On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote:
> On 12/04/2013 07:15 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 11/27/2013 11:11 AM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> Folks, just wanted to touch base again before the American
>>>>>>> holiday season starts. My CA, which is subordinate to AD CS,
>>>>>>> will be expiring on December 9th. I submitted a bug, y'all
>>>>>>> drew up docs etc. for a plan (thanks). Now I just wanted to see
>>>>>>> how it was going and, if need be, what manual steps I will need
>>>>>>> to take to renew the certificate.
>>>>>>>
>>>>>>> Thanks again for the great work,
>>>>>>
>>>>>> We're working on a set of tools to make this easier. For now
>>>>>> I've appended some manual instructions onto a page still in
>>>>>> progress.
>>>>>>
>>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>>>>
>>>>>> Some parts may still be a little rough or hard to understand.
>>>>>> Let me know if you have any problems or corrections.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Rob,
>>>>>
>>>>> Thanks for the instructions, a few questions.
>>>>>
>>>>> What sort of interruption in service could this create?
>>>>
>>>> Services will be restarted during this process, including your LDAP,
>>>> Apache and CA instances. Downtime should be relatively short, no
>>>> more than a few minutes combined.
>>>>
>>>>> Can you expand on this section a little bit: Replace the value of
>>>>> ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value of
>>>>> the certificate. You can obtain this by removing the BEGIN/END
>>>>> blocks from ipa.crt and compressing it into a single line.
>>>>
>>>> A PEM cert looks like:
>>>>
>>>> -----BEGIN CERTIFICATE-----
>>>> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
>>>> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
>>>> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
>>>> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
>>>> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
>>>> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
>>>> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
>>>> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
>>>> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
>>>> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
>>>> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
>>>> -----END CERTIFICATE-----
>>>>
>>>> You need to drop the BEGIN/END blocks then combine all the lines
>>>> into a single line, so you have a unified base64 blob. It will look
>>>> like:
>>>>
>>>> ca.signing.cert=MII...B0DGohV1BeTA=
>>>>
>>>> I was afraid wrapping would destroy my demonstration so I used
>>>> ellipses instead.
>>>>
>>>>> Thanks and happy Thanksgiving,
>>>>
>>>> You're welcome. You too.
>>>>
>>>> rob
>>>>
>>> Ok, I have done the steps as outlined. One small suggestion and one
>>> question came up.
>>>
>>> Suggestion: for the ldapmodify command, indicate that a ctl-d is
>>> necessary to end input. Most folks will know this, but some may not.
>>>
>>> For the client section you have me copy the newly signed subordinate CA
>>> certificate into /etc/ipa/ca.crt. However, on my hosts that was
>>> actually a copy of the AD CS certificate, not the subordinate
>>> certificate. In the case of a subordinate installation, do you want the
>>> root or the subordinate CA? It would seem that the root would be
>>> broader, but I just want to make sure.
>>>
>> The IPA CA cert should be sufficient.
>>
>> rob
>
> Thanks, and just for an update, the switch over was made, certmonger is
> happily updating certs now on all hosts and everything just appears to be
> working thus far, minus the replication of the agent certificate, which I
> am still looking into.
>
> Thanks for the help,
>
> -Erinn
Great, I am glad to hear that. Note that we were investigating renewing
certificates and clones and found an issue in Python readline that
prevented a renewal of the IPA agent certificate:

https://fedorahosted.org/freeipa/ticket/4064

Could this be the reason for your issues? Did you see a crash of certmonger
during the renewal? It was found to be happening due to the aforementioned bug.

Thanks,
Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
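The manual CS.cfg step Rob describes above (drop the BEGIN/END lines and join the base64 body into one line), as an added Python example that is not from the thread, the howto or FreeIPA itself. The sample input is the IPA test certificate pasted in the thread; the checks that the blob decodes cleanly and that the DER length prefix matches the blob size are extra sanity checks not in the howto, there to catch a dropped or duplicated line before it lands in ca.signing.cert.

```python
import base64
import re

# Sample input: the IPA test certificate Rob pasted in the thread above.
PEM_SAMPLE = """-----BEGIN CERTIFICATE-----
MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
-----END CERTIFICATE-----"""

def der_length(der: bytes) -> int:
    """Total size (tag + length + value) claimed by the outermost DER TLV."""
    first = der[1]
    if first < 0x80:  # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_cs_cfg_value(pem_text: str) -> str:
    """Strip the BEGIN/END lines and join the base64 body into one line,
    as the howto's manual step says, then sanity-check the result."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
        pem_text, re.S)
    if len(blocks) != 1:  # a chain or an empty file would silently corrupt CS.cfg
        raise ValueError(f"expected one CERTIFICATE block, found {len(blocks)}")
    body = "".join(blocks[0].split())  # tolerates CRLF and pasted whitespace
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if len(der) < 2 or der[0] != 0x30:  # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der_length(der) != len(der):  # catches a dropped or duplicated line
        raise ValueError("DER length prefix does not match blob size")
    return body

def cs_cfg_line(pem_text: str) -> str:
    """The ca.signing.cert line for /etc/pki-ca/CS.cfg."""
    return "ca.signing.cert=" + pem_to_cs_cfg_value(pem_text)

if __name__ == "__main__":
    print(cs_cfg_line(PEM_SAMPLE))
```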
