William Muriithi wrote:
> Afternoon
>
> I have been trying to renew FreeIPA certificate for the last three
> days and I am running out of luck. I can't for example use the GUI
> interface and the ipa cli tools are also failing since the certificate
> expired on 27th last month. I have followed the instructions below
> but may be missing a step.
>
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Below is what I have done. I seem to have renewed some certificate
> successfully.
>
> [root@ipa1-yyz-int 10.30.2014]# cat certificate_status.sh
> #!/bin/bash
>
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>   echo "$nickname"
>   certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> done
>
> [root@ipa1-yyz-int 10.30.2014]# ./certificate_status.sh
> auditSigningCert cert-pki-ca
>             Not After : Thu Apr 23 22:18:47 2015
> ocspSigningCert cert-pki-ca
>             Not After : Fri Oct 14 22:17:47 2016
> subsystemCert cert-pki-ca
>             Not After : Fri Oct 14 22:17:47 2016
> Server-Cert cert-pki-ca
>             Not After : Fri Oct 14 22:17:48 2016
>
> I think I have done the steps above correctly but don't understand this section
>
> [root@ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7 (0x7)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
>         Validity:
>             Not Before: Tue Nov 06 21:35:53 2012
>             Not After : Mon Oct 27 21:35:53 2014
>
> As you can see below, this certificate was not renewed, and therefore
> I couldn't change the serial # through ldap tools. Which step would I
> have missed, or rather what should I re-run?
>
> Would be grateful for a second eye looking at it and advice on what I
> could be missing.
>
> I know I am using old software and did set up a replica successfully on
> Friday but it also has certificate issues. I plan to move all the
> certificate role to the free-IPA 3 once I get the certificate issues
> sorted and decommission Free-IPA 2.2
Is certmonger tracking the certificate? Run this to see:

# getcert list -d /etc/httpd/alias -n ipaCert

If so then try this:

# getcert resubmit -d /etc/httpd/alias -n ipaCert

This will only work if you've updated the renewed certificates in CS.cfg and you've fixed the NSS database trust for the audit cert. If/once that is renewed then you can do the other steps.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
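As an added example, not code from the thread or from FreeIPA itself: a Python pre-renewal check that walks the NSS databases and nicknames named above, parses the `Not After` line out of `certutil -L` output and flags anything already expired or inside a warning window, which would have surfaced the un-renewed ipaCert in /etc/httpd/alias alongside the renewed CA certificates. The CERTS list, the 30-day window and the embedded sample text are assumptions/constructed; the live check needs nss-tools and read access to the databases (root on the IPA server).

```python
from datetime import datetime, timedelta
import re
import subprocess

# Databases and nicknames named in the thread (assumed FreeIPA 2.x layout).
CERTS = [
    ("/var/lib/pki-ca/alias", "auditSigningCert cert-pki-ca"),
    ("/var/lib/pki-ca/alias", "ocspSigningCert cert-pki-ca"),
    ("/var/lib/pki-ca/alias", "subsystemCert cert-pki-ca"),
    ("/var/lib/pki-ca/alias", "Server-Cert cert-pki-ca"),
    ("/etc/httpd/alias", "ipaCert"),
]
NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)$", re.MULTILINE)
NSS_TIME = "%a %b %d %H:%M:%S %Y"  # certutil prints e.g. "Mon Oct 27 21:35:53 2014"

def parse_not_after(certutil_output):
    """Extract the 'Not After' timestamp from `certutil -L -n <nick>` output."""
    match = NOT_AFTER.search(certutil_output)
    if match is None:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(match.group(1).strip(), NSS_TIME)

def classify(not_after, now, warn_days=30):
    """Return 'expired', 'expiring' (within warn_days) or 'ok'."""
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

def read_cert(db, nickname):
    """Query one certificate via certutil (needs nss-tools and read access to db)."""
    proc = subprocess.run(["certutil", "-L", "-d", db, "-n", nickname],
                          capture_output=True, text=True, check=True)
    return parse_not_after(proc.stdout)

# Constructed sample in certutil's format, mirroring the ipaCert shown in the thread.
SAMPLE_IPACERT = """\
            Not Before: Tue Nov 06 21:35:53 2012
            Not After : Mon Oct 27 21:35:53 2014
"""
if __name__ == "__main__":
    now = datetime.now()
    for db, nick in CERTS:
        try:
            status = classify(read_cert(db, nick), now)
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            status = "error: %s" % exc  # missing tool, unknown nickname, odd output
        print("%-24s %-32s %s" % (db, nick, status))
```

Run on the server from the thread on 30 Oct 2014, the four CA nicknames would report ok while ipaCert reports expired, which is the certificate that still needs `getcert resubmit`.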
