Hi Rob. You are right that I should be able to just update it on our second server. What happened was I was trying to see if the certificate would work on the install process since I couldn't figure out the renewal. This did not work, which is why I just sent out an update of my new LDAP error. If I understand you correctly, I somehow need to add the new trust chain to both sides. How would I go about doing that?
Joe
--
Dr. Joseph T. Foley <fo...@ru.is> Assistant Professor, Reykjavik University +354-599-6569

On 3/22/16 1:44 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

> Joseph Timothy Foley wrote:
>> Hi Rob.
>>
>> To add to this mess, I seem to have somehow confused the LDAP certificate configuration in the process of setting up a replicant (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The previous certificate was a corporate Level2 certificate. Trying to use the old certificate (which expires tomorrow) doesn't seem to put it back in working order.
>
> I thought you just needed to update the certificate. Why are you creating a new replica?
>
> My own StartSSL Server cert expires in a month and I just renewed it this morning. They have a new subordinate CA, that might be part of the problem (both sides need to trust it). I'd look in the access log of the remote 389-ds server to see what error it threw (and the local one too I suppose).
>
> But really, you should be able to replace the certs using certutil, not re-install the whole thing.
>
> rob
>
>> This is what I did to make the pkcs file:
>>
>> cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
>> cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt
>> (the ca-bundle is the root_bundle.crt they now send you in a zip file)
>>
>> openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is
>>
>> ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is
>>
>> Then copied it to ipa.cs.ru.is and ran
>> ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg
>>
>> Everything looks fine until:
>> [24/38]: setting up initial replication
>> Starting replication, please wait until this has completed.
>>
>> [ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>>
>> [error] RuntimeError: Failed to start replication
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start replication
>>
>> Looking at the setup log in /var/log/ipareplica-install.log:
>>
>> 2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache url=ldap://ipa2.cs.ru.is:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8cfc908>
>> 2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
>> 2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from SchemaCache
>> 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa.cs.ru.is:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8a01830>
>> 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica
>>     r_bindpw=self.dm_password)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication
>>     raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2016-03-22T08:49:24Z DEBUG [error] RuntimeError: Failed to start replication
>> 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
>> 2016-03-22T08:49:24Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>     for nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>     executor.next()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>     for nothing in self._installer(self.parent):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>     install(self)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>     func(installer)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install
>>     ds = install_replica_ds(config)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds
>>     ca_file=config.dir + "/ca.crt",
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 364, in create_replica
>>     self.start_creation(runtime=60)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica
>>     r_bindpw=self.dm_password)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication
>>     raise RuntimeError("Failed to start replication")
>>
>> 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
>> 2016-03-22T08:49:24Z ERROR Failed to start replication
>>
>> On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote:
>>> Joseph Timothy Foley wrote:
>>>> I just discovered that the certificate on ipa2.cs.ru.is is good to August, so I have a little bit of breathing room. That said, the ipa.cs.ru.is certificate will expire on March 23, so I need to update it.
>>>
>>> The process to get a new cert is pretty much the same as you obtained the original assuming you kept the original CSR. You'd re-submit that to StartSSL and they will provide a new certificate in PEM format.
>>>
>>> Add that to the relevant database via:
>>>
>>> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to/cert.pem
>>>
>>> I can't give much more specific information without knowing if you are, for example, using the same cert/key for both 389-ds and Apache.
>>>
>>> rob
>>>
>>>> --
>>>> Dr. Joseph T. Foley <fo...@ru.is> Assistant Professor, Reykjavik University +354-599-6569
>>>>
>>>> On 3/21/16 6:27 PM, "Joseph Timothy Foley" <fo...@ru.is> wrote:
>>>>
>>>>> Hi there.
>>>>> I set up an IPA4.2.0 on RHEL7 service for our CS department on ipa.cs.ru.is (temporarily down) and ipa2.cs.ru.is
>>>>> I used StartSSL to sign our certificate for HTTP and LDAP usage because I didn't want our users to deal with the internal CA nor could we get the CA certificate signed. Problem is, I can't find any information on how to get the new certificates installed on the running IPA server. They expire in 2 days, so I'm running out of time. Any help would be greatly appreciated.
>>>>>
>>>>> I can only find information on how to set up these certificates on a brand new IPA or replicant. There isn't any obvious information on how to put updated certificates into a running instance.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Joe
>>>>> --
>>>>> Dr. Joseph T. Foley <fo...@ru.is> Assistant Professor, Reykjavik University +354-599-6569
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
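Rob's two points in the thread (replace the certs with certutil instead of reinstalling, and make both servers trust StartSSL's new subordinate CA) as an added shell example that is not from the thread or from FreeIPA. It assumes a POSIX shell with awk and certutil; the NSS database path, the nickname prefix and the demo bundle contents are placeholders.

```shell
#!/bin/sh
# Added example: split a CA bundle, import each CA cert into an NSS database
# with CA trust, then verify that the server cert chains. Paths, nickname
# prefix and the demo certificate bodies are assumptions, not thread values.

# split_pem_bundle BUNDLE OUTDIR -> prints the number of certificates written.
# certutil -A imports only the first certificate in a file, so a multi-cert
# root_bundle.crt must be split into OUTDIR/cert-N.pem before import.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_ca_chain SPLITDIR NSSDB NICKPREFIX [PWDFILE]
# Adds every split CA certificate with CA trust flags (CT,,). Run it on each
# IPA server: both ends of the replication agreement must trust the new
# subordinate CA. The server cert itself is imported separately with -t u,u,u.
import_ca_chain() {
    dir=$1; db=$2; prefix=$3; pwfile=${4:-}
    i=0
    for pem in "$dir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        i=$((i + 1))
        if [ -n "$pwfile" ]; then
            certutil -A -d "$db" -f "$pwfile" -n "$prefix-$i" -t "CT,," -a -i "$pem"
        else
            certutil -A -d "$db" -n "$prefix-$i" -t "CT,," -a -i "$pem"
        fi
    done
}

# verify_server_cert NSSDB NICK -> exits 0 only if NICK validates for SSL
# server usage (-u V) against the CAs now in the database.
verify_server_cert() {
    certutil -V -d "$1" -n "$2" -u V
}

# Demo on a constructed two-certificate bundle (placeholder bodies, not real
# certificates); only the split step runs here, so no NSS database is needed.
demo_split() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-intermediate-ca' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'placeholder-root-ca' '-----END CERTIFICATE-----' > "$tmp/root_bundle.crt"
    split_pem_bundle "$tmp/root_bundle.crt" "$tmp/split"
}
```

After `import_ca_chain`, `verify_server_cert /path/to/db Server-Cert` on each server shows whether the chain is now complete before you restart 389-ds or httpd.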