On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote:
Hello.
Thanks for the first help,
On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote:
On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
Hello,
Freeipa 4.3.1
I have now installed a 3rd-party certificate from StartCom, and now my IPA is
totally broken?
ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install root.crt
I mean, this is the wrong cert I installed :-(.
Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
from StartCom ("30 Years").
Hi,
ipa-cacert-manage install *adds* the CA certificate to the list of CA
certs (it does not replace the CA cert), meaning that it can be run
multiple times with different certificates. After this step, you can
find all your CA certificates in the ldap server, below
cn=certificates,cn=ipa,cn=etc,$BASEDN
So in your case, you can re-run this command, this time with the right
CA cert. Then do not forget to run ipa-certupdate on all the ipa
replicas/clients in order to install the new CA cert on the relevant NSS
databases. It is important to run ipa-certupdate before IPA services are
restarted with the new certs (otherwise ipa-certupdate cannot contact
the LDAP server to download the new certificates).
If you forgot to run ipa-certupdate on the clients, I guess you can fix
this by installing the new CA cert in /etc/ipa/nssdb with C,, flags.
HTH,
Flo
ipa-certupdate
ipa-server-certinstall -w -d ipa_3rd_ca.p12
This was wrong; I deleted all these installed certs with
certutil -d . -D -n xxxxxxx
I created this p12 from key.pem, cert.pem and root.crt.
Now I have created a new p12 with, I hope, the correct certs.
I got from StartCom an httpd zip file with 1_root_bundle.crt ("15 Years") and
my wildcard certificate; these I included in my newly created p12 together with my key.pem.
This p12 I installed on the first master with
pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -W xxxxxxxx
pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxxxxxx
and
pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k /etc/pki/pki-tomcat/pwdfile.txt -W xxxxxxxxx
I changed nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-XXXX/dsl.ldif.
Then I changed in all NSS DBs the StartCom cert (1_root_bundle.crt) with the name
STARTCOM-ROOT to
certutil -d . -M -t C,, -n STARTCOM-ROOT
Afterwards I did a reboot and a test:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Why is the ipa-ods-exporter service always STOPPED?
Next I tested a login on the IPA Web UI; this is now also working ;-)
The QUESTION is now: what about the second master and the IPA clients?
Now (?) I have also found ipa-backup ;-) OK, for the next problem I know it
now :-).
Do I have to repeat all of this on the second master?
And what is the correct way to inform the clients?
Thanks again for an answer,
Hi,
there were some issues with ipa-server-certinstall (see tickets #4785,
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS
DBs for Apache and the LDAP server (/etc/httpd/alias,
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with
flags C,, (= the one contained in root.crt)
Then you can also check if the nickname for the server cert is properly
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
nsSSLPersonalitySSL).
If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
provide more information.
Also note that it is important to run ipa-certupdate on all the clients
and replicas in order to install the new certificates in the NSS DBs
*before* you run ipa-server-certinstall.
Hope this helps,
Flo.
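The checklist in the reply above (server cert present with u,u,u, the signing CA with C,,, and the nickname in nss.conf pointing at that server cert) can be applied mechanically. The following POSIX shell script is an added example, not code from this thread or from FreeIPA: it parses certutil -L listings and an nss.conf fragment and reports every entry that does not carry the expected trust flags. The listings and the nss.conf fragment are constructed from what Günther posts in this thread, so the script runs offline; on a real server you would pass "$(certutil -d /etc/httpd/alias -L)" and the contents of /etc/httpd/conf.d/nss.conf instead. The script expects C,, on the StartCom root everywhere simply because that is the flag named in the reply; whether the CT,, that shows up in the pki-tomcat DB is itself a problem is not decided by the thread.

```shell
#!/bin/sh
# Added example, not from the thread: apply the NSS DB / nss.conf checks
# from the reply above to certutil -L output. Inputs below are constructed
# from the listings posted in this thread so the script runs offline.

# trust_flags LISTING NICKNAME: print the trust column for NICKNAME.
# certutil -L prints "<nickname>   <flags>"; nicknames may contain spaces
# ("4GJN.COM IPA CA"), so the flags are taken from the last field and only
# lines whose last field looks like a trust triple are considered, which
# also skips the two header lines. Exit status 1 if the nickname is absent.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)
            if (name == nick) { print flags; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# expect_trust LISTING NICKNAME FLAGS: 0 if NICKNAME carries exactly FLAGS,
# 1 (with a message on stderr) if it is missing or has other flags.
expect_trust() {
    got=$(trust_flags "$1" "$2") || { echo "MISSING: $2" >&2; return 1; }
    if [ "$got" = "$3" ]; then
        echo "ok: $2 $got"
    else
        echo "MISMATCH: $2 has $got, expected $3" >&2
        return 1
    fi
}

# nss_nickname NSSCONF: print the active NSSNickname value; commented-out
# lines are ignored and surrounding quotes stripped.
nss_nickname() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*NSSNickname[ \t]/ {
            sub(/^[ \t]*NSSNickname[ \t]+/, "")
            gsub(/"/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }'
}

# check_server_cert LISTING NSSCONF: the nickname Apache is told to use
# must exist in the DB with u,u,u, i.e. together with its private key.
check_server_cert() {
    nick=$(nss_nickname "$2")
    [ -n "$nick" ] || { echo "no active NSSNickname in nss.conf" >&2; return 1; }
    expect_trust "$1" "$nick" "u,u,u"
}

# --- constructed inputs, copied from the listings posted in the thread ---
HTTPD_LISTING='Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Signing-Cert                         u,u,u
4GJN_CA_FILE                         u,u,u
ipaCert                              u,u,u
4GJN.COM IPA CA                      CT,C,C
STARTCOM-ROOT                        C,,'

DIRSRV_LISTING='Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                         u,u,u
4GJN.COM IPA CA                      CT,C,C
STARTCOM-ROOT                        C,,'

PKI_LISTING='Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
caSigningCert cert-pki-ca            CTu,Cu,Cu
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu
STARTCOM-ROOT                        CT,,'

# constructed nss.conf fragment with the two nicknames tried in the thread
NSS_CONF='#NSSNickname "Signing-Cert"
NSSNickname "4GJN_CA_FILE"
NSSEnforceValidCerts off'

# run_checks: apply the checklist to the three DBs; returns the number of
# failed checks. With the posted data the only failure is the StartCom root
# in pki-tomcat, which carries CT,, instead of the C,, used everywhere else.
run_checks() {
    fails=0
    check_server_cert "$HTTPD_LISTING" "$NSS_CONF"                    || fails=$((fails + 1))
    expect_trust "$HTTPD_LISTING"  "4GJN.COM IPA CA"         "CT,C,C" || fails=$((fails + 1))
    expect_trust "$HTTPD_LISTING"  "STARTCOM-ROOT"           "C,,"    || fails=$((fails + 1))
    expect_trust "$DIRSRV_LISTING" "4GJN_CA_FILE"            "u,u,u"  || fails=$((fails + 1))
    expect_trust "$DIRSRV_LISTING" "STARTCOM-ROOT"           "C,,"    || fails=$((fails + 1))
    expect_trust "$PKI_LISTING"    "Server-Cert cert-pki-ca" "u,u,u"  || fails=$((fails + 1))
    expect_trust "$PKI_LISTING"    "STARTCOM-ROOT"           "C,,"    || fails=$((fails + 1))
    return $fails
}

run_checks || echo "$? check(s) failed" >&2
```

To use it on a server, substitute command output for the constructed strings, e.g. expect_trust "$(certutil -d /etc/dirsrv/slapd-4GJN-COM -L)" STARTCOM-ROOT C,, ; the nsSSLPersonalitySSL value from cn=RSA,cn=encryption,cn=config can be compared against the dirsrv listing the same way check_server_cert compares NSSNickname once you have fetched it with ldapsearch. The parser deliberately keys on the shape of the trust column rather than on column widths, because certutil pads the nickname column to the longest nickname in the DB.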
Kerberos doesn't start anymore?
The error is
Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM'
After inserting "NSSEnforceValidCerts off" in nss.conf,
ipactl restart starts (?), but
ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
With certutil -d /etc/httpd/alias -L I now have this:

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Signing-Cert                                  u,u,u
4GJN_CA_FILE                                  u,u,u
ipaCert                                       u,u,u
4GJN.COM IPA CA                               CT,C,C
STARTCOM-ROOT                                 C,,

I can insert in nss.conf either the original
#NSSNickname "Signing-Cert"
or
NSSNickname 4GJN_CA_FILE
but everything is now broken?
I also add this, found in Bugzilla:
certutil -d /var/lib/pki/pki-tomcat/alias -L
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
Server-Cert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu
STARTCOM-ROOT                                 CT,,

This is created in the
certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                  u,u,u
4GJN.COM IPA CA                               CT,C,C
STARTCOM-ROOT                                 C,,

Can anyone help a little, please ;-)
The bad problem: I tested this on my master server with DNS / DNSSEC, which I
can't reinstall (DNSSEC keys).
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project