[Freeipa-users] Re: Chrome 58 - CN for IPA management console to include SANs

2017-05-24 Thread Prasun Gera via FreeIPA-users
I see the replica listed under services in IdM's web UI. It appears as
"HTTP/replica@DOMAIN". Is this normal? I'm not sure if it's being tracked
for auto-renewal or if it was issued as a one-time cert during setup. What
would be the steps to fix this?

On Wed, May 24, 2017 at 12:00 AM, Alexander Bokovoy wrote:

> On ti, 23 touko 2017, Prasun Gera via FreeIPA-users wrote:
>
>> I posted this in the earlier thread, but didn't get a response. I was able
>> to fix this on the master, but getcert list -d /etc/httpd/alias -n
>> "Server-Cert" on the replica doesn't return anything. Are the replica's
>> SSL certs handled differently?
>>
> I don't think there is any difference, at least not code-wise, in how
> the HTTP service certificate is tracked in the case of the IPA CA.
>
> In the case of a replica promotion, a request to issue the HTTP service
> certificate is routed to the original IPA CA master (because the one we
> will have on the replica itself is not there yet). Either way, certmonger
> is set to track the same Server-Cert certificate in /etc/httpd/alias
> during the server upgrade process, which is one of the last steps when a
> replica is installed.
>
> --
> / Alexander Bokovoy
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Chrome 58 - CN for IPA management console to include SANs

2017-05-23 Thread Alexander Bokovoy via FreeIPA-users

On ti, 23 touko 2017, Prasun Gera via FreeIPA-users wrote:

I posted this in the earlier thread, but didn't get a response. I was able
to fix this on the master, but getcert list -d /etc/httpd/alias -n
"Server-Cert" on the replica doesn't return anything. Are the replica's SSL
certs handled differently?

I don't think there is any difference, at least not code-wise, in how
the HTTP service certificate is tracked in the case of the IPA CA.

In the case of a replica promotion, a request to issue the HTTP service
certificate is routed to the original IPA CA master (because the one we
will have on the replica itself is not there yet). Either way, certmonger
is set to track the same Server-Cert certificate in /etc/httpd/alias
during the server upgrade process, which is one of the last steps when a
replica is installed.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Chrome 58 - CN for IPA management console to include SANs

2017-05-23 Thread Jake via FreeIPA-users
For clarity I want to restate that the fix is as follows; it retains the
service restart functionality, tested on CentOS 7 / IPA 4.4.0.

as root, one-liner:

getcert resubmit \
  -i "$(getcert list -d /etc/httpd/alias -n "Server-Cert" | grep -oE '[0-9]{14}')" \
  -D "$(hostname -f)" \
  -C /usr/libexec/ipa/certmonger/restart_httpd; \
/usr/libexec/ipa/certmonger/restart_httpd

Thank You, 
-Jake 


From: "Prasun Gera" <prasun.g...@gmail.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Jake" <em...@ml.jacobdevans.com>, "Alexander Bokovoy" <aboko...@redhat.com>
Sent: Tuesday, May 23, 2017 4:09:14 PM
Subject: Re: [Freeipa-users] Re: Chrome 58 - CN for IPA management console to include SANs

I posted this in the earlier thread, but didn't get a response. I was able to
fix this on the master, but getcert list -d /etc/httpd/alias -n "Server-Cert"
on the replica doesn't return anything. Are the replica's SSL certs handled
differently?

On Tue, May 23, 2017 at 3:08 PM, Alexander Bokovoy via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:


On ti, 23 touko 2017, Jake via FreeIPA-users wrote:

> Worked! Thanks!
>
> I suppose there isn't a way to get the output of getcert as
> JSON/object? I would prefer to do this with ansible =)

Not directly. You may want to explore the D-Bus interface provided by
certmonger.

> Also, "sudo systemctl restart httpd" post renewal (looks like the hooks
> aren't configured for the cert renewal to restart dependent services.)

For httpd certs configured by the IPA install, there is a script that
restarts httpd, as can be seen in 'post-save command' below:

Request ID '20170215074615':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2019-01-29 18:11:46 UTC
    dns: ipa.example.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes


-- 
/ Alexander Bokovoy 


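As an added example (not code from this thread or from FreeIPA), a small Python script that gives Jake the JSON/object view he asks for without going through certmonger's D-Bus interface: it parses the plain `getcert list` text quoted above into dicts and then checks the two things this thread is about, a dNSName SAN for the host's FQDN (the Chrome 58 complaint) and the httpd restart hook in 'post-save command'. The sample text is constructed from the output quoted above, trimmed to the fields the check needs; `parse_getcert_list` and `audit_httpd_request` are names chosen here.

```python
import json
import re

# Constructed sample, modelled on the getcert output quoted in this thread.
SAMPLE = """\
Request ID '20170215074615':
\tstatus: MONITORING
\tdns: ipa.example.com
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\tauto-renew: yes
"""
REQ_ID = re.compile(r"^Request ID '([^']+)':$")

def parse_getcert_list(text):
    """Turn `getcert list` text into a list of dicts keyed by getcert's own field names."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_ID.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # first colon separates field name and value
            value = value.strip()
            if key == "dns":  # SAN list: tolerate comma- or whitespace-separated names
                value = [v for v in re.split(r"[,\s]+", value) if v]
            current[key] = value
    return requests

def audit_httpd_request(req, fqdn):
    """Findings for one request: SAN for fqdn, renewal tracked, httpd restart hook wired."""
    findings = []
    if req.get("status") != "MONITORING":
        findings.append("status is %s, not MONITORING" % req.get("status"))
    if fqdn not in req.get("dns", []):
        findings.append("no dNSName SAN for %s; Chrome 58+ rejects the cert" % fqdn)
    if not req.get("post-save command"):
        findings.append("no post-save command; httpd is not restarted after renewal")
    if req.get("auto-renew") != "yes":
        findings.append("auto-renew is not enabled")
    return findings

if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    print(json.dumps(reqs, indent=2))
    for r in reqs:
        print(r["request_id"], audit_httpd_request(r, "ipa.example.com") or "OK")
```

On a real server, feed it the output of `getcert list -d /etc/httpd/alias -n "Server-Cert"` instead of SAMPLE and pass the result of `hostname -f` as fqdn; a replica whose request lacks the SAN or the post-save command is the case the resubmit one-liner above addresses.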