Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-25 Thread Rob Crittenden
sipazzo wrote:
 Ok I finally was able to get a sandbox environment up to test the cert
 replacement. When I got to the cert request steps:
 ipa-getcert request -d /etc/dirsrv/slapd-IPADOMAIN-COM -n Server-Cert -p
 /etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt -C
 '/usr/lib64/ipa/certmonger/restart_dirsrv IPADOMAIN-COM' -N
 CN=idm2-corp.ipadomain.com -K ldap/ipa2-corp.ipadomain@ipadomain.com
 
 I got a message saying the cert at same location is already used by
 request with nickname 20140729215511, same when I ran it for
 /etc/httpd/alias. I continued on anyway but when I get to this step:

You need to tell certmonger to stop tracking the existing GoDaddy certs,
not that they would have been renewable anyway.

You may also need to remove them from the NSS database(s) using
something like:

# certutil -D -n 'nickname' -d /path/to/db

I think the subject will be different enough that it may be ok as-is.

The other errors are due to the fact that no certificate was issued.

rob

 
  # certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM
 
 I get an error:
 certutil: could not find certificate named Server-Cert:
 PR_FILE_NOT_FOUND_ERROR: File not found
 
 Although running certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM/,
 returns this:
 
 Certificate Nickname                          Trust Attributes
                                               SSL,S/MIME,JAR/XPI
 
 GD_CA                                         CT,C,C
 IPADOMAIN.COM IPA CA                          CT,,
 NWF_GD                                        u,u,u
 
 
 Showing that the IPA Dogtag cert is now listed whereas it was not
 previously. 
 
 
 
 *From:* sipazzo sipa...@yahoo.com
 *To:* Rob Crittenden rcrit...@redhat.com; freeipa-users@redhat.com
 freeipa-users@redhat.com
 *Sent:* Friday, March 13, 2015 1:32 PM
 *Subject:* Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
 
 This environment is over 350 servers, many of which are in production so
 I may have to wait a bit for change management approval to attempt to
 resolve this issue, particularly if you think it might break something. 
 I will keep you updated on my progress. Thank you much.
 
 
 
 
 *From:* sipazzo sipa...@yahoo.com
 *To:* Rob Crittenden rcrit...@redhat.com
 *Cc:* freeipa-users@redhat.com freeipa-users@redhat.com
 *Sent:* Friday, March 13, 2015 9:21 AM
 *Subject:* Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
 
 
 
 
 
 -Original Message-
 From: freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
 Sent: Thursday, March 12, 2015 1:52 PM
 To: sipazzo; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
 
 sipazzo wrote:
 I do have other CAs (just not the master but it is available offline if
 needed)
 
 To be clear, all IPA servers are masters, some just run more services
 than others. It sounds like you have at least one CA available which
 should be sufficient.
 
 Directory server is running
 The apache web server is running and I can get to the gui ipa
 cert-show 1 works
 
 Ok. I guess the place to start is to get certs for Apache and 389-ds,
 then we can see about using these new certs.
 
 In the thread you showed that the IPA 389-ds doesn't have a Server-Cert
 nickname. You'll want to do the same for /etc/httpd/alias before running
 the following commands otherwise you could end up with non-functional
 server.
 
 These should get IPA certs for 389-ds and Apache. You'll need to edit
 these commands to match your environment:
 
 # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p
 /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
 -N CN=ipa.example.com -K HTTP/ipa.example@example.com
 
 # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p
 /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C
 '/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N
 CN=ipa.example.com -K ldap/ipa.example@example.com
 
 I'd do them one at a time and wait until the cert is issued and tracked.
 This will restart both Apache and 389-ds but it shouldn't affect
 operation because the certs won't be used yet.
 
 You then need to get the old CA cert and put it into the right places.
 Since it is already in the PKI-IPA NSS database let's fetch it from
 there. For giggles you should probably save whatever the contents of
 /etc/ipa/ca.crt are before-hand.
 
 # certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a /etc/ipa/ca.crt
 
 Now add that to the Apache and 389-ds databases
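The reply above says to stop certmonger from tracking the old GoDaddy certs before re-running ipa-getcert. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses `getcert list` output to find every request whose certificate is stored in a given NSS database, and runs `getcert stop-tracking -i ID` only when APPLY=1 is set, so the ids can be compared with the conflict message first. The sample listing is constructed to mirror the thread (request id 20140729215511 tracking the old cert in the 389-ds database); the nickname NWF_GD for that cert and the second request id are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find which certmonger request already
# tracks a certificate in a given NSS database, then stop tracking it only
# after review. `getcert list` and `getcert stop-tracking -i ID` are real
# certmonger commands; the listing below is constructed, with the tracked
# nickname (NWF_GD) and the second request id assumed.

SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140729215511':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPADOMAIN-COM',nickname='NWF_GD',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPADOMAIN-COM',nickname='NWF_GD',token='NSS Certificate DB'
        CA: IPA
Request ID '20140729215512':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='NWF_GD',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='NWF_GD',token='NSS Certificate DB'
        CA: IPA
EOF
)

# Read `getcert list` output on stdin and print "<request id> <nickname>" for
# every request whose certificate is stored in NSS database DB. The id is
# remembered from the "Request ID '...'" line and emitted when the following
# "certificate:" line points at DB.
find_tracking_requests() {
    db="$1"; q="'"; id=""
    while IFS= read -r line; do
        case "$line" in
            "Request ID $q"*"$q:")
                id="${line#Request ID $q}"
                id="${id%$q:}" ;;
            *"certificate: type=NSSDB,location=$q$db$q,nickname=$q"*)
                nick="${line#*nickname=$q}"
                nick="${nick%%$q*}"
                printf '%s %s\n' "$id" "$nick" ;;
        esac
    done
}

# Stop tracking every request found in DB. Dry run unless APPLY=1, so the
# ids can be checked against certmonger's "already used by request" message.
# The old cert itself still has to be removed with `certutil -D` afterwards.
stop_tracking_in_db() {
    db="$1"
    getcert list | find_tracking_requests "$db" | while read -r id nick; do
        if [ "${APPLY:-0}" = 1 ]; then
            getcert stop-tracking -i "$id"
        else
            echo "would run: getcert stop-tracking -i $id   # nickname $nick"
        fi
    done
}

# Usage on an IPA server:
#   ./find_tracking.sh /etc/dirsrv/slapd-IPADOMAIN-COM          # dry run
#   APPLY=1 ./find_tracking.sh /etc/dirsrv/slapd-IPADOMAIN-COM  # stop tracking
if [ -n "${1:-}" ]; then
    stop_tracking_in_db "$1"
fi
```

Matching on the database location rather than on the nickname is deliberate: the conflict certmonger reports is about the storage location, and the old cert may be tracked under a nickname other than the one being requested.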

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-24 Thread sipazzo
Ok I finally was able to get a sandbox environment up to test the cert 
replacement. When I got to the cert request steps:
ipa-getcert request -d /etc/dirsrv/slapd-IPADOMAIN-COM -n Server-Cert -p 
/etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt -C 
'/usr/lib64/ipa/certmonger/restart_dirsrv IPADOMAIN-COM' -N 
CN=idm2-corp.ipadomain.com -K ldap/ipa2-corp.ipadomain@ipadomain.com
I got a message saying the cert at same location is already used by request 
with nickname 20140729215511, same when I ran it for /etc/httpd/alias. I 
continued on anyway but when I get to this step:
 # certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM
I get an error: 
certutil: could not find certificate named Server-Cert: 
PR_FILE_NOT_FOUND_ERROR: File not found
Although running certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM/, returns this:

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

GD_CA    CT,C,C
IPADOMAIN.COM IPA CA  CT,, 
NWF_GD   u,u,u

Showing that the IPA Dogtag cert is now listed whereas it was not previously. 

 From: sipazzo sipa...@yahoo.com
 To: Rob Crittenden rcrit...@redhat.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
 Sent: Friday, March 13, 2015 1:32 PM
 Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
   
This environment is over 350 servers, many of which are in production so I may 
have to wait a bit for change management approval to attempt to resolve this 
issue, particularly if you think it might break something.  I will keep you 
updated on my progress. Thank you much.
 


 From: sipazzo sipa...@yahoo.com
 To: Rob Crittenden rcrit...@redhat.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
 Sent: Friday, March 13, 2015 9:21 AM
 Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
   




-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Thursday, March 12, 2015 1:52 PM
To: sipazzo; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

sipazzo wrote:
 I do have other CAs (just not the master but it is available offline if
 needed)

To be clear, all IPA servers are masters, some just run more services than 
others. It sounds like you have at least one CA available which should be 
sufficient.

 Directory server is running
 The apache web server is running and I can get to the gui
 ipa cert-show 1 works

Ok. I guess the place to start is to get certs for Apache and 389-ds, then we 
can see about using these new certs.

In the thread you showed that the IPA 389-ds doesn't have a Server-Cert 
nickname. You'll want to do the same for /etc/httpd/alias before running the 
following commands otherwise you could end up with non-functional server.

These should get IPA certs for 389-ds and Apache. You'll need to edit these 
commands to match your environment:

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p 
/etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
-N CN=ipa.example.com -K HTTP/ipa.example@example.com

# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p 
/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C 
'/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N CN=ipa.example.com -K 
ldap/ipa.example@example.com

I'd do them one at a time and wait until the cert is issued and tracked.
This will restart both Apache and 389-ds but it shouldn't affect operation 
because the certs won't be used yet.

You then need to get the old CA cert and put it into the right places.
Since it is already in the PKI-IPA NSS database let's fetch it from there. For 
giggles you should probably save whatever the contents of /etc/ipa/ca.crt are 
before-hand.

# certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a /etc/ipa/ca.crt

Now add that to the Apache and 389-ds databases:

# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/httpd/alias -t CT,C, -a -i /etc/ipa/ca.crt
# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/dirsrv/slapd-EXAMPLE-COM -t CT,, -a -i /etc/ipa/ca.crt

Next add it to /etc/pki/nssdb if it isn't already there:

# certutil -A -n 'IPA CA' -d /etc/pki/nssdb -t CT,C,C -a -i /etc/ipa/ca.crt

Next, verify that the newly issued certs are trusted:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias
# certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM

Both should return:
certutil: certificate is valid

Next is to configure the services to use the new certs. I'd stop IPA to do 
this: ipactl stop

Edit /etc/httpd/conf.d/nss.conf and change the NSSNickname to Server-Cert

Edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and set nsSSLPersonalitySSL to 
Server
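The listing in this message shows the IPA CA present but no Server-Cert entry, which is exactly why `certutil -V -u V -n Server-Cert` fails with PR_FILE_NOT_FOUND_ERROR. The script below is an added example, not code from the thread or from NSS/FreeIPA: it parses `certutil -L` output and checks the two preconditions the procedure relies on, a Server-Cert entry with its private key (u,u,u) and the IPA CA trusted for SSL (a C flag in the first column). Both listings are constructed samples: one mirrors the state above, the other the same database after ipa-getcert has issued Server-Cert.

```shell
#!/bin/sh
# Added example (not from the thread): check a `certutil -L` listing for the
# state Rob's procedure expects before `certutil -V` is run. The two listings
# below are constructed; the first mirrors the thread (no Server-Cert yet),
# the second the same database after the new cert has been issued.

SAMPLE_BEFORE=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
IPADOMAIN.COM IPA CA                                         CT,,
NWF_GD                                                       u,u,u
EOF
)

SAMPLE_AFTER=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
IPADOMAIN.COM IPA CA                                         CT,,
NWF_GD                                                       u,u,u
Server-Cert                                                  u,u,u
EOF
)

# Print the trust flags of nickname NICK from a listing on stdin, or nothing
# when NICK is absent. The flags are the last field; the nickname is the rest
# of the line with trailing spaces removed, since nicknames may contain spaces
# ("IPADOMAIN.COM IPA CA").
trust_flags_of() {
    nick="$1"
    while IFS= read -r line; do
        case "$line" in
            ''|'Certificate Nickname'*|*'SSL,S/MIME,JAR/XPI'*) continue ;;
        esac
        flags="${line##* }"
        name="${line% *}"
        while [ "${name% }" != "$name" ]; do name="${name% }"; done
        if [ "$name" = "$nick" ]; then
            printf '%s\n' "$flags"
        fi
    done
}

# Read a listing on stdin. Return 0 when Server-Cert carries a private key
# (u,u,u) and CA_NICK is trusted to issue SSL server certs (C flag in the
# SSL column); otherwise report what is missing and return 1.
check_server_cert_db() {
    ca_nick="$1"
    listing=$(cat)
    rc=0
    server=$(printf '%s\n' "$listing" | trust_flags_of Server-Cert)
    if [ "$server" != "u,u,u" ]; then
        echo "Server-Cert with a private key (u,u,u) not found; got '${server:-nothing}'"
        rc=1
    fi
    ca=$(printf '%s\n' "$listing" | trust_flags_of "$ca_nick")
    case "${ca%%,*}" in
        *C*) ;;
        *) echo "'$ca_nick' is not a trusted SSL CA (no C flag); got '${ca:-nothing}'"
           rc=1 ;;
    esac
    return "$rc"
}

# Usage on a server, before running certutil -V:
#   certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM | check_server_cert_db 'EXAMPLE.COM IPA CA'
```

Run against the first sample the check reports the missing Server-Cert and exits non-zero; against the second it passes, which is the point at which `certutil -V -u V -n Server-Cert` can be expected to print "certificate is valid".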

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-13 Thread sipazzo
This environment is over 350 servers, many of which are in production so I may 
have to wait a bit for change management approval to attempt to resolve this 
issue, particularly if you think it might break something.  I will keep you 
updated on my progress. Thank you much.
 
 From: sipazzo sipa...@yahoo.com
 To: Rob Crittenden rcrit...@redhat.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
 Sent: Friday, March 13, 2015 9:21 AM
 Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
   




-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Thursday, March 12, 2015 1:52 PM
To: sipazzo; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

sipazzo wrote:
 I do have other CAs (just not the master but it is available offline 
 if
 needed)

To be clear, all IPA servers are masters, some just run more services than 
others. It sounds like you have at least one CA available which should be 
sufficient.

 Directory server is running
 The apache web server is running and I can get to the gui
 ipa cert-show 1 works

Ok. I guess the place to start is to get certs for Apache and 389-ds, then we 
can see about using these new certs.

In the thread you showed that the IPA 389-ds doesn't have a Server-Cert 
nickname. You'll want to do the same for /etc/httpd/alias before running the 
following commands otherwise you could end up with non-functional server.

These should get IPA certs for 389-ds and Apache. You'll need to edit these 
commands to match your environment:

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p 
/etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
-N CN=ipa.example.com -K HTTP/ipa.example@example.com

# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p 
/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C 
'/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N CN=ipa.example.com -K 
ldap/ipa.example@example.com

I'd do them one at a time and wait until the cert is issued and tracked.
This will restart both Apache and 389-ds but it shouldn't affect operation 
because the certs won't be used yet.

You then need to get the old CA cert and put it into the right places.
Since it is already in the PKI-IPA NSS database let's fetch it from there. For 
giggles you should probably save whatever the contents of /etc/ipa/ca.crt are 
before-hand.

# certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a /etc/ipa/ca.crt

Now add that to the Apache and 389-ds databases:

# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/httpd/alias -t CT,C, -a -i /etc/ipa/ca.crt
# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/dirsrv/slapd-EXAMPLE-COM -t CT,, -a -i /etc/ipa/ca.crt

Next add it to /etc/pki/nssdb if it isn't already there:

# certutil -A -n 'IPA CA' -d /etc/pki/nssdb -t CT,C,C -a -i /etc/ipa/ca.crt

Next, verify that the newly issued certs are trusted:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias
# certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM

Both should return:
certutil: certificate is valid

Next is to configure the services to use the new certs. I'd stop IPA to do 
this: ipactl stop

Edit /etc/httpd/conf.d/nss.conf and change the NSSNickname to Server-Cert

Edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and set nsSSLPersonalitySSL to 
Server-Cert

Now try to start the world: ipactl start

Run a few commands:

# ipa user-show admin
# ipa cert-show 1

Both should work.

Assuming all has gone well to this point, copy /etc/ipa/ca.crt to 
/usr/share/ipa/html/ca.crt

Finally run: ipa-ldap-updater --upgrade

This should load the new CA certificate into LDAP.

This has the potential to break a whole bunch of your clients. It is probably 
enough to just copy over the new CA cert to the right
location(s) on the clients. The mechanics of this depend on the OS.

 Are the TLS errors due to the mismatch in certs between slapd-PKI-CA 
 and slapd-NETWORKFLEET-COM?

No, it has nothing to do with the CA at all. The client doesn't have (or
trust) the CA that issued the LDAP server cert.

rob

 
 
 -Original Message-
 
 
 From: freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
 Sent: Wednesday, March 11, 2015 7:20 PM
 To: sipazzo; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Need to replace cert for ipa servers
 
 sipazzo wrote:
 Thanks Rob, I apologize that error was probably not helpful. This is 
 what I see when running install in debug mode:

 Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an 
 IPA server Init LDAP connection with:
 ldap://ipa2-corp.networkfleet.com:389
 LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer 
 is not recognized

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-12 Thread Rob Crittenden
sipazzo wrote:
 I do have other CAs (just not the master but it is available offline if
 needed)

To be clear, all IPA servers are masters, some just run more services
than others. It sounds like you have at least one CA available which
should be sufficient.

 Directory server is running
 The apache web server is running and I can get to the gui
 ipa cert-show 1 works

Ok. I guess the place to start is to get certs for Apache and 389-ds,
then we can see about using these new certs.

In the thread you showed that the IPA 389-ds doesn't have a Server-Cert
nickname. You'll want to do the same for /etc/httpd/alias before running
the following commands otherwise you could end up with non-functional
server.

These should get IPA certs for 389-ds and Apache. You'll need to edit
these commands to match your environment:

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p
/etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
-N CN=ipa.example.com -K HTTP/ipa.example@example.com

# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p
/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C
'/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N
CN=ipa.example.com -K ldap/ipa.example@example.com

I'd do them one at a time and wait until the cert is issued and tracked.
This will restart both Apache and 389-ds but it shouldn't affect
operation because the certs won't be used yet.

You then need to get the old CA cert and put it into the right places.
Since it is already in the PKI-IPA NSS database let's fetch it from
there. For giggles you should probably save whatever the contents of
/etc/ipa/ca.crt are before-hand.

# certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a /etc/ipa/ca.crt

Now add that to the Apache and 389-ds databases:

# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/httpd/alias -t CT,C, -a
-i /etc/ipa/ca.crt
# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/dirsrv/slapd-EXAMPLE-COM
-t CT,, -a -i /etc/ipa/ca.crt

Next add it to /etc/pki/nssdb if it isn't already there:

# certutil -A -n 'IPA CA' -d /etc/pki/nssdb -t CT,C,C -a -i /etc/ipa/ca.crt

Next, verify that the newly issued certs are trusted:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias
# certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM

Both should return:
certutil: certificate is valid

Next is to configure the services to use the new certs. I'd stop IPA to
do this: ipactl stop

Edit /etc/httpd/conf.d/nss.conf and change the NSSNickname to Server-Cert

Edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and set nsSSLPersonalitySSL
to Server-Cert

Now try to start the world: ipactl start

Run a few commands:

# ipa user-show admin
# ipa cert-show 1

Both should work.

Assuming all has gone well to this point, copy /etc/ipa/ca.crt to
/usr/share/ipa/html/ca.crt

Finally run: ipa-ldap-updater --upgrade

This should load the new CA certificate into LDAP.

This has the potential to break a whole bunch of your clients. It is
probably enough to just copy over the new CA cert to the right
location(s) on the clients. The mechanics of this depend on the OS.

 Are the TLS errors due to the mismatch in certs between slapd-PKI-CA and
 slapd-NETWORKFLEET-COM?

No, it has nothing to do with the CA at all. The client doesn't have (or
trust) the CA that issued the LDAP server cert.

rob

 
 
 -Original Message-
 
 
 From: freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
 Sent: Wednesday, March 11, 2015 7:20 PM
 To: sipazzo; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Need to replace cert for ipa servers
 
 sipazzo wrote:
 Thanks Rob, I apologize that error was probably not helpful. This is
 what I see when running install in debug mode:

 Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an
 IPA server Init LDAP connection with:
 ldap://ipa2-corp.networkfleet.com:389
 LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
 is not recognized.
 Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA
 server Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389
 LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
 is not recognized.
 Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA
 server Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389
 LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
 is not recognized.
 Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA
 server Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389
 LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
 is not recognized.
 Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA
 server Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389
 LDAP