[Freeipa-devel] certificate renewal
Vaede, Roger (Contractor)
Roger.Vaede at fincen.gov
Wed Oct 30 19:40:16 UTC 2013
The certificate that I tried to install was a self-signed certificate.
Here are the contents of the file /var/log/ipaserver-install.log:
2013-10-21 11:42:44,031 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-10-21 11:42:44,032 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2013-10-21 11:42:44,032 DEBUG httpd is configured
2013-10-21 11:42:44,032 DEBUG ipa_kpasswd is configured
2013-10-21 11:42:44,032 DEBUG dirsrv is configured
2013-10-21 11:42:44,033 DEBUG pki-cad is configured
2013-10-21 11:42:44,033 DEBUG pkids is configured
2013-10-21 11:42:44,033 DEBUG install is configured
2013-10-21 11:42:44,033 DEBUG krb5kdc is configured
2013-10-21 11:42:44,033 DEBUG ntpd is not configured
2013-10-21 11:42:44,033 DEBUG named is not configured
2013-10-21 11:42:44,033 DEBUG filestore has files
On the (good) backup server, here are the contents of the certificate:
[root at xxxxx ~]# ipa-getcert list
Number of certificates and requests being tracked: 2.
Request ID '20111020180721':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xxx ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-xxx//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xx',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=xxxxxx.xxx
    subject: CN=xxxxxxx.xxxxxx.xxx,O=xxxxxxx.xx
    expires: 2015-09-23 17:46:26 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    command:
    track: yes
    auto-renew: yes
Request ID '20111020180816':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=xxxxxx.xxx
    subject: CN=xxxxxx.xxxx.xxx,O=xxxxxxx.xxx
    expires: 2015-09-23 17:46:26 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    command:
    track: yes
    auto-renew: yes
regards
Roger
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, October 30, 2013 3:29 PM
To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
Subject: Re: [Freeipa-devel] certificate renewal
Vaede, Roger (Contractor) wrote:
> I did try to replace the certificate with a self-signed one at one point, but then I was getting an error saying the certificate wasn't valid.
Ok, I need to get a better handle on how this was originally installed in order to guide you. Can you look to see if /var/log/ipaserver-install.log still exists? It should have the original arguments passed.
What I need to know is if this was installed using a dogtag CA or if it was installed as a selfsign server.
rob
>
> Regards
> Roger
>
> -----Original Message-----
> From: Vaede, Roger (Contractor)
> Sent: Wednesday, October 30, 2013 2:37 PM
> To: 'Rob Crittenden'; 'freeipa-devel at redhat.com'
> Subject: RE: [Freeipa-devel] certificate renewal
>
> I never installed freeipa, the person that installed it left the company.
> I removed the request ID at one point by using the stop-tracking command then I used this command to reinstate them:
> ipa-getcert start-tracking -d /var/lib/pki-ca/alias -n ServerCert -r
>
> Initially they expired around October 25th.
>
> Regards
> Roger
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, October 30, 2013 2:30 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I have two IPA servers, one primary and one is backup. (Red Hat 5)
>
> What version of ipa-server is this?
>
>> The primary servers certificate has expired.
>>
>> I am not able to renew it.
>>
>> I turned off the ssl on the clients and now the users can log in.
>>
>> I did a lot of research on certificate renewal and I am lost at this point.
>>
>> I am able to make changes using the backup IPA server.
>
> This getcert output is quite strange. Did you start these tracking yourself?
>
> Did you replace the IPA CA certificate at some point?
>
> rob
>
>
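As an added example (not code from this thread, from FreeIPA or from certmonger), the following Python script parses `ipa-getcert list` output of the layout shown above and reports which tracked requests are stuck, untracked, not auto-renewing, already expired, or expiring within a warning window, together with the NSS database and nickname the key lives in. It assumes the field layout certmonger prints (a "Request ID '...':" line followed by indented "key: value" lines) and the "YYYY-MM-DD HH:MM:SS UTC" expiry format seen above; the sample output, the EXAMPLE.COM domain and the third, stuck request are constructed for the example, not taken from the poster's servers.

```python
"""Audit `ipa-getcert list` output for certificates that need attention.

Added example for this thread; not code from FreeIPA or certmonger.
Assumes the field layout shown in the thread and an "expires" value of the
form "YYYY-MM-DD HH:MM:SS UTC". The sample below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one healthy request like the backup server's, plus a
# stuck, expired one (CA_UNREACHABLE) resembling the primary server's state.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20111020180721':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2015-09-23 17:46:26 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tcommand:
\ttrack: yes
\tauto-renew: yes
Request ID '20131030120000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/var/lib/pki-ca/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2013-10-25 17:46:26 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tcommand:
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
STORAGE_RE = re.compile(r"location='(?P<location>[^']*)',nickname='(?P<nickname>[^']*)'")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names printed."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:  # header line before first request is skipped
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def parse_utc(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamp format used by certmonger."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def audit(text, now_text, warn_days=30):
    """Return [(request id, 'nssdb:nickname', [problems])] for requests needing attention.

    `now_text` uses the same timestamp format so the clock can be pinned, which
    matters when auditing a server whose certificates expired in the past.
    """
    now = parse_utc(now_text)
    findings = []
    for req in parse_getcert_list(text):
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck in state %s" % req.get("status", "?"))
        if req.get("track") != "yes":
            problems.append("not tracked")
        if req.get("auto-renew") != "yes":
            problems.append("auto-renew off")
        if "expires" in req:  # a request still waiting for a cert has no expiry
            expires = parse_utc(req["expires"])
            if expires <= now:
                problems.append("expired on %s" % req["expires"])
            elif expires - now <= timedelta(days=warn_days):
                problems.append("expires within %d days" % warn_days)
        if problems:
            m = STORAGE_RE.search(req.get("key pair storage", ""))
            where = "%s:%s" % (m.group("location"), m.group("nickname")) if m else "?"
            findings.append((req["id"], where, problems))
    return findings


if __name__ == "__main__":
    # Pin the clock to the date of the thread so the constructed sample reproduces.
    for req_id, where, problems in audit(SAMPLE_GETCERT_LIST, "2013-10-30 19:40:16 UTC"):
        print("%s (%s): %s" % (req_id, where, "; ".join(problems)))
```

On a real server, feed it `ipa-getcert list` output instead of the sample (for example `audit(open("getcert.txt").read(), ...)` after saving the command's output) and check that the tracked nicknames and NSS database paths it reports match the ones the services actually load; a request re-added by hand with the wrong nickname or database, as was done with `-n ServerCert` above, shows up here as a tracked entry that does not correspond to the certificate the service is serving.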