[Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) Roger.Vaede at fincen.gov
Wed Oct 30 19:40:16 UTC 2013


The certificate that I tried to install was a self-signed certificate.
Here are the contents of the file:  /var/log/ipaserver-install.log

2013-10-21 11:42:44,031 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-10-21 11:42:44,032 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2013-10-21 11:42:44,032 DEBUG httpd is configured
2013-10-21 11:42:44,032 DEBUG ipa_kpasswd is configured
2013-10-21 11:42:44,032 DEBUG dirsrv is configured
2013-10-21 11:42:44,033 DEBUG pki-cad is configured
2013-10-21 11:42:44,033 DEBUG pkids is configured
2013-10-21 11:42:44,033 DEBUG install is configured
2013-10-21 11:42:44,033 DEBUG krb5kdc is configured
2013-10-21 11:42:44,033 DEBUG ntpd is not configured
2013-10-21 11:42:44,033 DEBUG named is not configured
2013-10-21 11:42:44,033 DEBUG filestore has files


On the (good) backup server, here are the contents of the certificate:

[root at xxxxx ~]# ipa-getcert list
Number of certificates and requests being tracked: 2.
Request ID '20111020180721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xxx ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-xxx//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xx',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=xxxxxx.xxx
        subject: CN=xxxxxxx.xxxxxx.xxx,O=xxxxxxx.xx
        expires: 2015-09-23 17:46:26 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        command:
        track: yes
        auto-renew: yes
Request ID '20111020180816':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=xxxxxx.xxx
        subject: CN=xxxxxx.xxxx.xxx,O=xxxxxxx.xxx
        expires: 2015-09-23 17:46:26 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        command:
        track: yes
        auto-renew: yes

regards
Roger



-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Wednesday, October 30, 2013 3:29 PM
To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
Subject: Re: [Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) wrote:
> I did try to replace the certificate with a self-signed one at one point, but then I was getting an error saying the certificate wasn't valid.

Ok, I need to get a better handle on how this was originally installed in order to guide you. Can you look to see if /var/log/ipaserver-install.log still exists? It should have the original arguments passed.

What I need to know is if this was installed using a dogtag CA or if it was installed as a selfsign server.

rob

>
> Regards
> Roger
>
> -----Original Message-----
> From: Vaede, Roger (Contractor)
> Sent: Wednesday, October 30, 2013 2:37 PM
> To: 'Rob Crittenden'; 'freeipa-devel at redhat.com'
> Subject: RE: [Freeipa-devel] certificate renewal
>
> I never installed freeipa, the person that installed it left the company.
> I removed the request ID at one point by using the stop-tracking command then I used this command to reinstate them:
> ipa-getcert start-tracking  -d  /var/lib/pki-ca/alias -n ServerCert -r
>
> Initially they expired around October 25th.
>
> Regards
> Roger
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, October 30, 2013 2:30 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I have two IPA servers, one primary and one backup.  (Redhat 5)
>
> What version of ipa-server is this?
>
>> The primary server's certificate has expired.
>>
>> I am not able to renew it.
>>
>> I turned off the ssl on the clients and now the users can login.
>>
>> I did a lot of research on certificate renewal and I am lost at this point.
>>
>> I am able to make changes using the backup IPA server.
>
> This getcert output is quite strange. Did you start tracking these yourself?
>
> Did you replace the IPA CA certificate at some point?
>
> rob
>
>
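The check that this thread circles around (is each IPA certificate still tracked by certmonger, is the request stuck, and has the certificate already expired) can be automated against the `ipa-getcert list` output format shown above. The following script is an added example written for this archive page; it is not code from the thread, from FreeIPA or from certmonger. The sample output it embeds is constructed to match the layout shown in the thread, with placeholder hostnames and organisation names, and the second request is deliberately given a `CA_UNREACHABLE` status, `stuck: yes` and a past expiry date so that the report has something to flag. The reference time is the date of the message at the top of the page.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, laid out like the `ipa-getcert list` output quoted in the
# thread. Hostnames, organisation and paths are placeholders (EXAMPLE.COM).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20111020180721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2015-09-23 17:46:26 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        command:
        track: yes
        auto-renew: yes
Request ID '20111020180816':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2013-10-25 12:00:00 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        command:
        track: yes
        auto-renew: yes
"""

# Reference point for the sample: the timestamp of the message at the top of
# the thread (constructed; a real run would use datetime.now(timezone.utc)).
REFERENCE_NOW = datetime(2013, 10, 30, 19, 40, 16, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block.

    Every indented 'key: value' line is stored under its key; the first colon
    separates key from value, so values that themselves contain colons or
    commas (the NSSDB storage lines) are kept intact.
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line such as 'Number of certificates ...'
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Turn the 'expires' field ('YYYY-MM-DD HH:MM:SS UTC') into an aware datetime."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def assess(requests, now, warn_days=30):
    """Return a list of (request_id, problems); an empty problem list is healthy.

    Flags anything certmonger will not renew on its own: a status other than
    MONITORING, a stuck request, tracking or auto-renew switched off, and a
    certificate that is expired or inside the warning window.
    """
    findings = []
    for req in requests:
        problems = []
        if req.get("status") != "MONITORING":
            problems.append(f"status {req.get('status')}")
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("track") != "yes":
            problems.append("not tracked")
        if req.get("auto-renew") != "yes":
            problems.append("auto-renew off")
        expires = parse_expiry(req.get("expires", ""))
        if expires is None:
            problems.append("no expiry")
        elif expires <= now:
            problems.append(f"expired {(now - expires).days} days ago")
        elif expires - now <= timedelta(days=warn_days):
            problems.append(f"expires in {(expires - now).days} days")
        findings.append((req["request_id"], problems))
    return findings


if __name__ == "__main__":
    # Pipe real output in with `ipa-getcert list | python3 this_script.py`;
    # with no stdin the constructed sample and reference time are used.
    if sys.stdin.isatty():
        text, now = SAMPLE_GETCERT_LIST, REFERENCE_NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    for request_id, problems in assess(parse_getcert_list(text), now):
        print(request_id, "OK" if not problems else "; ".join(problems))
```

Run against the thread's own situation (a request whose certificate expired around October 25th, with the script run on October 30th), the second request is reported as `status CA_UNREACHABLE; stuck; expired 5 days ago`, while the first, which does not expire until 2015, is reported as healthy. Hooking the same script into a cron job or a monitoring check gives advance warning before the 30-day window closes, which is the point at which a FreeIPA server stops being able to renew its own certificates without manual intervention.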