[Freeipa-users] FreeIPA webserver cert expired.
Paul Tader
ptader at linuxscope.com
Tue Jun 5 18:18:37 UTC 2012
A couple days ago my (apache) certificates expired. Users are able to
kinit but tools such as sudo fail because of the expired certificates.
Lots of reading/Googling later I found this script (steps) to renew
these certs:
I'd rather run the commands one at a time, but my question is am I on
the right track? Will this work? Other suggestions?
I know I'll probably have to reset the date on the server back a couple
days and get a new ticket to make this work.
--- From: http://adam.younglogic.com/2011/08/httpd-cert/ ----
CSR=`mktemp`
PRINCIPAL=HTTP/`hostname`
CERT=`mktemp`
# Generate a new key pair and CSR in the Apache NSS database
# (single command; the original mail wrapped it across two lines; 1024-bit RSA as in the blog script)
certutil -R -s "CN=$HOSTNAME" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -g 1024 -a > $CSR
# Ask the IPA CA to sign the CSR for the HTTP service principal
ipa cert-request $CSR --principal=$PRINCIPAL
# Fetch the issued certificate and import it under the nickname httpd uses
ipa service-show $PRINCIPAL --out $CERT
certutil -A -d /etc/httpd/alias/ -n "Server-Cert" -t "u,u,u" -a -f /etc/httpd/alias/pwdfile.txt -i $CERT
---
$ sudo -l
sudo: ldap_start_tls_s(): Connect error
sudo: no valid sudoers sources found, quitting
---
[root at srv01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
status: SUBMITTING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MYREALM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-REALM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYREALM
subject: CN=srv01.company.net,O=MYREALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110706215129':
status: SUBMITTING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYREALM.NET
subject: CN=srv01.company.net,O=MYREALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110706215145':
status: SUBMITTING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MYREALM.NET
subject: CN=srv01.company.net,O=MYREALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
---
[root at srv01 ~]# tail -1 /var/log/httpd/error_log
[Tue Jun 05 13:11:06 2012] [error] SSL Library Error: -12269 The server has rejected your certificate as expired
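The `ipa-getcert list` output above is the place to catch this before httpd starts rejecting its own certificate: all three requests sit in `status: SUBMITTING` with the expiry date already past. The following is an added example, not part of the post or of FreeIPA, that parses certmonger's listing and flags requests that are stuck, not in the steady `MONITORING` state, expired, or about to expire; the sample listing, request ids, paths and realm are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the shape of the `ipa-getcert list` output quoted in the
# post (request ids, paths, realm and dates are made up; fields are tab-indented).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110706215145':
\tstatus: SUBMITTING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2012-06-03 20:19:49 UTC
\tauto-renew: yes
Request ID '20110706215200':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\texpires: 2013-06-03 20:19:49 UTC
\tauto-renew: yes
"""

def utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' stamps (the suffix is optional)."""
    return datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Turn certmonger's 'Request ID' blocks into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def find_problems(text, now, warn_days=14):
    """Return (request id, reason) pairs: stuck, not MONITORING, expired, or expiring within warn_days."""
    problems = []
    for req in parse_getcert(text):
        if req.get("stuck") == "yes":
            problems.append((req["id"], "stuck"))
        if req.get("status") != "MONITORING":
            problems.append((req["id"], f"status {req.get('status')} (renewal not complete)"))
        exp = utc(req["expires"])
        if exp <= now:
            problems.append((req["id"], f"expired {exp:%Y-%m-%d}"))
        elif exp - now < timedelta(days=warn_days):
            problems.append((req["id"], f"expires in {(exp - now).days} days"))
    return problems
```

Run it against the real listing (`find_problems(subprocess.check_output(["ipa-getcert", "list"], text=True), datetime.now(timezone.utc))`) from cron and alert on a non-empty result; a request that stays in SUBMITTING for more than a day is the signal that certmonger's automatic renewal has not gone through.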