[Freeipa-users] FreeIPA webserver cert expired.

Paul Tader ptader at linuxscope.com
Tue Jun 5 18:18:37 UTC 2012


A couple of days ago my (apache) certificates expired.  Users are able to 
kinit but tools such as sudo fail because of the expired certificates. 
Lots of reading/Googling later I found this script (steps) to renew 
these certs:

I'd rather run the commands one at a time, but my question is am I on 
the right track?  Will this work? Other suggestions?

I know I'll probably have to reset the date on the server back a couple 
days and get a new ticket to make this work.


--- From: http://adam.younglogic.com/2011/08/httpd-cert/ ----

#!/bin/bash
set -e

CSR=$(mktemp)
CERT=$(mktemp)
# The HTTP service principal for this host; hostname must resolve to the
# FQDN used in the service entry and the certificate subject.
HOST=$(hostname)
PRINCIPAL="HTTP/$HOST"

# Generate a new key pair and CSR in Apache's NSS database.
# (The original used -g 1024; 2048 is the smallest RSA size worth issuing now.)
certutil -R -s "CN=$HOST" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -g 2048 -a > "$CSR"
# Have the IPA CA sign the CSR for the HTTP service principal.
ipa cert-request "$CSR" --principal="$PRINCIPAL"
# Fetch the newly issued certificate from the service entry ...
ipa service-show "$PRINCIPAL" --out "$CERT"
# ... and import it into the NSS database under the nickname httpd uses.
certutil -A -d /etc/httpd/alias/ -n "Server-Cert" -t "u,u,u" -a -f /etc/httpd/alias/pwdfile.txt -i "$CERT"
rm -f "$CSR" "$CERT"
---


$ sudo -l
sudo: ldap_start_tls_s(): Connect error
sudo: no valid sudoers sources found, quitting

---

[root at srv01 ~]# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYREALM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYREALM//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MYREALM
	subject: CN=srv01.company.net,O=MYREALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110706215129':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MYREALM.NET
	subject: CN=srv01.company.net,O=MYREALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110706215145':
	status: SUBMITTING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MYREALM.NET
	subject: CN=srv01.company.net,O=MYREALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes

---

[root at srv01 ~]# tail -1 /var/log/httpd/error_log
[Tue Jun 05 13:11:06 2012] [error] SSL Library Error: -12269 The server has rejected your certificate as expired
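Before touching the NSS databases it is worth knowing which tracked certificates are actually expired or stuck, so the same problem can be caught before the next expiry. The script below is an added example, not part of the original post nor a FreeIPA tool: it parses `ipa-getcert list` output (the sample embedded here is constructed, with placeholder hostname and realm) and prints one line per request that is expired, marked stuck, or not in the MONITORING state. The `now` argument is passed explicitly as "YYYY-MM-DD HH:MM:SS" in UTC, matching the `expires:` field, so a plain string comparison orders the timestamps without depending on GNU date.

```shell
#!/bin/sh
# Added example (not from the post or FreeIPA): flag tracked certificates
# from `ipa-getcert list` that are expired, stuck, or not in MONITORING.

# Constructed sample in the layout `ipa-getcert list` prints; the host,
# realm and one CA_UNREACHABLE entry are invented for illustration.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2012-06-03 20:19:49 UTC
    auto-renew: yes
Request ID '20110706215129':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2014-06-03 20:19:49 UTC
    auto-renew: yes
Request ID '20110706215145':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2014-06-03 20:19:49 UTC
    auto-renew: yes
EOF
}

# check_tracked_certs NOW
#   NOW is "YYYY-MM-DD HH:MM:SS" in UTC, the same shape as the `expires:`
#   field, so string comparison orders the two timestamps correctly.
#   Reads `ipa-getcert list` output on stdin; prints one ATTENTION line per
#   request that is expired, marked stuck, or whose status is not MONITORING.
check_tracked_certs() {
    now="$1"
    awk -v now="$now" -v q="'" '
        function report() {
            if (id == "") return
            reasons = ""
            if (expires != "" && expires <= now) reasons = reasons " EXPIRED"
            if (stuck == "yes") reasons = reasons " STUCK"
            if (status != "MONITORING") reasons = reasons " STATUS=" status
            if (reasons != "")
                printf "ATTENTION %s %s expires=%s%s\n", id, location, expires, reasons
            id = ""; status = ""; stuck = ""; location = ""; expires = ""
        }
        /^Request ID/            { report(); id = $3; gsub(/[^0-9]/, "", id) }
        /^[ \t]*status:/         { status = $2 }
        /^[ \t]*stuck:/          { stuck = $2 }
        /^[ \t]*expires:/        { expires = $2 " " $3 }
        /^[ \t]*key pair storage:/ {
            # pull the NSS DB path out of location=...
            n = index($0, "location=" q)
            rest = substr($0, n + 10)
            location = substr(rest, 1, index(rest, q) - 1)
        }
        END { report() }
    '
}

# Stand-alone run against the constructed sample, as of the original post's date.
# On a real server replace sample_getcert_list with: ipa-getcert list
sample_getcert_list | check_tracked_certs "2012-06-05 18:18:37"
```

Run as a cron job with `ipa-getcert list | check_tracked_certs "$(date -u '+%Y-%m-%d %H:%M:%S')"` and alert on any ATTENTION line; a request that sits in SUBMITTING or CA_UNREACHABLE for long is a sign certmonger's auto-renew is not going to succeed on its own, which is worth knowing well before the `expires:` date.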
