<div dir="ltr"><div><div><div>Sorry it took me so long to try this and get back to you. I tried modifying that Python script and running it, and this is what I get:<br><br>Initializing API<br>Setting up NSS databases<br>Untracking existing Apache Server-Cert<br>Issuing new cert<br>Tracking Server-Cert<br>ipa: ERROR: certmonger failed starting to track certificate: Nickname "Server-Cert" doesn't exist in NSS database "/etc/httpd/alias"<br><br></div>I checked and it's right. The output of certutil -L -d /etc/httpd/alias is... confusing, actually. So I got the above output. Then I realized my Kerberos ticket was expired and I ought to get a new one. When I did so, I retried the command and got the exact same output. However, this time certutil's output is different:<br><br># certutil -L -d /etc/httpd/alias<br><br>Certificate Nickname Trust Attributes<br> SSL,S/MIME,JAR/XPI<br><br>puppetmaster/hostname u,u,u<br>REALMNAME IPA CA CT,C,C<br>ipaCert u,u,u<br>Signing-Cert u,u,u<br>puppetmaster/hostname u,u,u<br><br></div>The puppetmaster/hostname entry is in there twice. The first attempt at newcert.py is still in my scroll buffer: the puppetmaster entry definitely only appears once until after this most recent run. I'm starting to wonder if my attempts to create that puppetmaster cert somehow screwed up the database.<br></div><div><div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 23, 2014 at 4:05 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Eric McCoy wrote:<br>
> Some nicknames changed to protect the innocent. The<br>
> puppetmaster/hostname cert is nominally unrelated, though its creation<br>
> was contemporaneous with the disappearance of server-cert so I can't<br>
> entirely rule it out.<br>
><br>
> Certificate Nickname Trust<br>
> Attributes<br>
><br>
> SSL,S/MIME,JAR/XPI<br>
><br>
> puppetmaster/hostname u,u,u<br>
> REALMNAME IPA CA CT,C,C<br>
> ipaCert u,u,u<br>
> Signing-Cert u,u,u<br>
<br>
</span>Ok, this is good. If we have ipaCert we can get a cert directly from the<br>
CA like we do during installation.<br>
<br>
The attached python script should fix things up for you.<br>
<br>
Save it, modify it and replace subjectbase with what matches your<br>
environment. You can get the base from an existing cert with:<br>
<br>
# certutil -L -d /etc/dirsrv/slapd-REALM -n Server-Cert |grep Subject<br>
<br>
Unless you changed it during installation it should be O=<REALM><br>
<br>
Then just run the script:<br>
<br>
# python newcert.py<br>
Initializing API<br>
Setting up NSS databases<br>
Untracking existing Apache Server-Cert<br>
Issuing new cert<br>
Tracking Server-Cert<br>
<br>
# service httpd start<br>
<br>
The only thing this script doesn't do is put this updated certificate in<br>
the service record's LDAP entry.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span><span class="im HOEnZb"><br>
><br>
><br>
> On Thu, Oct 23, 2014 at 12:53 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
</span><div class="HOEnZb"><div class="h5">> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote:<br>
><br>
> Eric McCoy wrote:<br>
> > Hi all,<br>
> ><br>
> > I somehow destroyed my primary IPA server's Server-Cert in<br>
> > /etc/httpd/alias. I don't understand how or why it happened, all<br>
> I know<br>
> > is that I went to restart Apache and it was gone. Apache won't start,<br>
> > of course, because the cert is missing. I can't issue a new cert<br>
> on the<br>
> > primary because Apache is down. I tried using the secondary, but it<br>
> > fails saying that it can't connect to the web server on the primary<br>
> > (it's the same error message I get when I try to issue a cert from the<br>
> > primary). I can't figure out how to tell ipa-getcert et al. to<br>
> talk to<br>
> > the secondary and not the primary. I'm not using DNS for service<br>
> > discovery, so I'm not sure how the various tools figure out where<br>
> things<br>
> > are.<br>
> ><br>
> > This is all on CentOS 6.5 with IPA 3.0.0-37.<br>
> ><br>
> ><br>
><br>
> What certs do you have in the database?<br>
><br>
> # certutil -L -d /etc/httpd/alias<br>
><br>
> rob<br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>