<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1426090056974_4812"><span></span></div><div id="yui_3_16_0_1_1426090056974_4818" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"><div id="yui_3_16_0_1_1426090056974_4817" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"><div id="yui_3_16_0_1_1426090056974_4820" class="y_msg_container"><div id="yiv2229194538"><style>#yiv2229194538 #yiv2229194538 --
 
#yiv2229194538 </style><div id="yui_3_16_0_1_1426090056974_4826"><div id="yui_3_16_0_1_1426090056974_4825" class="yiv2229194538WordSection1"><div id="yui_3_16_0_1_1426090056974_4829" class="yiv2229194538MsoNormal"><span style="font-size:11.0pt;"> </span></div><div id="yui_3_16_0_1_1426090056974_4828" class="yiv2229194538MsoNormal"><span style="font-size:11.0pt;">  </span></div><div id="yui_3_16_0_1_1426090056974_4824"><div id="yui_3_16_0_1_1426090056974_4823" style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;"><div class="qtdSeparateBR"><br><br></div><div class="yiv2229194538yqt4145118758" id="yiv2229194538yqtfd68317"><div id="yui_3_16_0_1_1426090056974_4822" class="yiv2229194538MsoNormal"><b id="yui_3_16_0_1_1426090056974_4946"><span style="font-size:10.0pt;"><br></span></b><span id="yui_3_16_0_1_1426090056974_4827" style="font-size:10.0pt;"></span></div></div></div></div><div class="yiv2229194538yqt4145118758" id="yiv2229194538yqtfd22715"><div id="yui_3_16_0_1_1426090056974_4947" class="yiv2229194538MsoNormal">This issue has now gotten much worse and we are unable to enroll clients. 
We are getting an error saying the server does not have a cert:</div><div id="yui_3_16_0_1_1426090056974_5138" class="yiv2229194538MsoNormal"><br></div><div dir="ltr" id="yui_3_16_0_1_1426090056974_5087" class="yiv2229194538MsoNormal">Do you want download the CA cert from http://ipa1.example.com/ipa/config/ca.crt ?<br style="" class="">(this is INSECURE) [no]: yes<br style="" class="">Cannot obtain CA certificate<br style="" class="">'http://ipa1.example.com/ipa/config/ca.crt' doesn't have a certificate.</div><div id="yui_3_16_0_1_1426090056974_5139" dir="ltr" class="yiv2229194538MsoNormal"><br></div><div id="yui_3_16_0_1_1426090056974_5155" dir="ltr" class="yiv2229194538MsoNormal">Can we somehow replace our certs and revert back to the original ones issued by the dogtag server so we have a standard configuration, or is there a clean way to fix this issue?</div><div dir="ltr" class="yiv2229194538MsoNormal"><br></div><div dir="ltr" class="yiv2229194538MsoNormal">Thank you<br></div><div id="yui_3_16_0_1_1426090056974_5102" class="yiv2229194538MsoNormal"><br></div><div id="yui_3_16_0_1_1426090056974_5101" class="yiv2229194538MsoNormal"><br></div><div id="yui_3_16_0_1_1426090056974_5098" class="yiv2229194538MsoNormal"><br></div><div id="yui_3_16_0_1_1426090056974_4948"><div id="yiv2229194538"><div id="yiv2229194538yqtfd60042"><div id="yiv2229194538yui_3_16_0_1_1426006312851_5046"><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div id="yui_3_16_0_1_1426090056974_4967" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_4968" style="font-size:10.0pt;">I was told the GoDaddy certs were just imported using certutil -a, but in looking at the certs the original certs were actually replaced. 
This is only in /etc/dirsrv/slapd-REALM-COM:</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div id="yui_3_16_0_1_1426090056974_4969" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div id="yiv2229194538yui_3_16_0_1_1426006312851_5810"><div id="yui_3_16_0_1_1426090056974_5007" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_5008" style="font-size:8.5pt;">Certificate Nickname                                         Trust Attributes</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5811"><div id="yui_3_16_0_1_1426090056974_5005" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_5006" style="font-size:8.5pt;">                                                             SSL,S/MIME,JAR/XPI</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5812"><div id="yui_3_16_0_1_1426090056974_5004" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">  </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5813"><div id="yui_3_16_0_1_1426090056974_4970" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_5003" style="font-size:8.5pt;">GD_CA                                                        CT,C,C</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5821"><div id="yui_3_16_0_1_1426090056974_5002" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_5001" style="font-size:8.5pt;">NWF_GD                                                       u,u,u</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5821"><div id="yui_3_16_0_1_1426090056974_5000" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">  </span></div></div><div 
id="yiv2229194538yui_3_16_0_1_1426006312851_5821"><div id="yui_3_16_0_1_1426090056974_4999" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">  </span></div></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div id="yui_3_16_0_1_1426090056974_4971" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_4998" style="font-size:10.0pt;">The certs in /etc/dirsrv/slapd-PKI-CA are still the originals:</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div id="yiv2229194538yui_3_16_0_1_1426006312851_5903"><div id="yui_3_16_0_1_1426090056974_4996" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_4997" style="font-size:8.5pt;">[root@ipa2-corp ~]# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5904"><div id="yui_3_16_0_1_1426090056974_4972" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">  </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5905"><div id="yui_3_16_0_1_1426090056974_4973" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">Certificate Nickname                                         Trust Attributes</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5906"><div id="yui_3_16_0_1_1426090056974_4974" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">                                                             SSL,S/MIME,JAR/XPI</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5907"><div id="yui_3_16_0_1_1426090056974_5030" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">  
</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5908"><div id="yui_3_16_0_1_1426090056974_4975" class="yiv2229194538MsoNormal" style="background:white;"><span id="yui_3_16_0_1_1426090056974_5031" style="font-size:8.5pt;">IPADOMAIN.COM IPA CA                                      CT,C,</span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5939"><div id="yui_3_16_0_1_1426090056974_4976" class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:8.5pt;">Server-Cert                                                  u,u,u</span></div></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;">  </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_5045"><div class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;"> I am not even sure how this works or if it can be fixed. Should/Can we go back to using the original dogtag certs?</span></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_2854"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2853"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2852"><div class="yiv2229194538MsoNormal" style="text-align:center;background:white;" align="center"><span style=""></span><hr align="center" size="1" width="100%"></div><div class="yiv2229194538MsoNormal" style="background:white;"><span style="">  </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_2858"><div id="yiv2229194538"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2860"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2859"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3288"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3287"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3286"><div id="yiv2229194538"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3285"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3284"><div 
id="yiv2229194538yui_3_16_0_1_1426006312851_2866"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2865" style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2872"><div class="yiv2229194538MsoNormal" style="background:white;"><b><span style="font-size:10.0pt;">From:</span></b><span style="font-size:10.0pt;"> <a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>] <b>On Behalf Of </b>Dmitri Pal<br clear="none"><b id="yiv2229194538yui_3_16_0_1_1426006312851_5855">Sent:</b> Wednesday, March 04, 2015 2:57 PM<br clear="none"><b id="yiv2229194538yui_3_16_0_1_1426006312851_5853">To:</b> <a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br clear="none"><b>Subject:</b> Re: [Freeipa-users] Need to replace cert for ipa servers</span><span style=""></span></div></div></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_2871"><div class="yiv2229194538MsoNormal" style="background:white;"><span style=""> </span></div></div><div id="yiv2229194538yui_3_16_0_1_1426006312851_2870"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2869"><div class="yiv2229194538MsoNormal" style="background:white;"><span style="">On 03/04/2015 04:32 PM, sipazzo wrote:</span></div></div></div><blockquote id="yiv2229194538yui_3_16_0_1_1426006130753_3283" style="margin-top:5.0pt;margin-bottom:5.0pt;"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3282"><div id="yiv2229194538yui_3_16_0_1_1425499626880_29483"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3281"><div class="yiv2229194538MsoNormal" 
style="background:white;"><span style="font-size:10.0pt;">Good afternoon, we have a FreeIPA 3.0.42 installation running on Red Hat 6.6 with a mix of RHEL 5, RHEL 6 and Solaris clients. It was originally configured with the built-in dogtag certificate CA and then one of my co-workers added our GoDaddy certificate to the certificate bundle. My understanding is this cert is used for communication between the IPA servers, and the clients are also configured to trust the GoDaddy certificate. We recently had to get a new GoDaddy cert so our old one is revoked. I need to figure out how to either replace the existing revoked cert with the new one or add the new one to the bundle and then remove the revoked certificate so as not to break anything.</span><span style=""></span></div></div></div><div id="yiv2229194538yui_3_16_0_1_1425499626880_29483"><div id="yiv2229194538yui_3_16_0_1_1426006130753_3289"><div class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;"> </span><span style=""></span></div></div></div><div id="yiv2229194538yui_3_16_0_1_1425499626880_29483"><div id="yiv2229194538yui_3_16_0_1_1426006312851_2868"><div class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Any help is appreciated. 
I am not strong with certificates, so the more detail you can give the better.</span><span style=""></span></div></div></div><div id="yiv2229194538yui_3_16_0_1_1425499626880_29483"><div><div class="yiv2229194538MsoNormal" style="background:white;"><span style="font-size:10.0pt;">Thank you.</span><span style=""></span></div></div></div></div><div><div class="yiv2229194538MsoNormal" style="margin-bottom:12.0pt;background:white;"><span style="">  </span></div></div></blockquote><div id="yiv2229194538yui_3_16_0_1_1426006130753_3290"><div class="yiv2229194538MsoNormal" style="margin-bottom:12.0pt;background:white;"><span style="">You say it was running with the self-signed IPA CA and then the GoDaddy cert was added to the bundle. How was it added?<br clear="none">IPA does not use certs for communication between the instances. It uses Kerberos. I am not sure the GoDaddy cert you added is even used in some way by IPA.<br clear="none">It seems that your GoDaddy cert is an orthogonal trust, so if you replaced the main key pair then you just need to distribute your new GoDaddy cert to the clients as you did in the first place.<br clear="none"><br clear="none"><br clear="none"></span></div></div><pre style="background:white;"><span style="color:black;">-- </span></pre><pre style="background:white;"><span style="color:black;">Thank you,</span></pre><pre style="background:white;"><span style="color:black;">Dmitri Pal</span></pre><pre id="yiv2229194538yui_3_16_0_1_1426006130753_3291" style="background:white;"><span style="color:black;">  </span></pre><pre style="background:white;"><span style="color:black;">Sr. 
Engineering Manager IdM portfolio</span></pre><pre style="background:white;"><span style="color:black;">Red Hat, Inc.</span></pre></div></div></div><div class="yiv2229194538MsoNormal" style="margin-bottom:12.0pt;background:white;"><span style="">  </span></div></div></div></div></div></div></div><div class="yiv2229194538MsoNormal" style="margin-bottom:12.0pt;background:white;"><span style="">  </span></div></div></div></div></div></div></div></div></div></div></div></div></div><br><br></div> </div> </div>  </div></body></html>
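An added example, not code from the thread or from the FreeIPA project: a small Python audit that parses `certutil -L` output like the two listings above and reports the departures from a stock FreeIPA NSS database that the poster describes (a foreign CA holding SSL trust flags, the IPA CA missing, the Server-Cert key pair replaced). The embedded listings are constructed to mirror the thread; the nickname "IPADOMAIN.COM IPA CA" and the default "Server-Cert" nickname are taken from the listings, and the directory names are the ones the poster gave.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples modelled on the two certutil -L listings in the thread,
# not output captured from the poster's servers.
SLAPD_REALM_COM = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
NWF_GD                                                       u,u,u
"""

SLAPD_PKI_IPA = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPADOMAIN.COM IPA CA                                         CT,C,C
Server-Cert                                                  u,u,u
"""

# One data row: nickname, two or more spaces, then "ssl,smime,objsign" flags.
ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*(?:,[A-Za-z]*){2})\s*$")


def parse_certutil_list(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust flags from certutil -L output."""
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines carry no "a,b,c" trust column
            ssl, smime, objsign = m.group("trust").split(",")
            certs[m.group("nick")] = (ssl, smime, objsign)
    return certs


def audit_nssdb(text: str, expected_ca: str, server_nick: str = "Server-Cert") -> List[str]:
    """Report where an NSS database departs from a stock FreeIPA layout:
    the IPA CA must be the only SSL trust anchor (C or T flag) and the
    server cert must still be present with its private key (u flag)."""
    certs = parse_certutil_list(text)
    findings: List[str] = []
    if expected_ca not in certs:
        findings.append(f"missing expected CA '{expected_ca}'")
    elif "C" not in certs[expected_ca][0]:
        findings.append(f"'{expected_ca}' is not trusted as an SSL CA")
    for nick, (ssl, _, _) in certs.items():
        if nick != expected_ca and ("C" in ssl or "T" in ssl):
            findings.append(f"unexpected SSL trust anchor '{nick}' ({ssl})")
    if server_nick not in certs:
        findings.append(f"missing server cert '{server_nick}'")
    elif "u" not in certs[server_nick][0]:
        findings.append(f"'{server_nick}' has no private key (trust {certs[server_nick][0]})")
    return findings
```

Running `audit_nssdb(SLAPD_REALM_COM, "IPADOMAIN.COM IPA CA")` yields three findings (CA missing, GD_CA as an unexpected anchor, Server-Cert missing), while the slapd-PKI-IPA listing yields none.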