<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1427226340541_6847">Ok I finally was able to get a sandbox environment up to test the cert replacement. When I got to the cert request steps:</div><div dir="ltr" id="yui_3_16_0_1_1427226340541_7195">ipa-getcert request -d /etc/dirsrv/slapd-IPADOMAIN-COM -n Server-Cert -p /etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt -C '/usr/lib64/ipa/certmonger/restart_dirsrv IPADOMAIN-COM' -N CN=idm2-corp.ipadomain.com -K ldap/ipa2-corp.ipadomain.com@IPADOMAIN.COM</div><div id="yui_3_16_0_1_1427226340541_7334" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_7199">I got a message saying the cert at the same location is already used by a request with nickname "20140729215511", the same when I ran it for /etc/httpd/alias. I continued on anyway but when I get to this step:</div><div id="yui_3_16_0_1_1427226340541_7608"><br></div> # certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM<div id="yui_3_16_0_1_1427226340541_6896" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_6928" dir="ltr">I get an error: <br></div><div id="yui_3_16_0_1_1427226340541_6929" dir="ltr">certutil: could not find certificate named "Server-Cert": PR_FILE_NOT_FOUND_ERROR: File not found</div><div id="yui_3_16_0_1_1427226340541_6980" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_6941" dir="ltr">Although running certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM/ returns this:<br style="" class=""><br style="" class="">Certificate Nickname                                         Trust Attributes<br style="" class="">                                                             SSL,S/MIME,JAR/XPI<br style="" class=""><br style="" class="">GD_CA                                                        CT,C,C<br style="" class="">IPADOMAIN.COM IPA CA                                      CT,, <br style="" class="">NWF_GD                
                                       u,u,u</div><div id="yui_3_16_0_1_1427226340541_7045" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_7148" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_7149" dir="ltr">Showing that the IPA Dogtag cert is now listed whereas it was not previously. </div><div id="yui_3_16_0_1_1427226340541_7654" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_7723" dir="ltr"><br></div><div id="yui_3_16_0_1_1427226340541_6799" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1427226340541_6798" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1427226340541_6797" dir="ltr"> <hr id="yui_3_16_0_1_1427226340541_6796" size="1">  <font id="yui_3_16_0_1_1427226340541_6930" face="Arial" size="2"> <b id="yui_3_16_0_1_1427226340541_7858"><span id="yui_3_16_0_1_1427226340541_7857" style="font-weight:bold;">From:</span></b> sipazzo <sipazzo@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Rob Crittenden <rcritten@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, March 13, 2015 1:32 PM<br> <b id="yui_3_16_0_1_1427226340541_7860"><span id="yui_3_16_0_1_1427226340541_7859" style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] Fw:  Need to replace cert for ipa servers<br> </font> </div> <div id="yui_3_16_0_1_1427226340541_6806" class="y_msg_container"><br><div id="yiv1746717122"><div id="yui_3_16_0_1_1427226340541_6805"><div id="yui_3_16_0_1_1427226340541_6804" style="color:#000;background-color:#fff;font-family:bookman old style, new york, times, serif;font-size:13px;"><div id="yiv1746717122yui_3_16_0_1_1426263616540_14519"><span></span></div><div dir="ltr" id="yiv1746717122yui_3_16_0_1_1426263616540_14985">This environment is over 350 servers, many of which are in production so I may 
have to wait a bit for change management approval to attempt to resolve this issue, particularly if you think it might break something.  I will keep you updated on my progress. Thank you much.<br clear="none"></div><div id="yiv1746717122yui_3_16_0_1_1426263616540_15063">  <br clear="none"></div><div class="qtdSeparateBR"><br><br></div><div class="yiv1746717122yqt6007192869" id="yiv1746717122yqt08748"><div id="yiv1746717122yui_3_16_0_1_1426263616540_14328" style="font-family:bookman old style, new york, times, serif;font-size:13px;"> <div id="yiv1746717122yui_3_16_0_1_1426263616540_14327" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr" id="yiv1746717122yui_3_16_0_1_1426263616540_14326"> <hr id="yiv1746717122yui_3_16_0_1_1426263616540_14521" size="1">  <font id="yiv1746717122yui_3_16_0_1_1426263616540_14522" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> sipazzo <sipazzo@yahoo.com><br clear="none"> <b><span style="font-weight:bold;">To:</span></b> Rob Crittenden <rcritten@redhat.com> <br clear="none"><b><span style="font-weight:bold;">Cc:</span></b> "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br clear="none"> <b id="yiv1746717122yui_3_16_0_1_1426263616540_15429"><span id="yiv1746717122yui_3_16_0_1_1426263616540_15428" style="font-weight:bold;">Sent:</span></b> Friday, March 13, 2015 9:21 AM<br clear="none"> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] Fw:  Need to replace cert for ipa servers<br clear="none"> </font> </div> <div class="yiv1746717122y_msg_container" id="yiv1746717122yui_3_16_0_1_1426263616540_14523"><br clear="none"><div id="yiv1746717122"><div class="yiv1746717122qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv1746717122yqt3442663895" id="yiv1746717122yqtfd59757"><div id="yiv1746717122yui_3_16_0_1_1426263616540_14525"><div id="yiv1746717122yui_3_16_0_1_1426263616540_14524" 
style="color:#000;background-color:#fff;font-family:bookman old style, new york, times, serif;font-size:13px;"><div id="yiv1746717122yui_3_16_0_1_1426263616540_2718"><span></span></div><br clear="none"><div id="yiv1746717122yui_3_16_0_1_1426263616540_2721" style="font-family:bookman old style, new york, times, serif;font-size:13px;"><div id="yiv1746717122yui_3_16_0_1_1426263616540_2720" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"><div class="yiv1746717122y_msg_container" id="yiv1746717122yui_3_16_0_1_1426263616540_2723"><br clear="none">-----Original Message-----<br clear="none">From: <a rel="nofollow" shape="rect" id="yiv1746717122yui_3_16_0_1_1426263616540_2732" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [mailto:<a rel="nofollow" shape="rect" id="yiv1746717122yui_3_16_0_1_1426263616540_14531" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] On Behalf Of Rob Crittenden<br clear="none">Sent: Thursday, March 12, 2015 1:52 PM<br clear="none">To: sipazzo; <a rel="nofollow" shape="rect" id="yiv1746717122yui_3_16_0_1_1426263616540_2733" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br clear="none">Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers<br clear="none"><br clear="none">sipazzo wrote:<br clear="none">> I do have other CAs (just not the master but it is available offline <br clear="none">> if<br clear="none">> needed)<br clear="none"><br clear="none">To be clear, all IPA servers are masters, some just run more services than others. 
It sounds like you have at least one CA available which should be sufficient.<br clear="none"><br clear="none">> Directory server is running<br clear="none">> The apache web server is running and I can get to the gui ipa <br clear="none">> cert-show 1 works<br clear="none"><br clear="none">Ok. I guess the place to start is to get certs for Apache and 389-ds, then we can see about using these new certs.<br clear="none"><br clear="none">In the thread you showed that the IPA 389-ds doesn't have a Server-Cert nickname. You'll want to do the same for /etc/httpd/alias before running the following commands, otherwise you could end up with a non-functional server.<br clear="none"><br clear="none">These should get IPA certs for 389-ds and Apache. You'll need to edit these commands to match your environment:<br clear="none"><br clear="none"># ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd -N CN=ipa.example.com -K HTTP/<a rel="nofollow" shape="rect" id="yiv1746717122yui_3_16_0_1_1426263616540_14923" ymailto="mailto:ipa.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa.example.com@EXAMPLE.COM">ipa.example.com@EXAMPLE.COM</a><br clear="none"><br clear="none"># ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C '/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N CN=ipa.example.com -K ldap/<a rel="nofollow" shape="rect" id="yiv1746717122yui_3_16_0_1_1426263616540_14922" ymailto="mailto:ipa.example.com@EXAMPLE.COM" target="_blank" href="mailto:ipa.example.com@EXAMPLE.COM">ipa.example.com@EXAMPLE.COM</a><br clear="none"><br clear="none">I'd do them one at a time and wait until the cert is issued and tracked.<br clear="none">This will restart both Apache and 389-ds but it shouldn't affect operation because the certs won't be used yet.<br clear="none"><br clear="none">You then need to get the old CA cert and put 
it into the right places.<br clear="none">Since it is already in the PKI-IPA NSS database let's fetch it from there. For giggles you should probably save whatever the contents of /etc/ipa/ca.crt are beforehand.<br clear="none"><br clear="none"># certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a > /etc/ipa/ca.crt<br clear="none"><br clear="none">Now add that to the Apache and 389-ds databases:<br clear="none"><br clear="none"># certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/httpd/alias -t CT,C, -a -i /etc/ipa/ca.crt<br clear="none"># certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/dirsrv/slapd-EXAMPLE-COM -t CT,, -a -i /etc/ipa/ca.crt<br clear="none"><br clear="none">Next add it to /etc/pki/nssdb if it isn't already there:<br clear="none"><br clear="none"># certutil -A -n 'IPA CA' -d /etc/pki/nssdb -t CT,C,C -a -i /etc/ipa/ca.crt<br clear="none"><br clear="none">Next, verify that the newly issued certs are trusted:<br clear="none"><br clear="none"># certutil -V -u V -n Server-Cert -d /etc/httpd/alias<br clear="none"># certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM<br clear="none"><br clear="none">Both should return:<br clear="none">certutil: certificate is valid<br clear="none"><br clear="none">Next is to configure the services to use the new certs. 
I'd stop IPA to do this: ipactl stop<br clear="none"><br clear="none">Edit /etc/httpd/conf.d/nss.conf and change the NSSNickname to Server-Cert<br clear="none"><br clear="none">Edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and set nsSSLPersonalitySSL to Server-Cert<br clear="none"><br clear="none">Now try to start the world: ipactl start<br clear="none"><br clear="none">Run a few commands:<br clear="none"><br clear="none"># ipa user-show admin<br clear="none"># ipa cert-show 1<br clear="none"><br clear="none">Both should work.<br clear="none"><br clear="none">Assuming all has gone well to this point, copy /etc/ipa/ca.crt to /usr/share/ipa/html/ca.crt<br clear="none"><br clear="none">Finally run: ipa-ldap-updater --upgrade<br clear="none"><br clear="none">This should load the new CA certificate into LDAP.<br clear="none"><br clear="none">This has the potential to break a whole bunch of your clients. It is probably enough to just copy over the new CA cert to the right location(s) on the clients. The mechanics of this depend on the OS.<br clear="none"><br clear="none">> Are the TLS errors due to the mismatch in certs between slapd-PKI-CA <br clear="none">> and slapd-NETWORKFLEET-COM?<br clear="none"><br clear="none">No, it has nothing to do with the CA at all. 
The client doesn't have (or<br clear="none">trust) the CA that issued the LDAP server cert.<br clear="none"><br clear="none">rob<br clear="none"><br clear="none">> <br clear="none">> <br clear="none">> -----Original Message-----<br clear="none">> <br clear="none">> <br clear="none">> From: <a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> <br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>><br clear="none">> [mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users-bounces@redhat.com" target="_blank" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>>] On Behalf Of Rob Crittenden<br clear="none">> Sent: Wednesday, March 11, 2015 7:20 PM<br clear="none">> To: sipazzo; <a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br clear="none">> Subject: Re: [Freeipa-users] Need to replace cert for ipa servers<br clear="none">> <br clear="none">> sipazzo wrote:<br clear="none">>> Thanks Rob, I apologize that error was probably not helpful. 
This is <br clear="none">>> what I see when running install in debug mode:<br clear="none">>><br clear="none">>> Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an <br clear="none">>> IPA server Init LDAP connection with:<br clear="none">>> ldap://ipa2-corp.networkfleet.com:389<br clear="none">>> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer <br clear="none">>> is not recognized.<br clear="none">>> Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA <br clear="none">>> server Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389<br clear="none">>> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer <br clear="none">>> is not recognized.<br clear="none">>> Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA <br clear="none">>> server Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389<br clear="none">>> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer <br clear="none">>> is not recognized.<br clear="none">>> Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA <br clear="none">>> server Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389<br clear="none">>> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer <br clear="none">>> is not recognized.<br clear="none">>> Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA <br clear="none">>> server Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389<br clear="none">>> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer <br clear="none">>> is not recognized.<br clear="none">>><br clear="none">>> The certificates are very confusing to me. 
I don't understand how <br clear="none">>> things are working when we have a set of GoDaddy certs in <br clear="none">>> slapd-NETWORKFLEET-COM and a set of the Dogtag certs in slapd-PKI-CA.<br clear="none">>> The cert in /usr/share/ipa/html/ca.crt looks like the original one <br clear="none">>> issued by the Dogtag cert system and matches the ones on the clients.<br clear="none">>> Not to further confuse things but the original master server that <br clear="none">>> signed all these certs was taken offline months ago due to some <br clear="none">>> issues it was having. I do still have access to it if necessary.<br clear="none">>><br clear="none">>> As far as why the godaddy certs were swapped out for the Dogtag certs <br clear="none">>> it was originally for something as simple as the untrusted <br clear="none">>> certificate dialogue when accessing the ipa gui. I did not swap out <br clear="none">>> the certs so am unsure of exactly what happened. There is no real <br clear="none">>> need to use the GoDaddy certs as far as I am concerned. I just want <br clear="none">>> the best solution to the issues I am seeing as I am in kind of a bind <br clear="none">>> with the GoDaddy cert being revoked and needing to be replaced and <br clear="none">>> the master Dogtag certificate server offline. We have a mixed <br clear="none">>> environment with Rhel 5, 6 and Solaris clients so are not using sssd in all cases.<br clear="none">>><br clear="none">>> I know this is asking a lot but appreciate any help you can give.<br clear="none">> <br clear="none">> What is the current state of things? Does your IPA Apache server work?<br clear="none">> Is 389-ds up and running? 
Do you have a working IPA CA?<br clear="none">> <br clear="none">> Does ipa cert-show 1 work?<br clear="none">> <br clear="none">> If the answer is yes to all then we should be able to generate new <br clear="none">> certs for all the services.<br clear="none">> <br clear="none">> rob<br clear="none">> <br clear="none">> <br clear="none">> --<br clear="none">> Manage your subscription for the Freeipa-users mailing list:<br clear="none">> <a rel="nofollow" shape="rect" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br clear="none">> Go to <a rel="nofollow" shape="rect" target="_blank" href="http://freeipa.org/">http://freeipa.org </a><<a rel="nofollow" shape="rect" target="_blank" href="http://freeipa.org/">http://freeipa.org/</a>>for more info on the <br clear="none">> project<br clear="none">> <br clear="none"><br clear="none"></div> </div> </div>  </div></div></div></div><br clear="none"><br clear="none"></div> </div> </div></div>  </div></div></div><br><br></div> </div> </div>  </div></body></html>
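The procedure Rob lays out in the quoted messages (request Server-Cert with ipa-getcert, import the IPA CA with certutil -A, then verify with certutil -V before pointing nss.conf and dse.ldif at the new nickname) fails in exactly the way sipazzo reports when the NSS database never received a Server-Cert entry. The script below is an added example, written for this thread and not taken from it or from FreeIPA, that turns the manual reading of certutil -L output into a pre-flight check. The function names (nss_nicknames, nss_trust_of, nss_has_nick, preflight) are hypothetical, and both listings are constructed sample input: SAMPLE_BEFORE reproduces the listing sipazzo posted, SAMPLE_AFTER is an assumed listing for the state the procedure aims at.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): an offline pre-flight
# check over "certutil -L" output. The thread's steps switch nss.conf and
# dse.ldif to the "Server-Cert" nickname and then run
# "certutil -V -u V -n Server-Cert"; the posted listing shows why that failed:
# the database held the IPA CA but no Server-Cert entry.
# Both listings below are constructed sample input, not live output.

# Listing as posted in the thread: CA present, Server-Cert absent.
SAMPLE_BEFORE='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
IPADOMAIN.COM IPA CA                                      CT,,
NWF_GD                                                       u,u,u
'

# Assumed listing for the target state: Server-Cert issued and tracked
# (user cert, trust "u,u,u") and the IPA CA trusted as an SSL CA.
SAMPLE_AFTER='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPADOMAIN.COM IPA CA                                      CT,,
Server-Cert                                                  u,u,u
'

# Trust column: three comma-separated groups of NSS trust flags, any of
# which may be empty, e.g. "CT,,", "CT,C,C", "u,u,u".
TRUST_RE='[CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*'

# nss_nicknames: read a listing on stdin, print one nickname per line.
# Nicknames may contain spaces ("IPADOMAIN.COM IPA CA"), so the trailing
# trust column is stripped instead of taking the first field.
nss_nicknames() {
    awk -v re="$TRUST_RE" '
        NF >= 2 && $NF ~ ("^" re "$") {
            sub("[ \t]+" re "[ \t]*$", "")
            print
        }'
}

# nss_trust_of LISTING NICK: print the trust attributes recorded for NICK
# (prints nothing when NICK is absent).
nss_trust_of() {
    printf '%s\n' "$1" | awk -v re="$TRUST_RE" -v nick="$2" '
        NF >= 2 && $NF ~ ("^" re "$") {
            trust = $NF
            sub("[ \t]+" re "[ \t]*$", "")
            if ($0 == nick) { print trust; exit }
        }'
}

# nss_has_nick LISTING NICK: succeed only on an exact nickname match.
nss_has_nick() {
    printf '%s\n' "$1" | nss_nicknames | grep -Fxq -- "$2"
}

# preflight LISTING CA_NICK: the checks to run before switching nss.conf and
# dse.ldif to Server-Cert. Succeeds only when Server-Cert exists and the CA
# is present with the C (trusted SSL CA) flag in its first trust group,
# which is what "certutil -V -u V" needs to chain the server cert.
preflight() {
    rc=0
    if ! nss_has_nick "$1" Server-Cert; then
        echo "missing Server-Cert: the ipa-getcert request did not land in this database"
        rc=1
    fi
    ca_trust=$(nss_trust_of "$1" "$2")
    case "$ca_trust" in
        *C*,*,*) ;;   # first group contains C: trusted to issue server certs
        "") echo "missing CA '$2': import /etc/ipa/ca.crt with certutil -A first"; rc=1 ;;
        *) echo "CA '$2' present but not trusted for SSL (trust '$ca_trust')"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run over both constructed listings.
echo "== listing as posted =="
if preflight "$SAMPLE_BEFORE" "IPADOMAIN.COM IPA CA"; then echo ok; else echo "not ready"; fi
echo "== after request and CA import =="
if preflight "$SAMPLE_AFTER" "IPADOMAIN.COM IPA CA"; then echo ok; else echo "not ready"; fi
```

On a real server the same functions take live output, for example `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM | nss_nicknames`, or `preflight "$(certutil -L -d /etc/httpd/alias)" 'IPADOMAIN.COM IPA CA'` for each database before ipactl stop; the parser deliberately matches the whole nickname, so "IPA CA" in /etc/pki/nssdb and "IPADOMAIN.COM IPA CA" in the service databases are kept apart just as the certutil -A commands above keep them apart.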