[Freeipa-users] IPA server certificate update and "Directory Manager" password
Peter Doherty
doherty at hkl.hms.harvard.edu
Tue Feb 1 17:38:50 UTC 2011
On Jan 20, 2011, at 17:32, Rob Crittenden wrote:
>
> Yes, that was going to be my next question. While throwing any old
> self-signed cert in there might get the server up other things won't
> work, notably replication.
>
> Ok, here are some steps I worked out that I think will get you back
> in business. I'm going to try to renew your 389-ds certificate using
> IPA.
>
> First we need to get 389-ds back up and running.
>
> I'm going to use REALM in place of the instance name for your 389-ds
> install.
>
> 1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
> 2. Make a backup of your dirsrv NSS database (so /etc/dirsrv/slapd-REALM/*.db)
> 2. Edit dse.ldif and set nsslapd-security to off
> 3. Try starting dirsrv: service dirsrv start REALM
> 4. Get a kerberos ticket for admin: kinit admin
> 5. Generate a new CSR for your directory server:
> certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr
> 6. Get a new certificate:
> ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab
> 7. Paste the value in the output for Certificate into a file. This
> is a base64-encoded blob of text probably starting with MII and
> ending with ==.
> 8. Add this new cert to your 389-ds database
> certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
> 9. service dirsrv stop REALM
> 10. edit dse.ldif and set nsslapd-security to on
> 11. service dirsrv start REALM
>
> I ran the majority of these steps against my own IPA installation
> and nothing caught on fire. I hope you have equal success.
Rob, any more advice on this?
Step 5 fails, but it works if I remove the "NSS Cert...." part or if I
use "IPA..." something or other that I figured out.
But then step 6 fails, I get a "No Modification Required" result when
I run the command, and nothing I did could get past that.
If I want to start from scratch with the new Beta release, how would I
dump the entire LDAP/KRB database so that I could import it into a new
server?
The Docs mention doing regular backups, but they don't even tell how
to back up the data, whether to back up files (which ones?!) or to dump
the data into a file, and back up that.
Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?
Best,
Peter
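As an added example (not code from this thread or from the FreeIPA project), here is Rob's procedure above written up as a POSIX shell script. The two fiddly parts, flipping nsslapd-security in dse.ldif without losing the file's ownership, and turning the Certificate field of the `ipa cert-request` output into a PEM file for `certutil -A`, are factored into functions; run_renewal strings the eleven steps together. REALM, the host name, the backup location under /root, and the assumption that `ipa cert-request` prints the blob on a line of the form "Certificate: MII..." are mine; the certutil and ipa invocations are copied from the message as written, including the step 5 form that Peter reports failing for him.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps the renewal steps in
# the message above. REALM, HOST and the backup path are placeholders.
set -eu

# Print the current nsslapd-security value from a dse.ldif.
get_dse_security() {
    sed -n 's/^nsslapd-security: //p' "$1"
}

# Set nsslapd-security to on|off in dse.ldif, keeping a timestamped backup.
# The edited copy is written into a cp -p'd temp file so that ownership and
# mode survive (ns-slapd runs as the dirsrv user and must still read it).
set_dse_security() {
    dse="$1"; state="$2"
    case "$state" in
        on|off) ;;
        *) echo "set_dse_security: state must be 'on' or 'off'" >&2; return 1 ;;
    esac
    cp -p "$dse" "$dse.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$dse" "$dse.tmp"
    sed "s/^nsslapd-security: .*/nsslapd-security: $state/" "$dse" > "$dse.tmp"
    mv "$dse.tmp" "$dse"
    # Fail loudly if the attribute was not present to begin with.
    grep -q "^nsslapd-security: $state\$" "$dse"
}

# Read `ipa cert-request` output on stdin and emit the certificate as PEM.
# Assumes (not verified here) the CLI prints a line "  Certificate: MII...".
# certutil -A -a accepts the BEGIN/END-wrapped form as well as the bare blob.
cert_output_to_pem() {
    b64=$(awk -F': ' '/^[[:space:]]*Certificate:/ { gsub(/[[:space:]]/, "", $2); print $2 }')
    [ -n "$b64" ] || { echo "cert_output_to_pem: no Certificate field in input" >&2; return 1; }
    echo "-----BEGIN CERTIFICATE-----"
    printf '%s\n' "$b64" | fold -w 64
    echo "-----END CERTIFICATE-----"
}

# The full sequence, to be run as root on the IPA server:
#   run_renewal REALM nebio-directory.in.hwlab
# Step numbers refer to Rob's list. Not executed when this file is sourced.
run_renewal() {
    REALM="$1"; HOST="$2"
    inst="/etc/dirsrv/slapd-$REALM"
    backup="/root/dirsrv-backup-$(date +%Y%m%d%H%M%S)"   # assumed location
    mkdir -p "$backup"
    cp -p "$inst/dse.ldif" "$inst"/*.db "$backup"/        # steps 1-2: backups
    set_dse_security "$inst/dse.ldif" off                  # step 2: security off
    service dirsrv start "$REALM"                           # step 3
    kinit admin                                             # step 4
    # step 5, exactly as in the message (Peter reports this form failed for him)
    certutil -R -k 'NSS Certificate DB:Server-Cert' -s "cn=$HOST,O=IPA" \
        -d "$inst/" -f "$inst/pwdfile.txt" -a > renew.csr
    # steps 6-7: request the cert and capture the blob instead of pasting it
    ipa cert-request renew.csr --principal="ldap/$HOST" | cert_output_to_pem > cert.txt
    certutil -A -d "$inst" -n Server-Cert -t u,u,u -a < cert.txt   # step 8
    service dirsrv stop "$REALM"                            # step 9
    set_dse_security "$inst/dse.ldif" on                   # step 10
    service dirsrv start "$REALM"                           # step 11
}
```

Only the two helpers touch files; run_renewal is a plain function and does nothing until called, so the script can be sourced and the helpers tried against a copy of dse.ldif before anything is done to the live instance.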