[Freeipa-users] IPA server certificate update and "Directory Manager" password

Rob Crittenden rcritten at redhat.com
Thu Jan 20 21:26:53 UTC 2011


Ian Stokes-Rees wrote:
> Hello,
>
> We have a deployment of IPA that we have been using successfully for 185
> days. We are 3 days past the "half year" mark, and the self-signed cert
> that was created with the original IPA install (FreeIPA v2 alpha) has
> expired. I have created a new self-signed cert, PKCS#12 format, but I
> cannot load it using the command:
>
> ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
>
>
> When I try this, I am asked for:
>
> Directory Manager password:
>
>
> And I have no idea what this would be. I've tried the Kerberos "admin"
> password (used with "kinit admin"), and the root password. I don't know
> what other passwords would work.
>
> Is there some way to force this, or reset it, without starting from
> scratch? The added challenge is that the person who set up this version
> of FreeIPA went on vacation for 2 weeks, so I have minimal background
> with FreeIPA from an admin/install perspective.

Just so I have the full context, where did the original self-signed cert 
come from? The initial cert should have been good for 12 months so I'm a 
little confused. Do you know where the initial certificate came from?

You're running a pretty old build so maybe we didn't have this quite 
working but we use a tool named certmonger to keep the SSL certificates 
valid. It could be that we weren't using certmonger then, or not 
enabling it correctly, I'm not sure. If you want to see then as root 
run: ipa-getcert list. This will show you the certificates that 
certmonger is monitoring (and I suppose it could be none, or you could 
get a DBus error).

Since your infrastructure is probably down because of this here are the 
instructions you need to get going again. I hesitate because I don't 
want to make things worse for you by not understanding the history.

The Directory Manager is essentially the super-user of 389-ds. It gets a 
separate password when IPA is installed. See these instructions for 
resetting it: 
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

I'm also curious why only the 389-ds cert has expired and not the Apache 
cert (or maybe you haven't noticed it yet). 'certutil -L -d 
/etc/httpd/alias -n Server-Cert' will show you.

rob
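The two checks Rob points at (what certmonger tracks, and what `certutil -L` says about the Server-Cert) are easy to turn into a routine expiry check. The following is an added example for this thread, not FreeIPA project code: it parses the text that `certutil -L -d <dbdir> -n <nickname>` prints and classifies the certificate as expired, expiring or ok. The slapd instance directory and the sample certutil output are constructed, not taken from the thread.

```python
import re
import shutil
import subprocess
from datetime import datetime

# certutil prints validity lines such as "Not After : Thu Jan 20 21:26:53 2011"
_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")
_CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"

def parse_certutil_time(text):
    """Parse a certutil-style timestamp into a naive datetime."""
    return datetime.strptime(text.strip(), _CERTUTIL_TIME)

def parse_not_after(certutil_output):
    """Return the 'Not After' datetime from certutil -L output, or None."""
    m = _NOT_AFTER.search(certutil_output)
    return parse_certutil_time(m.group(1)) if m else None

def expiry_status(certutil_output, now, warn_days=30):
    """Return ('expired' | 'expiring' | 'ok', days_left) for the cert."""
    not_after = parse_not_after(certutil_output)
    if not_after is None:
        raise ValueError("no 'Not After' line in certutil output")
    days = (not_after - now).days  # negative once the cert has expired
    if days < 0:
        return "expired", days
    return ("expiring" if days <= warn_days else "ok"), days

def check_nss_cert(dbdir, nickname, warn_days=30):
    """Run certutil against a live NSS database and classify its cert."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return expiry_status(out, datetime.now(), warn_days)

# Constructed certutil -L output for an already-expired 389-ds Server-Cert
SAMPLE_EXPIRED = """\
Certificate:
    Data:
        Validity:
            Not Before: Sat Jan 16 21:00:00 2010
            Not After : Sun Jan 16 21:00:00 2011
        Subject: "CN=ipa.example.com,O=EXAMPLE.COM"
"""

if __name__ == "__main__":
    print(expiry_status(SAMPLE_EXPIRED, parse_certutil_time("Thu Jan 20 21:00:00 2011")))
    if shutil.which("certutil"):  # live check; the slapd instance name is assumed
        for db in ("/etc/dirsrv/slapd-EXAMPLE-COM", "/etc/httpd/alias"):
            print(db, check_nss_cert(db, "Server-Cert"))
```

Run from cron a few weeks ahead of the warn window and the 389-ds and Apache certs get flagged while `ipa-server-certinstall` can still be done on a working directory server.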