[Freeipa-users] IPA server certificate update and "Directory Manager" password

Ian Stokes-Rees ijstokes at hkl.hms.harvard.edu
Thu Jan 20 21:45:06 UTC 2011


> Just so I have the full context, where did the original self-signed
> cert come from? The initial cert should have been good for 12 months
> so I'm a little confused. Do you know where the initial certificate
> came from?

I have to plead ignorance, since it was our regular sys admin (away on
vacation for 2 weeks) who installed this summer of 2010.  I'm a "user"
stuck with managing the system while he's away.  I assume this cert came
from the default installation process.  He chimed in with a quick
comment on our internal ticket, and said he doesn't know any details
about the cert infrastructure of FreeIPA.

> You're running a pretty old build so maybe we didn't have this quite
> working but we use a tool named certmonger to keep the SSL
> certificates valid. It could be that we weren't using certmonger then,
> or not enabling it correctly, I'm not sure. If you want to see then as
> root run: ipa-getcert list. This will show you the certificates that
> certmonger is monitoring (and I suppose it could be none or you could
> get a DBus error).

Probably not running it:

# ipa-getcert list
Error org.freedesktop.DBus.Error.ServiceUnknown: The name
org.fedorahosted.certmonger was not provided by any .service files


>
> Since your infrastructure is probably down because of this here are
> the instructions you need to get going again. I hesitate because I
> don't want to make things worse for you by not understanding the history.
>
> The Directory Manager is essentially the super-user of 389-ds. It gets
> a separate password when IPA is installed. See these instructions for
> resetting it:
> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

Seemed straightforward, but it hasn't worked.  After changing the
password in the dse.ldif file I can't restart "dirsrv" successfully: our
instance won't restart, but the PKI-IPA one will restart just fine.  In
either case, I can't execute the ipa-server-certinstall, as I get an error:

# ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
Directory Manager password:
an unexpected error occurred: Can't contact LDAP server:
[stacktrace]
DatabaseError: Can't contact LDAP server:


Also, I should reiterate that the PKCS#12 file is *self signed*, but I
notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA
-- perhaps my cert needs to be signed by this CA?

> I'm also curious why only the 389-ds cert has expired and not the
> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
> /etc/httpd/alias -n Server-Cert' will show you.

Here you can see the expired cert and the 6 month lifespan:

# certutil -L -d /etc/httpd/alias -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA"
        Validity:
            Not Before: Wed Jul 21 18:13:52 2010
            Not After : Mon Jan 17 18:13:52 2011
        Subject: "CN=nebio-directory.in.hwlab,O=IPA"

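The thread turns on a certificate that was issued with a six-month lifetime and nobody noticed until it expired and took 389-ds down. An expiry check like the one below, run on the text that `certutil -L -d <dir> -n <nick>` prints, catches that ahead of time. This is an added example, not code from the mailing list or from FreeIPA: it parses the Server-Cert dump quoted above (embedded here as a constructed sample), computes the certificate's lifetime and the days remaining relative to a given clock, and classifies it as ok, expiring or expired. The `dump_nickname` helper, the field names it relies on and the 30-day warning threshold are assumptions for this example.

```python
"""Check certificate validity from `certutil -L` output (added example).

The parsing targets the text format that certutil printed in the thread
(Issuer / Validity / Not Before / Not After / Subject lines); the sample
below is a constructed copy of that Server-Cert dump.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample: the Server-Cert dump as quoted in the message above.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA"
        Validity:
            Not Before: Wed Jul 21 18:13:52 2010
            Not After : Mon Jan 17 18:13:52 2011
        Subject: "CN=nebio-directory.in.hwlab,O=IPA"
"""

# certutil prints validity timestamps like "Mon Jan 17 18:13:52 2011".
_DATE_FMT = "%a %b %d %H:%M:%S %Y"
# One regex for the handful of "Label: value" lines we care about; note the
# stray space in "Not After :" that certutil emits, hence the \s*:\s*.
_FIELD_RE = re.compile(
    r'^\s*(Not Before|Not After|Issuer|Subject|Serial Number)\s*:\s*(.+?)\s*$',
    re.MULTILINE,
)


def dump_nickname(dbdir, nickname):
    """Run certutil against a real NSS database (assumed helper, not used by
    the offline demo). Returns the text that parse_certutil() expects."""
    result = subprocess.run(
        ["certutil", "-L", "-d", dbdir, "-n", nickname],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def parse_certutil(text):
    """Extract issuer, subject, serial and the validity window from
    certutil -L text. Raises ValueError if a required field is absent."""
    fields = dict(_FIELD_RE.findall(text))
    missing = {"Not Before", "Not After", "Issuer", "Subject"} - fields.keys()
    if missing:
        raise ValueError("certutil output lacks fields: %s" % sorted(missing))
    return {
        "issuer": fields["Issuer"].strip('"'),
        "subject": fields["Subject"].strip('"'),
        "serial": fields.get("Serial Number", ""),
        "not_before": datetime.strptime(fields["Not Before"], _DATE_FMT),
        "not_after": datetime.strptime(fields["Not After"], _DATE_FMT),
    }


def check_validity(cert, now, warn_days=30):
    """Classify a parsed certificate relative to `now`.

    Returns status ('not-yet-valid', 'expired', 'expiring', 'ok'), the total
    lifetime in days and the whole days remaining (negative once expired).
    warn_days is the assumed renewal warning threshold.
    """
    remaining = cert["not_after"] - now
    if now < cert["not_before"]:
        status = "not-yet-valid"
    elif remaining <= timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "ok"
    return {
        "status": status,
        "lifetime_days": (cert["not_after"] - cert["not_before"]).days,
        "days_remaining": remaining.days,
    }


if __name__ == "__main__":
    # Evaluate the quoted certificate as of the date the message was sent.
    cert = parse_certutil(SAMPLE_CERTUTIL_OUTPUT)
    verdict = check_validity(cert, datetime(2011, 1, 20, 21, 45, 6))
    print("%s issued by %s: %s (lifetime %d days, %d days remaining)" % (
        cert["subject"], cert["issuer"], verdict["status"],
        verdict["lifetime_days"], verdict["days_remaining"]))
```

Run against a live server, `check_validity(parse_certutil(dump_nickname("/etc/httpd/alias", "Server-Cert")), datetime.utcnow())` gives the same verdict for the Apache certificate; the same call with the 389-ds instance's NSS directory covers the LDAP certificate, which is the one that actually expired in the thread. Anything other than "ok" from a daily cron job is the signal that was missing here.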