[Freeipa-users] IPA server certificate update and "Directory Manager" password
Ian Stokes-Rees
ijstokes at hkl.hms.harvard.edu
Thu Jan 20 21:45:06 UTC 2011
> Just so I have the full context, where did the original self-signed
> cert come from? The initial cert should have been good for 12 months
> so I'm a little confused. Do you know where the initial certificate
> came from?
I have to plead ignorance, since it was our regular sys admin (away on
vacation for 2 weeks) who installed this in the summer of 2010. I'm a "user"
stuck with managing the system while he's away. I assume this cert came
from the default installation process. He chimed in with a quick
comment on our internal ticket, and said he doesn't know any details
about the cert infrastructure of FreeIPA.
> You're running a pretty old build so maybe we didn't have this quite
> working but we use a tool named certmonger to keep the SSL
> certificates valid. It could be that we weren't using certmonger then,
> or not enabling it correctly, I'm not sure. If you want to see then as
> root run: ipa-getcert list. This will show you the certificates that
> certmonger is monitoring (and I suppose it could be none or you could
> get a DBus error).
Probably not running it:
# ipa-getcert list
Error org.freedesktop.DBus.Error.ServiceUnknown: The name
org.fedorahosted.certmonger was not provided by any .service files
>
> Since your infrastructure is probably down because of this here are
> the instructions you need to get going again. I hesitate because I
> don't want to make things worse for you by not understanding the history.
>
> The Directory Manager is essentially the super-user of 389-ds. It gets
> a separate password when IPA is installed. See these instructions for
> resetting it:
> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword
Seemed straightforward, but it hasn't worked. After changing the
password in the dse.ldif file I can't restart "dirsrv" successfully: our
instance won't restart, but the PKI-IPA one will restart just fine. In
either case, I can't execute the ipa-server-certinstall, as I get an error:
# ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12
--dirsrv_pin=ldap
Directory Manager password:
an unexpected error occurred: Can't contact LDAP server:
[stacktrace]
DatabaseError: Can't contact LDAP server:
Also, I should reiterate that the PKCS#12 file is *self signed*, but I
notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA
-- perhaps my cert needs to be signed by this CA?
> I'm also curious why only the 389-ds cert has expired and not the
> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
> /etc/httpd/alias -n Server-Cert' will show you.
Here you can see the expired cert and the 6 month lifespan:
# certutil -L -d /etc/httpd/alias -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Certificate Authority,O=IPA"
Validity:
Not Before: Wed Jul 21 18:13:52 2010
Not After : Mon Jan 17 18:13:52 2011
Subject: "CN=nebio-directory.in.hwlab,O=IPA"
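An added example, not part of this thread or of FreeIPA itself: the expiry above went unnoticed because certmonger was not running, so a small out-of-band check of the NSS database is a useful safety net. The Python below parses the text that `certutil -L -d <dbdir> -n Server-Cert` prints (the embedded sample is constructed from the output quoted in this message) and classifies the certificate as expired, expiring soon, not yet valid or ok, reporting the remaining days and the total lifespan. The `warn_days` threshold and the `check_validity` / `parse_certutil` names are this example's own choices; in real use you would feed it the output of `subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname], capture_output=True, text=True).stdout`.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the `certutil -L -d /etc/httpd/alias -n Server-Cert`
# output quoted in this message, trimmed to the fields the check needs.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA"
        Validity:
            Not Before: Wed Jul 21 18:13:52 2010
            Not After : Mon Jan 17 18:13:52 2011
        Subject: "CN=nebio-directory.in.hwlab,O=IPA"
"""

# certutil prints validity timestamps like "Mon Jan 17 18:13:52 2011".
_CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"
# Note the "Not After :" spelling (space before the colon) in real output.
_FIELD = re.compile(r'^\s*(Not Before|Not After|Issuer|Subject)\s*:\s*(.+?)\s*$', re.M)


def parse_certutil(text):
    """Extract issuer, subject and the validity window from certutil -L text."""
    fields = dict(_FIELD.findall(text))
    missing = {"Not Before", "Not After"} - set(fields)
    if missing:
        raise ValueError("certutil output lacks validity fields: %s" % sorted(missing))
    return {
        "issuer": fields.get("Issuer", "").strip('"'),
        "subject": fields.get("Subject", "").strip('"'),
        "not_before": datetime.strptime(fields["Not Before"], _CERTUTIL_TIME),
        "not_after": datetime.strptime(fields["Not After"], _CERTUTIL_TIME),
    }


def check_validity(text, now, warn_days=30):
    """Classify the certificate relative to `now` (datetime or ISO 8601 string).

    Returns a dict with status in {'expired', 'expiring', 'not_yet_valid', 'ok'},
    days_left (negative once expired) and lifespan_days (validity period length).
    `warn_days` is an assumed operator-chosen threshold for the 'expiring' state.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cert = parse_certutil(text)
    if now < cert["not_before"]:
        status = "not_yet_valid"
    elif now >= cert["not_after"]:
        status = "expired"
    elif now + timedelta(days=warn_days) >= cert["not_after"]:
        status = "expiring"
    else:
        status = "ok"
    return {
        "subject": cert["subject"],
        "issuer": cert["issuer"],
        "status": status,
        "days_left": (cert["not_after"] - now).days,
        "lifespan_days": (cert["not_after"] - cert["not_before"]).days,
    }


if __name__ == "__main__":
    # Evaluate the sample as of the date this message was sent.
    report = check_validity(SAMPLE_CERTUTIL_OUTPUT, "2011-01-20 21:45:06")
    print("%(subject)s: %(status)s (%(days_left)d days left, %(lifespan_days)d-day lifespan)" % report)
```

Run against the message date this reports the Apache cert as expired with a 180-day lifespan, which matches the "6 month lifespan" observation above; run periodically (for example from cron against every NSS database IPA uses) it flags the "expiring" state early enough to renew before the directory server stops accepting connections.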