[Freeipa-users] IPA server certificate update and "Directory Manager" password
Rob Crittenden
rcritten at redhat.com
Thu Jan 20 22:32:08 UTC 2011
Ian Stokes-Rees wrote:
>
>> Just so I have the full context, where did the original self-signed
>> cert come from? The initial cert should have been good for 12 months
>> so I'm a little confused. Do you know where the initial certificate
>> came from?
>
> I have to plead ignorance, since it was our regular sys admin (away on
> vacation for 2 weeks) who installed this summer of 2010. I'm a "user"
> stuck with managing the system while he's away. I assume this cert came
> from the default installation process. He chimed in with a quick
> comment on our internal ticket, and said he doesn't know any details
> about the cert infrastructure of FreeIPA.
>
Ouch, you have my sympathies.
>> You're running a pretty old build so maybe we didn't have this quite
>> working but we use a tool named certmonger to keep the SSL
>> certificates valid. It could be that we weren't using certmonger then,
>> or not enabling it correctly, I'm not sure.If you want to see then as
>> root run: ipa-getcert list. This will show you the certificates that
>> certmonger is monitoring (and I suppose it could be none or you could
>> get a DBus error.
>
> Probably not running it:
>
> # ipa-getcert list
> Error org.freedesktop.DBus.Error.ServiceUnknown: The name
> org.fedorahosted.certmonger was not provided by any .service files
>
Ok, that's fine. Maybe we can use it once you get up and running again,
but first things first.
>>
>> Since your infrastructure is probably down because of this here are
>> the instructions you need to get going again. I hesitate because I
>> don't want to make things worse for you by not understanding the history.
>>
>> The Directory Manager is essentially the super-user of 389-ds. It gets
>> a separate password when IPA is installed. See these instructions for
>> resetting it:
>> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword
>
> Seemed straight forward, but it hasn't worked. After changing the
> password in the dse.ldif file I can't restart "dirsrv" successfully: our
> instance won't restart, but the PKI-IPA one will restart just fine. In
> either case, I can't execute the ipa-server-certinstall, as I get an error:
>
> # ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12
> --dirsrv_pin=ldap
> Directory Manager password:
> an unexpected error occurred: Can't contact LDAP server:
> [stacktrace]
> DatabaseError: Can't contact LDAP server:
/me smacks head
Ok, of course you can't contact the LDAP server because it isn't up
because the cert is expired!
> Also, I should reiterate that the PKCS#12 file is *self signed*, but I
> notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA
> -- perhaps my cert needs to be signed by this CA?
Yes, that was going to be my next question. While throwing any old
self-signed cert in there might get the server up other things won't
work, notably replication.
Ok, here are some steps I worked out that I think will get you back in
business. I'm going to try to renew your 389-ds certificate using IPA.
First we need to get 389-ds back up and running.
I'm going to use REALM in place of the instance name for your 399-ds
install.
1. Make a backup of /etc/dirsrv.slapd-REALM/dse.ldif
2. Make a backup of your dirsrv NSS database (so
/etc/dirsrv/slapd-REALM/*.db)
2. Edit dse.ldif and set nsslapd-security to off
3. Try starting dirsrv: service start dirsrv REALM
4. Get a kerberos ticket for admin: kinit admin
5. Generate a new CSR for your directory server:
certutil -R -k 'NSS Certificate DB:Server-Cert' -s
'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f
/etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr
6. Get a new certificate:
ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab >
7. Paste the value in the output for Certificate into a file. This is a
base64-encoded blob of text probably starting with MII and ending with ==.
8. Add this new cert to your 389-ds database
certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
9. service dirsrv stop REALM
10. edit dse.ldif and set nsslapd-security to on
11. service dirsrv start REALM
I ran the majority of these steps against my own IPA installation and
nothing caught on fire. I hope you have equal success.
>
>> I'm also curious why only the 389-ds cert has expired and not the
>> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
>> /etc/httpd/alias -n Server-Cert' will show you.
>
> Here you can see the expired cert and the 6 month lifespan:
>
> # certutil -L -d /etc/httpd/alias -n Server-Cert
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 9 (0x9)
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Issuer: "CN=Certificate Authority,O=IPA"
> Validity:
> Not Before: Wed Jul 21 18:13:52 2010
> Not After : Mon Jan 17 18:13:52 2011
> Subject: "CN=nebio-directory.in.hwlab,O=IPA"
>
Wow, not sure why it would do a 6 month cert but seeing is believing.
regards
rob
More information about the Freeipa-users
mailing list