[Freeipa-users] IPA server certificate update and "Directory Manager" password

Rob Crittenden rcritten at redhat.com
Thu Jan 20 22:54:23 UTC 2011


Ian Stokes-Rees wrote:
>   Some more info:
>
> 1. certmonger wasn't running, so I started it. Then I can execute
> "ipa-getcert list" but it doesn't return anything.

Ok, your install must have pre-dated our implementation of it.

> 2. /var/log/ipa/default.log (the only log file in that dir) appears to
> show the *new* cert being imported successfully (the latest timestamps
> are from about 1000 seconds ago, or less than 20 minutes):

As one might expect, the Apache cert has also expired. Apache needs a
valid cert and needs to contact 389-ds to start IPA.

> 3. dirsrv errors has this as its last log entries:
> /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors:

It doesn't seem to like the self-signed cert you installed.

The key used to initially generate the 389-ds certificate should still 
be in your NSS database, certutil -K -d /etc/dirsrv/slapd-REALM should 
have it. We should be able to use that to get things working again.

I think the fastest way to get back up would be to set your system clock 
back to Jan 15. Disable security in 389-ds and start that, then restart 
Apache. This should be enough to get part of your infrastructure back up 
and running long enough to renew the certs.

Once you renew the 389-ds certificate and get that working you can do 
pretty much the same thing to Apache. The Apache NSS database is in 
/etc/httpd/alias. You won't need to disable security for this at all.

Otherwise we may have to set up a sort of temporary CA, issue new 
certificates for Apache and 389-ds to get them back up and running, then 
renew things.

If you try going back in time, don't forget to reset the date. You'll
have to stop ntpd when going back in time.

rob
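A way to check how long the certificates in the two NSS databases named above have left, so the expiry is caught before 389-ds and Apache stop starting. This is an added example, not code from the thread or from the FreeIPA project; the nickname "Server-Cert", the REALM placeholder, and the 30-day warning threshold are assumptions.

```python
"""Report expiry of the server certs in the NSS databases IPA uses."""
import re
import subprocess
from datetime import datetime

# Constructed sample of the Validity section as `certutil -L -d DIR -n NICK`
# prints it; the dates are made up for this example.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity:
            Not Before: Tue Jan 19 22:00:00 2010
            Not After : Sat Jan 15 22:00:00 2011
"""

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Jan 15 22:00:00 2011"

def parse_not_after(cert_text):
    """Return the 'Not After' timestamp from certutil -L output as a datetime."""
    m = NOT_AFTER_RE.search(cert_text)
    if not m:
        raise ValueError("no 'Not After' field in certutil output")
    return datetime.strptime(m.group(1).strip(), CERTUTIL_DATE_FMT)

def days_remaining(cert_text, now):
    """Whole days until expiry relative to `now`; negative once expired."""
    return (parse_not_after(cert_text) - now).days

def classify(days_left, warn_days=30):
    """Map days remaining onto a status an admin can alert on."""
    if days_left < 0:
        return "EXPIRED"
    return "EXPIRING" if days_left <= warn_days else "OK"

def check_nss_cert(dbdir, nickname, now=None, warn_days=30):
    """Query a real NSS database with certutil and classify the named cert."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    left = days_remaining(out, now or datetime.now())
    return classify(left, warn_days), left

if __name__ == "__main__":
    # "Server-Cert" and the REALM placeholder are assumptions, not from the post.
    for dbdir in ("/etc/dirsrv/slapd-REALM", "/etc/httpd/alias"):
        try:
            print(dbdir, *check_nss_cert(dbdir, "Server-Cert"))
        except (OSError, subprocess.CalledProcessError) as exc:
            print(dbdir, "could not query:", exc)
```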
