[Freeipa-users] Renewing FreeIPA 2.2 certificate

Rob Crittenden rcritten at redhat.com
Sun Nov 2 23:08:15 UTC 2014


William Muriithi wrote:
> Afternoon
> 
> I have been trying to renew FreeIPA certificate for the last three
> days and I am running out of luck. I can't for example use the GUI
> interface and the ipa cli tools are also failing since the certificate
> expired on 27th last month.  I have followed the instructions below
> but may be missing a step.
> 
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
> 
> Below is what I have done.  I seem to have renewed some certificate
> successfully.
> 
> 
> [root at ipa1-yyz-int 10.30.2014]# cat certificate_status.sh
> #!/bin/bash
> 
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>    do
>      echo "$nickname"
>      certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
>    done
> 
> 
> [root at ipa1-yyz-int 10.30.2014]# ./certificate_status.sh
> auditSigningCert cert-pki-ca
>             Not After : Thu Apr 23 22:18:47 2015
> ocspSigningCert cert-pki-ca
>             Not After : Fri Oct 14 22:17:47 2016
> subsystemCert cert-pki-ca
>             Not After : Fri Oct 14 22:17:47 2016
> Server-Cert cert-pki-ca
>             Not After : Fri Oct 14 22:17:48 2016
> 
> 
> I think I have done the steps above correctly but don't understand this section
> 
> [root at ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7 (0x7)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
>         Validity:
>             Not Before: Tue Nov 06 21:35:53 2012
>             Not After : Mon Oct 27 21:35:53 2014
> 
> As you can see below, this certificate was not renewed, and therefore
> I couldn't change the serial # through ldap tools.  Which step would I
> have missed, or rather what should I re-run?
> 
> 
> Would be grateful for a second eye looking at it and advice on what I
> could be missing.
> 
> I know I am using old software and did set up a replica successfully on
> Friday but it also has certificate issues.  I plan to move all the
> certificate role to the free-IPA 3 once I get the certificate issues
> sorted and decommission Free-IPA 2.2

Is certmonger tracking the certificate? Run this to see:

# getcert list -d /etc/httpd/alias -n ipaCert

If so then try this:

# getcert resubmit -d /etc/httpd/alias -n ipaCert

This will only work if you've updated the renewed certificates in CS.cfg
and you've fixed the NSS database trust for the audit cert.

If/once that is renewed then you can do the other steps.

rob
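The diagnosis in this thread comes down to comparing the "Not After" date of each NSS-database certificate against today's date, which the poster's script leaves to the reader's eye. The following is an added example, not code from the thread or from FreeIPA: it parses the `Not After : <date>` line that `certutil -L` prints (the format shown in the post above), reports each nickname as EXPIRED, EXPIRING or OK relative to a reference date, and includes a live variant that runs `certutil -L -d <dbdir> -n <nickname>` itself. The sample output, the `POSTER_NOW` reference date and the 30-day warning threshold are constructed for illustration; the dates are the ones quoted in the post.

```python
"""Report the expiry state of NSS-database certificates from `certutil -L` output.

Added example for this thread; not part of FreeIPA. The only output format it
relies on is the "Not After : <date>" line printed by `certutil -L`.
"""
import re
import subprocess
from datetime import datetime

# Constructed sample of `certutil -L -d <dbdir> -n <nickname>` output, keyed by
# nickname. The dates are the ones quoted in the thread; the surrounding lines
# are a minimal stand-in for the full certificate dump.
SAMPLE_CERTUTIL_OUTPUT = {
    "auditSigningCert cert-pki-ca": (
        "Certificate:\n    Data:\n        Validity:\n"
        "            Not Before: Tue Nov 06 21:35:53 2012\n"
        "            Not After : Thu Apr 23 22:18:47 2015\n"
    ),
    "ocspSigningCert cert-pki-ca": (
        "Certificate:\n    Data:\n        Validity:\n"
        "            Not After : Fri Oct 14 22:17:47 2016\n"
    ),
    "subsystemCert cert-pki-ca": (
        "Certificate:\n    Data:\n        Validity:\n"
        "            Not After : Fri Oct 14 22:17:47 2016\n"
    ),
    "Server-Cert cert-pki-ca": (
        "Certificate:\n    Data:\n        Validity:\n"
        "            Not After : Fri Oct 14 22:17:48 2016\n"
    ),
    # The certificate in /etc/httpd/alias that was never renewed.
    "ipaCert": (
        "Certificate:\n    Data:\n        Serial Number: 7 (0x7)\n"
        "        Issuer: \"CN=Certificate Authority,O=EXAMPLE.LOC\"\n"
        "        Validity:\n"
        "            Not Before: Tue Nov 06 21:35:53 2012\n"
        "            Not After : Mon Oct 27 21:35:53 2014\n"
    ),
}

# Reference date for the report: the date in the poster's shell prompt
# (10.30.2014). Constructed; a live run would use datetime.utcnow().
POSTER_NOW = datetime(2014, 10, 30)

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Oct 27 21:35:53 2014"


def parse_not_after(certutil_text):
    """Return the Not After timestamp from one certificate's certutil -L dump."""
    match = NOT_AFTER_RE.search(certutil_text)
    if match is None:
        raise ValueError("no 'Not After' line found in certutil output")
    return datetime.strptime(match.group(1), CERTUTIL_DATE_FMT)


def classify(not_after, now, warn_days=30):
    """Return (days_left, state); days_left is negative once the cert has expired."""
    days_left = (not_after - now).days
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= warn_days:
        state = "EXPIRING"
    else:
        state = "OK"
    return days_left, state


def expiry_report(outputs, now, warn_days=30):
    """Map each nickname to (days_left, state) from its certutil -L output."""
    return {
        nickname: classify(parse_not_after(text), now, warn_days)
        for nickname, text in outputs.items()
    }


def read_certutil(dbdir, nicknames):
    """Live variant: collect the same dumps from a real NSS database directory."""
    outputs = {}
    for nickname in nicknames:
        proc = subprocess.run(
            ["certutil", "-L", "-d", dbdir, "-n", nickname],
            capture_output=True, text=True, check=True,
        )
        outputs[nickname] = proc.stdout
    return outputs


if __name__ == "__main__":
    # Offline run over the constructed sample; for a live check replace the
    # first argument with read_certutil("/etc/httpd/alias", ["ipaCert"]).
    for nickname, (days, state) in expiry_report(SAMPLE_CERTUTIL_OUTPUT, POSTER_NOW).items():
        print(f"{state:8} {days:5d} days  {nickname}")
```

Run against the sample it flags only `ipaCert` as EXPIRED (three days past its Not After on the poster's date) and the four `cert-pki-ca` certificates as OK, which is the state the poster describes. The regex tolerates the spacing certutil uses around the colon, and `classify` keeps a separate EXPIRING band so a report can be scheduled before the outage rather than after it.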