[Freeipa-users] Renewing FreeIPA 2.2 certificate
Rob Crittenden
rcritten at redhat.com
Sun Nov 2 23:08:15 UTC 2014
William Muriithi wrote:
> Afternoon
>
> I have been trying to renew the FreeIPA certificate for the last three
> days and I am running out of luck. I can't, for example, use the GUI
> interface, and the ipa cli tools are also failing since the certificate
> expired on the 27th of last month. I have followed the instructions below
> but may be missing a step.
>
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Below is what I have done. I seem to have renewed some certificate
> successfully.
>
>
> [root at ipa1-yyz-int 10.30.2014]# cat certificate_status.sh
> #!/bin/bash
>
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>     echo "$nickname"
>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> done
>
>
> [root at ipa1-yyz-int 10.30.2014]# ./certificate_status.sh
> auditSigningCert cert-pki-ca
> Not After : Thu Apr 23 22:18:47 2015
> ocspSigningCert cert-pki-ca
> Not After : Fri Oct 14 22:17:47 2016
> subsystemCert cert-pki-ca
> Not After : Fri Oct 14 22:17:47 2016
> Server-Cert cert-pki-ca
> Not After : Fri Oct 14 22:17:48 2016
>
>
> I think I have done the steps above correctly but don't understand this section
>
> [root at ipa1-yyz-int 10.30.2014]# certutil -L -d /etc/httpd/alias -n ipaCert
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7 (0x7)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=Certificate Authority,O=EXAMPLE.LOC"
>         Validity:
>             Not Before: Tue Nov 06 21:35:53 2012
>             Not After : Mon Oct 27 21:35:53 2014
>
> As you can see below, this certificate was not renewed, and therefore
> I couldn't change the serial # through ldap tools. Which step would I
> have missed, or rather, what should I re-run?
>
>
> Would be grateful for a second eye looking at it and advice what I
> could be missing.
>
> I know I am using old software and did set up a replica successfully on
> Friday, but it also has certificate issues. I plan to move all the
> certificate roles to free-IPA 3 once I get the certificate issues
> sorted and decommission Free-IPA 2.2.
Is certmonger tracking the certificate? Run this to see:
# getcert list -d /etc/httpd/alias -n ipaCert
If so then try this:
# getcert resubmit -d /etc/httpd/alias -n ipaCert
This will only work if you've updated the renewed certificates in CS.cfg
and you've fixed the NSS database trust for the audit cert.
If/once that is renewed then you can do the other steps.
rob