[Freeipa-users] Cert Renewal

Ott, Dennis Dennis.Ott at mckesson.com
Tue Sep 2 23:08:40 UTC 2014


I may need a little more direction here.

The output from getcert list-cas does not contain the string 'ca_renewal'. 

What does this indicate?


-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Tuesday, August 26, 2014 3:53 PM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cert Renewal

Ott, Dennis wrote:
> No services are currently running on the replica (and I am hesitant to start them) but, my recollection is that I did the replica server installation with the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ and /etc/pki-ca/ directories in place on the replica.
> 
> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE (but 
> then, the service is down. The master also gave this status, even with 
> the service running, until I followed the cert renewal procedure.)
> 
> So, with the replica running a CA, should I follow the same procedure that I used on the master? Anything else to look out for?

No, the procedure is slightly different on the replica.

You need to start by ensuring that certmonger has a CA type for renewal:

# getcert list-cas

Look for ca_renewal

Check the CA subsystem certs to see how they are configured.

The CA should be dogtag-ipa-retrieve-agent-submit for "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert cert-pki-ca", with a pre-save command of stop_pkicad and a post-save command of restart_pkicad PKI-IPA.

The agent cert, ipaCert, should be using "dogtag-ipa-retrieve-agent-submit", a blank pre-save command and a post-save command of restart_httpd.

rob


> 
> Thanks.
> 
> Dennis
> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, August 25, 2014 6:37 PM
> To: Ott, Dennis; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Cert Renewal
> 
> Ott, Dennis wrote:
>> I have an IPA setup, one master, one replica; originally installed as 
>> v 2.x and later updated to v 3.0. For whatever reasons, the certs 
>> did not automatically renew and the services would no longer start. I 
>> updated the certs manually on the master using the procedure shown at:
>>
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> The master is now functioning properly.
>>
>> At this point, the IPA service is still stopped on the replica. I 
>> hesitate to start it for concern it could interfere with the 
>> now-working master.
>>
>> What would be the recommended method for returning the replica to service?
> 
> It depends on the replica: does it also run a CA? If not then you can try restarting the certmonger service. This should cause it to fetch new certificates for the other IPA servers. ipa-getcert list will show you the status, wait until they are all MONITORING.
> 
> Once that works then you can safely restart the world. Any changes on the master will be replicated out, and vice versa.
> 
> rob
> 
