[Freeipa-users] Need to replace cert for ipa servers

sipazzo sipazzo at yahoo.com
Wed Mar 11 21:49:28 UTC 2015 

Thanks Rob, I apologize that error was probably not helpful. This is what I see when running install in debug mode:
Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa2-corp.networkfleet.com:389
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389
LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
The certificates are very confusing to me. I don't understand how things are working when we have a set of GoDaddy certs in slapd-NETWORKFLEET-COM and a set of the Dogtag certs in slapd-PKI-CA. The cert in /usr/share/ipa/html/ca.crt looks like the original one issued by the Dogtag cert system and matches the ones on the clients. Not to further confuse things but the original master server that signed all these certs was taken offline months ago due to some issues it was having. I do still have access to it if necessary. 

As far as why the godaddy certs were swapped out for the Dogtag certs it was originally for something as simple as the untrusted certificate dialogue when accessing the ipa gui. I did not swap out the certs so am unsure of exactly what happened. There is no real need to use the GoDaddy certs as far as I am concerned. I just want the best solution to the issues I am seeing as I am in kind of a bind with the GoDaddy cert being revoked and needing to be replaced and the master Dogtag certificate server offline. We have a mixed environment with Rhel 5, 6 and Solaris clients so are not using sssd in all cases.

I know this is asking a lot but appreciate any help you can give.
Thank you.
    

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rob Crittenden
Sent: Wednesday, March 11, 2015 1:14 PM
To: sipazzo; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers

sipazzo wrote:
>  
>  
> 
> 
> *
> *
> This issue has now gotten much worse and we are unable to enroll 
> clients. We are getting an error saying the server does not have a cert:
> 
> Do you want download the CA cert from
> http://ipa1.example.com/ipa/config/ca.crt ?
> (this is INSECURE) [no]: yes
> Cannot obtain CA certificate
> 'http://ipa1.example.com/ipa/config/ca.crt' doesn't have a 
> certificate.j

I don't see how this is at all related, or new.

The CA cert exists in the filesystem in /usr/share/ipa/html/ca.crt. It wouldn't be affected by expiring certificates.

> Can we somehow replace our certs and revert back to the original one's 
> issue by the dogtag server so we have a standard configuration or is 
> there a clean way to fix this issue?

You swapped out for the GoDaddy cert for a reason. I'd start there. Do you need to retain that cert or is it acceptable to try to revert back to IPA server certs?

Note that going back could affect clients enrolled using the GoDaddy cert depending on how your machines are configured (if using SSSD then not likely a problem). As Dmitri said we mostly use Kerberos to communicate.

rob

> 
> Thank you
> 
> 
> 
> I was told the GoDaddy certs were just imported using certutil -a but 
> in looking at the certs the original certs were actually replaced. 
> This is only in /etc/dirsrv/slapd-REALM-COM:
>  
> Certificate Nickname                                        Trust
> Attributes
>                                                            
> SSL,S/MIME,JAR/XPI
>  
> GD_CA                                                        CT,C,C
> NWF_GD                                                      u,u,u
>  
>  
> The certs in /etc/dirsrv/slapd-PKI-CA are still the originals:
>  
> [root at ipa2-corp ~]# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
>  
> Certificate Nickname                                        Trust
> Attributes
>                                                            
> SSL,S/MIME,JAR/XPI
>  
> IPADOMAIN.COM IPA CA                                      CT,C,
> Server-Cert                                                  u,u,u
>  
>  I am not even sure how this even works or if it can be fixed?
> Should/Can we go back to using the original dogtag certs?
> ----------------------------------------------------------------------
> --
>  
> *From:*freeipa-users-bounces at redhat.com
> <mailto:freeipa-users-bounces at redhat.com>
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Wednesday, March 04, 2015 2:57 PM
> *To:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* Re: [Freeipa-users] Need to replace cert for ipa servers
>  
> On 03/04/2015 04:32 PM, sipazzo wrote:
> 
>    Good afternoon, we have a freeipa 3.0.42 installation running on
>    redhead 6.6 with a mix of rhel 5, rhel6 and Solaris clients. It was
>    originally configured with the built in dogtag certificate CA and
>    then one of my co-workers added our GoDaddy certificate to the
>    certificate bundle. My understanding is this cert is used for
>    communication between the ipa servers as well as the clients are
>    also configured to trust the GoDaddy certificate. We recently had to
>    get a new GoDaddy cert so our old one is revoked. I need to figure
>    out how to either replace the existing revoked cert with the new one
>    or add the new one to the bundle and then remove the revoked
>    certificate so as not to break anything.
>      
>    Any help is appreciated. I am not strong with certificates so the
>    more detail you can give the better.
>    Thank you.
>      
> 
> You say it was running with the self signed IPA CA and than GoDaddy 
> cert was added to the bundle. How was it added?
> IPA does not use certs for communication between the instances. It 
> uses Kerberos. I am not sure the DoDaddy cert you added is even used 
> in some way by IPA.
> It seems that your GoDaddy cert is an orthogonal trust so if you 
> replaced the main key pair then you just need to distribute your new 
> GoDaddy cert to the clients as you did on the first place.
> 
> 
> --
> 
> Thank you,
> 
> Dmitri Pal
> 
>  
> 
> Sr. Engineering Manager IdM portfolio
> 
> Red Hat, Inc.
> 
>  
>  
> 
> 
> 
> 

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150311/f24f5094/attachment.htm>

More information about the Freeipa-users mailing list