[Freeipa-users] Need to replace cert for ipa servers

Rob Crittenden rcritten at redhat.com
Thu Mar 12 02:20:09 UTC 2015


sipazzo wrote:
> Thanks Rob, I apologize that error was probably not helpful. This is
> what I see when running install in debug mode:
> 
> Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an IPA
> server
> Init LDAP connection with: ldap://ipa2-corp.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is
> not recognized.
> Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is
> not recognized.
> Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is
> not recognized.
> Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is
> not recognized.
> Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is
> not recognized.
> 
> The certificates are very confusing to me. I don't understand how things
> are working when we have a set of GoDaddy certs in
> slapd-NETWORKFLEET-COM and a set of the Dogtag certs in slapd-PKI-CA.
> The cert in /usr/share/ipa/html/ca.crt looks like the original one
> issued by the Dogtag cert system and matches the ones on the clients.
> Not to further confuse things but the original master server that signed
> all these certs was taken offline months ago due to some issues it was
> having. I do still have access to it if necessary.
> 
> As far as why the GoDaddy certs were swapped out for the Dogtag certs it
> was originally for something as simple as the untrusted certificate
> dialogue when accessing the IPA GUI. I did not swap out the certs so am
> unsure of exactly what happened. There is no real need to use the
> GoDaddy certs as far as I am concerned. I just want the best solution to
> the issues I am seeing as I am in kind of a bind with the GoDaddy cert
> being revoked and needing to be replaced and the master Dogtag
> certificate server offline. We have a mixed environment with RHEL 5, 6
> and Solaris clients so are not using sssd in all cases.
> 
> I know this is asking a lot but appreciate any help you can give.

What is the current state of things? Does your IPA Apache server work?
Is 389-ds up and running? Do you have a working IPA CA?

Does ipa cert-show 1 work?

If the answer is yes to all, then we should be able to generate new certs
for all the services.

rob
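The installer output quoted above fails with NSS error -8179, which is SEC_ERROR_UNKNOWN_ISSUER: the certificate each 389-ds instance presents on STARTTLS does not chain to a CA the client trusts, and an enrolled IPA client trusts only the IPA CA in /etc/ipa/ca.crt (the same certificate served as /usr/share/ipa/html/ca.crt). The script below is an added example, not code from the thread or from FreeIPA, that reproduces that check with plain openssl so the mismatch between the commercial certificate in slapd-NETWORKFLEET-COM and the Dogtag CA the clients were enrolled with can be confirmed per server before any certificates are regenerated. The paths and host names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce NSS error -8179
# (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized")
# outside the IPA installer, using only openssl.
#
# The decision is the same one the installer's LDAP client makes: the
# certificate a 389-ds instance presents on STARTTLS must verify against a
# CA the client trusts. On an IPA client that anchor is /etc/ipa/ca.crt
# (assumed path). Host names below are assumptions for illustration.

# Print the RFC 2253 issuer of a PEM certificate, without the "issuer=" prefix.
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^[^=]*= *//'
}

# Print the RFC 2253 subject of a PEM certificate, without the "subject=" prefix.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^[^=]*= *//'
}

# chain_ok CERT CAFILE -> exit 0 if CERT verifies against CAFILE.
# A failure here with the IPA CA as CAFILE is exactly the condition NSS
# reports as -8179: the server presents a certificate (for example a
# commercial one) that the enrolled clients were never told to trust.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# diagnose CERT CAFILE -> print a one-line verdict; return 0 if trusted, 1 if not.
diagnose() {
    cert="$1"; cafile="$2"
    if chain_ok "$cert" "$cafile"; then
        echo "OK: $(cert_subject "$cert") chains to $(cert_subject "$cafile")"
        return 0
    fi
    echo "UNKNOWN ISSUER: $(cert_subject "$cert") issued by '$(cert_issuer "$cert")'," \
         "but the client only trusts '$(cert_subject "$cafile")' (NSS -8179)"
    return 1
}

# fetch_ldap_cert HOST OUTFILE -> save the leaf certificate 389-ds presents on
# STARTTLS (port 389) to OUTFILE. Needs network access, so the tests do not
# call it. "-starttls ldap" requires OpenSSL 1.1.1 or later.
fetch_ldap_cert() {
    openssl s_client -starttls ldap -connect "$1:389" -servername "$1" \
        </dev/null 2>/dev/null \
      | openssl x509 -outform PEM > "$2"
}

# Usage against the servers named in the installer log, assuming
# /etc/ipa/ca.crt is the CA the clients were enrolled with:
#   for h in ipa2-corp.networkfleet.com ipa1-xo.networkfleet.com; do
#       fetch_ldap_cert "$h" "/tmp/$h.pem" && diagnose "/tmp/$h.pem" /etc/ipa/ca.crt
#   done
```

If diagnose reports UNKNOWN ISSUER with the IPA CA as the trust anchor but OK with the commercial CA bundle, the servers are presenting the commercial certificate on 389 while the clients only know the Dogtag CA, which is consistent with the installer output above; the fix is on the server side (certificates issued by the IPA CA in the 389-ds and Apache NSS databases), not on the clients.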
