[Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!
Peter Pakos
peter at pakos.uk
Fri Jul 22 12:45:51 UTC 2016
A massive thank you to Jan Cholasta for handholding me while I was getting
this problem fixed. This is how we did it...
1. List all CA certificates in the LDAP directory:

   ldapsearch -b cn=certificates,cn=ipa,$basedn

2. Using ldapdelete (or an LDAP browser), get rid of all certificates that
shouldn't be there; in my case there were 2 called "CA 1" and "CA 2".

3. On each server, list all certificates in the following databases ($db):

   - /etc/httpd/alias/
   - /etc/dirsrv/slapd-IPA-YOUR-REALM/
   - /etc/pki/nssdb/
   - /etc/ipa/nssdb/

   certutil -L -d $db

4. On each server, delete duplicated certificates ($nick = Certificate
Nickname) from the above databases. Please note, this step removed both
correct and incorrect certificates:

   certutil -D -d $db -n "$nick"

5. We had a conflict between one of our intermediate CA certificates
supplied by Gandi and a system certificate (potentially installed by the
ca-certificates package), therefore we had to run the following command on
every server to stop the system cert being loaded into the httpd database:

   modutil -dbdir /etc/httpd/alias -disable 'Root Certs' -force

6. Lastly, we ran the following command on every server to load the correct
certificates into all databases:

   ipa-certupdate
At this point we had a fully functioning system again with the correct SSL
certificate chain being served by both httpd and dirsrv services.
Please note, an incorrect CA certificate was re-added to the LDAP directory
later on when I deployed a new node and I had to repeat step 2 before
running ipa-certupdate on the new replica.
Once again, I would like to thank Jan for his input - keep up the good work!
--
Kind regards,
Peter Pakos
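Added example, not part of Peter's post or of FreeIPA itself: a small sh/awk helper that parses saved output of "certutil -L -d $db" and reports every nickname listed more than once, i.e. the candidates for the "certutil -D" step above. The sample certutil output and the nicknames in it are constructed, so the helper runs without certutil; with it installed, pipe real output in as shown in the dup_nicks_in_db function.

```shell
#!/bin/sh
# Constructed sample of what `certutil -L -d /etc/httpd/alias` prints when a
# CA certificate has been imported twice (nicknames are made up).
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CA 1                                                         CT,C,C
CA 1                                                         CT,C,C
Example Intermediate CA                                      C,,
'

# Read `certutil -L` output on stdin; print "<nickname>\t<count>" for each
# nickname that occurs more than once. The trust-attribute column is the
# last whitespace-separated field, so everything before it (including
# spaces inside the nickname) is treated as the nickname.
find_dup_nicks() {
    awk '
        /^Certificate Nickname/ { next }       # header line 1
        /SSL,S\/MIME,JAR\/XPI/   { next }      # header line 2
        /^[[:space:]]*$/         { next }      # blank separator lines
        {
            nick = $0
            sub(/[[:space:]]+[^[:space:]]*$/, "", nick)   # strip trust column
            count[nick]++
        }
        END {
            for (n in count)
                if (count[n] > 1) printf "%s\t%d\n", n, count[n]
        }
    '
}

# Convenience wrapper for a live NSS database directory (needs certutil),
# e.g. dup_nicks_in_db /etc/httpd/alias
dup_nicks_in_db() {
    certutil -L -d "$1" | find_dup_nicks
}

# Stand-alone demo on the constructed sample: prints "CA 1<TAB>2".
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | find_dup_nicks
```

Run the wrapper once per database from step 3 on each server; an empty result means no nickname is duplicated there.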