[Freeipa-users] Renewing an externally signed HTTP/LDAP certificate

Joseph Timothy Foley foley at ru.is
Tue Mar 22 08:56:44 UTC 2016


Hi Rob.

To add to this mess, I seem to have somehow confused the LDAP
certificate configuration in the process of setting up a replicant
(ipa.cs.ru.is) with my new StartSSL (personal) certificate.  The
previous certificate was a corporate Level2 certificate.  Trying to use
the old certificate (which expires tomorrow) doesn't seem to put it back
in working order.

This is what I did to make the pkcs file:

cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt

(the ca-bundle is the root_bundle.crt they now send you in a zip file)

openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is

ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is

Then copied it to ipa.cs.ru.is and ran
ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg

Everything looks fine until:
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa2.cs.ru.is] reports: Update failed! Status: [-11  - LDAP error:
Connect error]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to
start replication


Looking at the setup log in /var/log/ipareplica-install.log:

2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache url=ldap://ipa2.cs.ru.is:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8cfc908>
2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from SchemaCache
2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa.cs.ru.is:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8a01830>
2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
    method()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
377, in __setup_replica
    r_bindpw=self.dm_password)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1014, in setup_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2016-03-22T08:49:24Z DEBUG   [error] RuntimeError: Failed to start
replication
2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
2016-03-22T08:49:24Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
line 63, in _install
    for nothing in self._installer(self.parent):
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install
    ds = install_replica_ds(config)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds
    ca_file=config.dir + "/ca.crt",
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
364, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step
    method()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
377, in __setup_replica
    r_bindpw=self.dm_password)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 1014, in setup_replication
    raise RuntimeError("Failed to start replication")

2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Failed to start replication
2016-03-22T08:49:24Z ERROR Failed to start replication

On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote:
> Joseph Timothy Foley wrote:
> > I just discovered that the certificate on ipa2.cs.ru.is is good to August,
> > so I have a little bit of breathing room.  That said, the ipa.cs.ru.is
> > certificate will expire on March 23, so I need to update it.
> 
> The process to get a new cert is pretty much the same as you obtained 
> the original assuming you kept the original CSR. You'd re-submit that to 
> StartSSL and they will provide a new certificate in PEM format.
> 
> Add that to the relevant database via:
> 
> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to 
> cert.pem
> 
> I can't give much more specific information without knowing if you are, 
> for example, using the same cert/key for both 389-ds and Apache.
> 
> rob
> 
> > --
> > Dr. Joseph T. Foley <foley at ru.is> Assistant Professor,  Reykjavik
> > University +354-599-6569
> >
> >
> >
> > On 3/21/16 6:27 PM, "Joseph Timothy Foley" <foley at ru.is> wrote:
> >
> >> Hi there.
> >> I set up an IPA4.2.0 on RHEL7 service for our CS department on
> >> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is
> >> I used StartSSL to sign our certificate for HTTP and LDAP usage because I
> >> didn't want our users to deal with the internal CA nor could we get the CA
> >> certificate signed.  Problem is, I can't find any information on how to
> >> get the new certificates installed on the running IPA server.  They expire
> >> in 2 days, so I'm running out of time. Any help would be greatly
> >> appreciated.
> >>
> >> I can only find information on how to setup these certificates on a brand
> >> new IPA or replicant.  There isn't any obvious information on how to put
> >> updated certificates into a running instance.
> >>
> >> Thanks in advance.
> >>
> >> Joe
> >> --
> >> Dr. Joseph T. Foley <foley at ru.is> Assistant Professor,  Reykjavik
> >> University +354-599-6569
> >>
> >>
> >>
> >>
> >
> >
> 

-- 
Dr. Joseph T. Foley <foley at ru.is> Assistant Professor, Dept. of Science
& Engineering, Reykjavik University
Menntavegur 1, Nauthólsvík | 101 Reykjavík | Iceland | Phone:
+354-599-6569 | Fax +354-599-6201 | www.ru.is
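A pre-flight check for the leaf+chain bundle and key built in the message above, before they are packed with openssl pkcs12 and handed to ipa-replica-prepare. This is an added example, not code from the thread or from FreeIPA; it assumes openssl on PATH, and the file names and hostname in the usage comment are placeholders taken from the message. It verifies that the key belongs to the leaf, that the leaf is not about to expire, that the leaf chains to the CA certs appended to the bundle (what a replica connecting on ldaps://…:636 has to be able to build), and that the leaf actually names the host.

```shell
#!/bin/sh
# Pre-flight check for a PEM bundle (leaf first, then CA chain) and its key,
# run before "openssl pkcs12 -export" and ipa-replica-prepare.
# Added example, not from the thread; assumes openssl on PATH.
set -u

# check_bundle BUNDLE KEY HOST [MIN_SECS]
# Returns 0 if all checks pass, 1 (with a reason on stdout) otherwise.
check_bundle() {
    bundle=$1; key=$2; host=$3; min_secs=${4:-86400}
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    [ "$ncerts" -ge 2 ] || { echo "FAIL: $ncerts cert(s) in bundle, CA chain missing"; return 1; }
    # Split the bundle: the first PEM block is the leaf, the rest is the chain.
    leaf=$(awk '/BEGIN CERTIFICATE/{n++} n==1' "$bundle")
    chain=$(awk '/BEGIN CERTIFICATE/{n++} n>=2' "$bundle")
    # 1. The private key must belong to the leaf: compare public-key digests.
    pub_cert=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    pub_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$pub_cert" = "$pub_key" ] || { echo "FAIL: key does not match leaf"; return 1; }
    # 2. The leaf must not expire within MIN_SECS (default: one day).
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend "$min_secs" >/dev/null \
        || { echo "FAIL: leaf expires within $min_secs seconds"; return 1; }
    # 3. The leaf must chain to the CA certs shipped in the bundle.  -CAfile
    #    trusts everything in the chain file, so this proves the bundle is
    #    internally consistent, not that clients already trust the root.
    chainfile=$(mktemp)
    printf '%s\n' "$chain" > "$chainfile"
    printf '%s\n' "$leaf" | openssl verify -CAfile "$chainfile" >/dev/null 2>&1
    rc=$?
    rm -f "$chainfile"
    [ "$rc" -eq 0 ] || { echo "FAIL: leaf does not verify against bundled chain"; return 1; }
    # 4. The leaf must name the host, in the subject CN or a DNS SAN.
    printf '%s\n' "$leaf" | openssl x509 -noout -text \
        | grep -Eq "DNS:$host|CN ?= ?$host" \
        || { echo "FAIL: leaf does not name $host"; return 1; }
    echo "OK: $ncerts certs, key matches leaf, chain verifies, leaf names $host"
}

# Usage with the file names from the message (placeholders):
# check_bundle ipa.cs.ru.is-bundle.crt private/ipa.cs.ru.is.key ipa.cs.ru.is
```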