[Freeipa-users] Renewing an externally signed HTTP/LDAP certificate
Joseph Timothy Foley
foley at ru.is
Wed Mar 23 01:17:05 UTC 2016
Hi Rob.
You are right that I should be able to just update it on our second
server. What happened was I was trying to see if the certificate would
work on the install process since I couldn't figure out the renewal.
This did not work, which is why I just sent out an update of my new LDAP
error.
If I understand you correctly, I somehow need to add the new trust chain
to both sides. How would I go about doing that?
Joe
--
Dr. Joseph T. Foley <foley at ru.is> Assistant Professor, Reykjavik
University +354-599-6569
On 3/22/16 1:44 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>Joseph Timothy Foley wrote:
>> Hi Rob.
>>
>> To add to this mess, I seem to have somehow confused the LDAP
>> certificate configuration in the process of setting up a replicant
>> (ipa.cs.ru.is) with my new StartSSL (personal) certificate. The
>> previous certificate was a corporate Level2 certificate. Trying to use
>> the old certificate (which expires tomorrow) doesn't seem to put it back
>> in working order.
>
>I thought you just needed to update the certificate. Why are you
>creating a new replica?
>
>My own StartSSL Server cert expires in a month and I just renewed it
>this morning. They have a new subordinate CA, that might be part of the
>problem (both sides need to trust it). I'd look in the access log of the
>remote 389-ds server to see what error it threw (and the local one too I
>suppose).
>
>But really, you should be able to replace the certs using certutil, not
>re-install the whole thing.
>
>rob
>
>
>> This is what I did to make the pkcs file:
>>
>> cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
>> cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt (the ca-bundle is
>> the root_bundle.crt they now send you in a zip file)
>>
>> openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey
>> private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is
>>
>> ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX
>> --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is
>>
>> Then copied it to ipa.cs.ru.is and ran
>> ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg
>>
>> Everything looks fine until:
>> [24/38]: setting up initial replication
>> Starting replication, please wait until this has completed.
>>
>> [ipa2.cs.ru.is] reports: Update failed! Status: [-11 - LDAP error:
>> Connect error]
>>
>> [error] RuntimeError: Failed to start replication
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to
>> start replication
>>
>>
>> Looking at the setup log in /var/log/ipareplica-install.log:
>>
>> 2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache
>> url=ldap://ipa2.cs.ru.is:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8cfc908>
>> 2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
>> 2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from
>> SchemaCache
>> 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache
>> url=ldaps://ipa.cs.ru.is:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8a01830>
>> 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 418, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 408, in run_step
>> method()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 377, in __setup_replica
>> r_bindpw=self.dm_password)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1014, in setup_replication
>> raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2016-03-22T08:49:24Z DEBUG [error] RuntimeError: Failed to start
>> replication
>> 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
>> 2016-03-22T08:49:24Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>> execute
>> return_value = self.run()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>> cfgr.run()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 281, in run
>> self.execute()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 303, in execute
>> for nothing in self._executor():
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 343, in __runner
>> self._handle_exception(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 365, in _handle_exception
>> util.raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 333, in __runner
>> step()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 87, in run_generator_with_yield_from
>> raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 65, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 524, in _configure
>> executor.next()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 343, in __runner
>> self._handle_exception(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in _handle_exception
>> self.__parent._handle_exception(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 365, in _handle_exception
>> util.raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 418, in _handle_exception
>> super(ComponentBase, self)._handle_exception(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 365, in _handle_exception
>> util.raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 333, in __runner
>> step()
>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 87, in run_generator_with_yield_from
>> raise_exc_info(exc_info)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 65, in run_generator_with_yield_from
>> value = gen.send(prev_value)
>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>> line 63, in _install
>> for nothing in self._installer(self.parent):
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>> install(self)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>> func(installer)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install
>> ds = install_replica_ds(config)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds
>> ca_file=config.dir + "/ca.crt",
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 364, in create_replica
>> self.start_creation(runtime=60)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 418, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 408, in run_step
>> method()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
>> 377, in __setup_replica
>> r_bindpw=self.dm_password)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1014, in setup_replication
>> raise RuntimeError("Failed to start replication")
>>
>> 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed,
>> exception: RuntimeError: Failed to start replication
>> 2016-03-22T08:49:24Z ERROR Failed to start replication
>>
>> On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote:
>>> Joseph Timothy Foley wrote:
>>>> I just discovered that the certificate on ipa2.cs.ru.is is good to
>>>>August,
>>>> so I have a little bit of breathing room. That said, the ipa.cs.ru.is
>>>> certificate will expire on March 23, so I need to update it.
>>>
>>> The process to get a new cert is pretty much the same as you obtained
>>> the original assuming you kept the original CSR. You'd re-submit that
>>>to
>>> StartSSL and they will provide a new certificate in PEM format.
>>>
>>> Add that to the relevant database via:
>>>
>>> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to/cert.pem
>>>
>>> I can't give much more specific information without knowing if you are,
>>> for example, using the same cert/key for both 389-ds and Apache.
>>>
>>> rob
>>>
>>>> On 3/21/16 6:27 PM, "Joseph Timothy Foley" <foley at ru.is> wrote:
>>>>
>>>>> Hi there.
>>>>> I set up an IPA 4.2.0 on RHEL7 service for our CS department on
>>>>> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is
>>>>> I used StartSSL to sign our certificate for HTTP and LDAP usage
>>>>>because I
>>>>> didn't want our users to deal with the internal CA nor could we get
>>>>>the CA
>>>>> certificate signed. Problem is, I can't find any information on how
>>>>>to
>>>>> get the new certificates installed on the running IPA server. They
>>>>>expire
>>>>> in 2 days, so I'm running out of time. Any help would be greatly
>>>>> appreciated.
>>>>>
>>>>> I can only find information on how to setup these certificates on a
>>>>>brand
>>>>> new IPA or replicant. There isn't any obvious information on how to
>>>>>put
>>>>> updated certificates into a running instance.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Joe
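An added example, not from this thread or from the FreeIPA project, of one way to get the new StartSSL subordinate CA trusted on both servers as Rob describes: it splits the root_bundle.crt shipped with the certificate into one file per CA certificate and imports each into an NSS database with CA trust flags using certutil, the tool Rob already suggests for the server cert. The NSS database paths, nicknames and file names are assumptions; it would be run on each IPA server against both the 389-ds and the Apache database.

```shell
#!/bin/sh
# Added example (not from the thread). Imports every CA certificate in a PEM
# bundle into an NSS database so that server trusts the new chain. Paths and
# nicknames are assumptions: on an IPA 4.2 server the 389-ds database is
# typically /etc/dirsrv/slapd-<INSTANCE> and Apache's is /etc/httpd/alias.

# Split a PEM bundle into one file per certificate (ca-1.pem, ca-2.pem, ...)
# and print the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/ca-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Import each split certificate as a trusted CA (trust flags "CT,,": trusted
# to issue server and client certificates) under its own nickname, then list
# the database so the new entries and their trust flags can be confirmed.
import_chain() {
    dbdir="$1"; certdir="$2"; prefix="$3"
    i=0
    for f in "$certdir"/ca-*.pem; do
        i=$((i + 1))
        certutil -A -d "$dbdir" -n "$prefix CA $i" -t "CT,," -a -i "$f"
    done
    certutil -L -d "$dbdir"
}

# Before importing anywhere, confirm the new server certificate actually
# chains to the bundle; a failure here means the bundle is incomplete.
check_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Usage (run on each IPA server; arguments are placeholders):
#   check_chain root_bundle.crt ipa.cs.ru.is.crt
#   split_pem_bundle root_bundle.crt /tmp/startssl-chain
#   import_chain /etc/dirsrv/slapd-INSTANCE /tmp/startssl-chain StartSSL
#   import_chain /etc/httpd/alias          /tmp/startssl-chain StartSSL
```

After the import, the server and its peer both hold the intermediate, which is what the "Connect error" during replication setup points at when only one side trusts the new chain.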