[Freeipa-users] Renewing an externally signed HTTP/LDAP certificate

Rob Crittenden rcritten at redhat.com
Wed Mar 23 02:48:36 UTC 2016


Joseph Timothy Foley wrote:
> Hi Rob.
> You are right that I should be able to just update it on our second
> server.  What happened was I was trying to see if the certificate would
> work on the install process since I couldn't figure out the renewal.
> This did not work, which is why I just sent out an update of my new LDAP
> error.
> If I understand you correctly, I somehow need to add the new trust chain
> to both sides.  How would I go about doing that?

The cert I just got from StartSSL came as a zip file containing a bunch 
of zip files. One was something like ApacheSomething.zip which contained 
two PEM files: the intermediate CA and the server cert.

Using 389-ds as an example, you'd do something like this to add the new 
server certificate:

# certutil -A -n Server-Cert -d /etc/dirsrv/slapd-REALM -t u,u,u -a -i /path/to/2_my.domain.crt

To add the intermediate CA:

# certutil -A -n "StartCom Class 1 DV Server CA" -d /etc/dirsrv/slapd-REALM -t CT,CT, -a -i /path/to/1_root_bundle.crt

The nickname may vary. This is the subject of the intermediate that 
issued my cert as an example. You can do something like:

# openssl x509 -text -in /path/to/1_root_bundle.crt | grep Subject

And use that as inspiration for the nickname. It just needs to be a 
unique string, but using something relevant is often helpful (e.g. you 
can use foo, but will you know what that is next year?).

Verify that the updated cert works:

# certutil -V -u V -d /etc/dirsrv/slapd-REALM -n Server-Cert
certutil: certificate is valid

Restart the dirsrv process to pick up the new cert.

rob

>
> Joe
> --
> Dr. Joseph T. Foley <foley at ru.is> Assistant Professor,  Reykjavik
> University +354-599-6569
>
>
>
>
>
> On 3/22/16 1:44 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
>> Joseph Timothy Foley wrote:
>>> Hi Rob.
>>>
>>> To add to this mess, I seem to have somehow confused the LDAP
>>> certificate configuration in the process of setting up a replicant
>>> (ipa.cs.ru.is) with my new StartSSL (personal) certificate.  The
>>> previous certificate was a corporate Level2 certificate.  Trying to use
>>> the old certificate (which expires tomorrow) doesn't seem to put it back
>>> in working order.
>>
>> I thought you just needed to update the certificate. Why are you
>> creating a new replica?
>>
>> My own StartSSL Server cert expires in a month and I just renewed it
>> this morning. They have a new subordinate CA, that might be part of the
>> problem (both sides need to trust it). I'd look in the access log of the
>> remote 389-ds server to see what error it threw (and the local one too I
>> suppose).
>>
>> But really, you should be able to replace the certs using certutil, not
>> re-install the whole thing.
>>
>> rob
>>
>>
>>> This is what I did to make the pkcs file:
>>>
>>> cp ipa.cs.ru.is.crt ipa.cs.ru.is-bundle.crt
>>> cat certs/ca-bundle.crt >> ipa.cs.ru.is-bundle.crt  (the ca-bundle is
>>> the root_bundle.crt they now send you in a zip file)
>>>
>>> openssl pkcs12 -export -in ipa.cs.ru.is-bundle.crt -inkey
>>> private/ipa.cs.ru.is.key -out ipa.cs.ru.is.p12 -name ipa.cs.ru.is
>>>
>>> ipa-replica-prepare --http-cert-file ipa.cs.ru.is.p12 --http-pin XXXXX
>>> --dirsrv-cert-file ipa.cs.ru.is.p12 --dirsrv-pin XXXXX ipa.cs.ru.is
>>>
>>> Then copied it to ipa.cs.ru.is and ran
>>> ipa-replica-install --mkhomedir replica-info-ipa.cs.ru.is.gpg
>>>
>>> Everything looks fine until:
>>>     [24/38]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>>
>>> [ipa2.cs.ru.is] reports: Update failed! Status: [-11  - LDAP error:
>>> Connect error]
>>>
>>>     [error] RuntimeError: Failed to start replication
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to
>>> start replication
>>>
>>>
>>> Looking at the setup log in /var/log/ipareplica-install.log:
>>>
>>> 2016-03-22T08:49:22Z DEBUG retrieving schema for SchemaCache url=ldap://ipa2.cs.ru.is:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8cfc908>
>>> 2016-03-22T08:49:23Z DEBUG Successfully updated nsDS5ReplicaId.
>>> 2016-03-22T08:49:23Z DEBUG flushing ldaps://ipa.cs.ru.is:636 from SchemaCache
>>> 2016-03-22T08:49:23Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa.cs.ru.is:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x8a01830>
>>> 2016-03-22T08:49:24Z DEBUG Traceback (most recent call last):
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>       run_step(full_msg, method)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>       method()
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica
>>>       r_bindpw=self.dm_password)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication
>>>       raise RuntimeError("Failed to start replication")
>>> RuntimeError: Failed to start replication
>>>
>>> 2016-03-22T08:49:24Z DEBUG   [error] RuntimeError: Failed to start
>>> replication
>>> 2016-03-22T08:49:24Z DEBUG Destroyed connection context.ldap2_102284432
>>> 2016-03-22T08:49:24Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>       return_value = self.run()
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>>       cfgr.run()
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 281, in run
>>>       self.execute()
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 303, in execute
>>>       for nothing in self._executor():
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 343, in __runner
>>>       self._handle_exception(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 365, in _handle_exception
>>>       util.raise_exc_info(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 333, in __runner
>>>       step()
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>> line 87, in run_generator_with_yield_from
>>>       raise_exc_info(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>> line 65, in run_generator_with_yield_from
>>>       value = gen.send(prev_value)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 524, in _configure
>>>       executor.next()
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 343, in __runner
>>>       self._handle_exception(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 421, in _handle_exception
>>>       self.__parent._handle_exception(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 365, in _handle_exception
>>>       util.raise_exc_info(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 418, in _handle_exception
>>>       super(ComponentBase, self)._handle_exception(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 365, in _handle_exception
>>>       util.raise_exc_info(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 333, in __runner
>>>       step()
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>> line 87, in run_generator_with_yield_from
>>>       raise_exc_info(exc_info)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>>> line 65, in run_generator_with_yield_from
>>>       value = gen.send(prev_value)
>>>     File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>>> line 63, in _install
>>>       for nothing in self._installer(self.parent):
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>>       install(self)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>>       func(installer)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 566, in install
>>>       ds = install_replica_ds(config)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 77, in install_replica_ds
>>>       ca_file=config.dir + "/ca.crt",
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 364, in create_replica
>>>       self.start_creation(runtime=60)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>       run_step(full_msg, method)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>       method()
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 377, in __setup_replica
>>>       r_bindpw=self.dm_password)
>>>     File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1014, in setup_replication
>>>       raise RuntimeError("Failed to start replication")
>>>
>>> 2016-03-22T08:49:24Z DEBUG The ipa-replica-install command failed,
>>> exception: RuntimeError: Failed to start replication
>>> 2016-03-22T08:49:24Z ERROR Failed to start replication
>>>
>>> On Mon, 2016-03-21 at 15:47 -0400, Rob Crittenden wrote:
>>>> Joseph Timothy Foley wrote:
>>>>> I just discovered that the certificate on ipa2.cs.ru.is is good to
>>>>> August,
>>>>> so I have a little bit of breathing room.  That said, the ipa.cs.ru.is
>>>>> certificate will expire on March 23, so I need to update it.
>>>>
>>>> The process to get a new cert is pretty much the same as you obtained
>>>> the original assuming you kept the original CSR. You'd re-submit that
>>>> to
>>>> StartSSL and they will provide a new certificate in PEM format.
>>>>
>>>> Add that to the relevant database via:
>>>>
>>>> # certutil -A -n "Server-Cert" -d /path/to/db -t u,u,u -a -i /path/to/cert.pem
>>>>
>>>> I can't give much more specific information without knowing if you are,
>>>> for example, using the same cert/key for both 389-ds and Apache.
>>>>
>>>> rob
>>>>
>>>>> --
>>>>> Dr. Joseph T. Foley <foley at ru.is> Assistant Professor,  Reykjavik
>>>>> University +354-599-6569
>>>>>
>>>>>
>>>>>
>>>>> On 3/21/16 6:27 PM, "Joseph Timothy Foley" <foley at ru.is> wrote:
>>>>>
>>>>>> Hi there.
>>>>>> I setup an IPA4.2.0 on RHEL7 service for our CS department on
>>>>>> ipa.cs.ru.is(temporarily down) and ipa2.cs.ru.is
>>>>>> I used StartSSL to sign our certificate for HTTP and LDAP usage
>>>>>> because I
>>>>>> didn't want our users to deal with the internal CA nor could we get
>>>>>> the CA
>>>>>> certificate signed.  Problem is, I can't find any information on how
>>>>>> to
>>>>>> get the new certificates installed on the running IPA server.  They
>>>>>> expire
>>>>>> in 2 days, so I'm running out of time. Any help would be greatly
>>>>>> appreciated.
>>>>>>
>>>>>> I can only find information on how to setup these certificates on a
>>>>>> brand
>>>>>> new IPA or replicant.  There isn't any obvious information on how to
>>>>>> put
>>>>>> updated certificates into a running instance.
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>> Joe
>>>>>> --
>>>>>> Dr. Joseph T. Foley <foley at ru.is> Assistant Professor,  Reykjavik
>>>>>> University +354-599-6569
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>>
>>>>
>>>
>>
>
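As an added example (not from the thread and not FreeIPA's own tooling), here is a POSIX shell pre-flight around the certutil steps Rob describes at the top of the thread: it derives the intermediate's nickname from its subject CN, checks that the intermediate really is the issuer of the new server cert before anything is imported, and runs the certutil -V check afterwards. The DB directory, file paths and the fallback nickname "Intermediate-CA" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Freeipa-users thread. Assumes openssl and
# certutil are installed and the caller passes: <nss-db-dir> <server.crt> <intermediate.crt>

# Pull the CN out of a "subject=..." or "issuer=..." line as printed by
# `openssl x509 -noout -subject|-issuer`; handles both "CN=x" and "CN = x".
cn_from_dn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Nickname for the intermediate, as Rob suggests: the subject CN of the CA
# that issued the server cert. "Intermediate-CA" is an assumed fallback.
nickname_from_subject() {
    cn="$(cn_from_dn "$1")"
    if [ -n "$cn" ]; then printf '%s\n' "$cn"; else printf 'Intermediate-CA\n'; fi
}

# The server cert's issuer CN must equal the intermediate's subject CN,
# otherwise both sides will still fail to build the chain after the import.
chain_matches() {
    [ "$(cn_from_dn "$1")" = "$(cn_from_dn "$2")" ]
}

# Mirrors the thread's certutil commands, guarded by the issuer check.
import_chain() {
    db="$1"; server="$2"; inter="$3"
    issuer="$(openssl x509 -noout -issuer -in "$server")"
    subject="$(openssl x509 -noout -subject -in "$inter")"
    if ! chain_matches "$issuer" "$subject"; then
        echo "refusing import: $inter did not issue $server" >&2
        return 1
    fi
    nick="$(nickname_from_subject "$subject")"
    certutil -A -n "$nick" -d "$db" -t CT,CT, -a -i "$inter" || return 1
    certutil -A -n Server-Cert -d "$db" -t u,u,u -a -i "$server" || return 1
    # Same validity check Rob runs before restarting dirsrv.
    certutil -V -u V -d "$db" -n Server-Cert
}

# Only touch a real database when all three paths are given.
if [ "$#" -eq 3 ]; then import_chain "$@"; fi
```

After a successful run, restart the dirsrv instance as the thread says; the script deliberately does not do that for you.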
