[Freeipa-users] 3rd party Cert install now IPA total broken

Florence Blanc-Renaud flo at redhat.com
Wed Sep 21 07:04:50 UTC 2016


On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote:
> Hello.
>
> Thanks for the first help,
>
> Am Montag, 19. September 2016, 12:02:19 schrieb Florence Blanc-Renaud:
>> On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>> Freeipa 4.3.1
>>>
>>> I have now installed a 3rd party certificate from Startcom and now my IPA is
>>> totally broken?
>
>>> ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install
>>> root.crt
>
> I mean this is the wrong cert I installed :-(.
>
> Is it possible to overwrite or delete it and make it new? This file is the ROOT-CA
> from STARTCOM ("30 Years")
>
Hi,

ipa-cacert-manage install *adds* the CA certificate to the list of CA 
certs (it does not replace the CA cert), meaning that it can be run 
multiple times with different certificates. After this step, you can 
find all your CA certificates in the ldap server, below 
cn=certificates,cn=ipa,cn=etc,$BASEDN

So in your case, you can re-run this command, this time with the right 
CA cert. Then do not forget to run ipa-certupdate on all the ipa 
replicas/clients in order to install the new CA cert on the relevant NSS 
databases. It is important to run ipa-certupdate before IPA services are 
restarted with the new certs (otherwise ipa-certupdate cannot contact 
the LDAP server to download the new certificates).

If you forgot to run ipa-certupdate on the clients, I guess you can fix 
this by installing the new CA cert in /etc/ipa/nssdb with C,, flags.

HTH,
Flo

>>> ipa-certupdate
>>>
>>> ipa-server-certinstall -w -d ipa_3rd_ca.p12
>
> This was wrong, I deleted all these installed certs with
> certutil -d . -D -n xxxxxxx
>
>>> I created this p12 with key.pem, cert.pem and root.crt
>
> Now I created a new p12 with, I hope, the correct certs.
>
> I received from Startcom a httpd zip file with 1_root_bundle.crt ("15 Years") and
> my wildcard certificate; these I included in my newly created p12 with my key.pem.
>
> This p12 I installed on the first master with
>
> pk12util -v -i ipa_4gjn_ca.p12 -d /etc/httpd/alias -k
> /etc/httpd/alias/pwdfile.txt -W xxxxxxxx
>
> pk12util -v -i ipa_4gjn_ca.p12 -d /etc/dirsrv/slapd-4GJN-COM -k
> /etc/dirsrv/slapd-4GJN-COM/pwdfile.txt -W xxxxxxx
> and
> pk12util -v -i ipa_4gjn_ca.p12 -d /var/lib/pki/pki-tomcat/alias -k
> /etc/pki/pki-tomcat/pwdfile.txt -W xxxxxxxxx
>
> I changed nss.conf and, I hope, the correct file in /etc/dirsrv/slapd-
> XXXX/dsl.ldif
>
> Then I changed in all NSS DBs the StartCOM cert (1_root_bundle.crt) with the name
> STARTCOM-ROOT to
> certutil -d . -M -t C,, -n STARCOM-ROOT
>
>
> Afterwards I did a reboot and a test:
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> Why is the ipa-ods-exporter service always STOPPED??
>
> Next I tested a login on the IPA Web UI; this is now also working ;-)
>
>
> The QUESTION is now: what about the second master and the IPA clients?
> Now (?) I have also found ipa-backup ;-) OK, for the next problem I now
> know it :-).
>
> Do I have to repeat all this on the second master?
>
> And what is the correct way to inform the clients?
>
> Thanks again for an answer,
>
>> Hi,
>>
>> there were some issues with ipa-server-certinstall (see tickets #4785,
>> #4786 and #6263).
>> In order to check your configuration, you must make sure that the NSS
>> DBs for Apache and the LDAP server (/etc/httpd/alias,
>> /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
>> - the server certificate with flags u,u,u (= the one contained in
>> ipa_3rd_ca.p12)
>> - the certificate of the CA which signed the server certificate, with
>> flags C,, (= the one contained in root.crt)
>>
>> Then you can also check if the nickname for the server cert is properly
>> set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
>> the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
>> nsSSLPersonalitySSL).
>>
>> If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
>> provide more information.
>>
>> Also note that it is important to run ipa-certupdate on all the clients
>> and replicas in order to install the new certificates in the NSS DBs
>> *before* you run ipa-server-certinstall.
>>
>> Hope this helps,
>> Flo.
>>
>>> Kerberos doesn't start anymore?
>>> The error is:
>>>
>>>  Unspecified GSS failure. Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM'
>>>
>>> after inserting in nss.conf
>>> "NSSEnforceValidCerts off"
>>>
>>> ipactl restart is starting (?) but
>>>
>>> ipactl status tells me
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-ods-exporter Service: STOPPED
>>> ods-enforcerd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> with certutil -d /etc/httpd/alias -L I now have this
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> Signing-Cert                                                 u,u,u
>>> 4GJN_CA_FILE                                                 u,u,u
>>> ipaCert                                                      u,u,u
>>> 4GJN.COM IPA CA                                              CT,C,C
>>> STARTCOM-ROOT                                                C,,
>>>
>>> I can insert in nss.conf either the
>>> #NSSNickname "Signing-Cert" original
>>> or
>>> NSSNickname 4GJN_CA_FILE but all is now broken?
>>>
>>> I also add this, found in Bugzilla:
>>>
>>> certutil -d /var/lib/pki/pki-tomcat/alias -L
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> ocspSigningCert cert-pki-ca                                  u,u,u
>>> subsystemCert cert-pki-ca                                    u,u,u
>>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>>> Server-Cert cert-pki-ca                                      u,u,u
>>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>> STARTCOM-ROOT                                                CT,,
>>>
>>> this is created in the
>>>
>>> certutil -d /etc/dirsrv/slapd-4GJN.COM -L
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> 4GJN_CA_FILE                                                 u,u,u
>>> 4GJN.COM IPA CA                                              CT,C,C
>>> STARTCOM-ROOT                                                C,,
>>>
>>> Can anyone help a little, please ;-)
>>>
>>> The bad problem: I tested this with my master server with DNS / DNSSEC, which I
>>> can't reinstall (DNSSEC keys)
>
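A small shell check, added here as an example (it is not code from the thread or from FreeIPA itself), for the two conditions Flo lists above: the NSS database must hold the server certificate the service is configured to use with flags u,u,u, and the CA that signed it with C in the SSL trust slot. It parses the text of `certutil -d <dbdir> -L`, so it runs on a pasted listing as well as on a live database, and reads the active NSSNickname out of nss.conf text. The sample listing is the /etc/httpd/alias listing posted earlier in this thread, rejoined onto unwrapped lines; the nss.conf fragment is constructed from the two directives quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: verify an IPA NSS DB listing against the trust-flag
# requirements from the thread (server cert u,u,u; signing CA with C in
# the SSL slot). Live use on a server would be, for instance:
#   check_nssdb_listing "$(certutil -d /etc/httpd/alias -L)" \
#       "$(nss_conf_nickname "$(cat /etc/httpd/conf.d/nss.conf)")" STARTCOM-ROOT

# Print the trust flags recorded for nickname $2 in the certutil -L text $1
# (empty output if the nickname is not in the database).
nss_trust_flags() {
    listing=$1
    nick=$2
    printf '%s\n' "$listing" | awk -v nick="$nick" '
        # Only rows whose last column is a trust triple (SSL,S/MIME,JAR/XPI)
        # are certificates; this skips the header and blank lines.
        $NF !~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ { next }
        {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)                # and any leading indent
            if (name == nick) { print flags; exit }  # nicknames may contain spaces
        }'
}

# Print the active NSSNickname from nss.conf text $1.
# Commented-out directives (#NSSNickname ...) are ignored, quotes stripped.
nss_conf_nickname() {
    printf '%s\n' "$1" | awk '$1 == "NSSNickname" { gsub(/"/, "", $2); print $2; exit }'
}

# Server cert: present with exactly u,u,u (usable private key, no CA trust).
check_server_cert() {
    [ "$(nss_trust_flags "$1" "$2")" = "u,u,u" ]
}

# CA cert: present with C in the SSL slot (C,, as Flo asks, or e.g. CT,C,C).
check_ca_cert() {
    flags=$(nss_trust_flags "$1" "$2")
    [ -n "$flags" ] || return 1
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Combined check: prints one verdict per item, returns non-zero on any failure.
check_nssdb_listing() {
    listing=$1; server_nick=$2; ca_nick=$3; rc=0
    if check_server_cert "$listing" "$server_nick"; then
        echo "OK   server cert '$server_nick' has u,u,u"
    else
        echo "FAIL server cert '$server_nick' missing or wrong flags (got '$(nss_trust_flags "$listing" "$server_nick")')"
        rc=1
    fi
    if check_ca_cert "$listing" "$ca_nick"; then
        echo "OK   CA cert '$ca_nick' is trusted for SSL ($(nss_trust_flags "$listing" "$ca_nick"))"
    else
        echo "FAIL CA cert '$ca_nick' missing or lacks C in the SSL slot (got '$(nss_trust_flags "$listing" "$ca_nick")')"
        rc=1
    fi
    return $rc
}

# Sample input: the /etc/httpd/alias listing posted in the thread, rejoined
# onto unwrapped lines exactly as certutil -L prints it.
SAMPLE_HTTPD_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,'

# Sample nss.conf fragment (constructed from the two directives quoted in the thread).
SAMPLE_NSS_CONF='#NSSNickname "Signing-Cert"
NSSNickname 4GJN_CA_FILE'

# Run the check on the samples: the configured nickname 4GJN_CA_FILE has u,u,u
# and STARTCOM-ROOT has C,, so both lines print OK.
check_nssdb_listing "$SAMPLE_HTTPD_LISTING" "$(nss_conf_nickname "$SAMPLE_NSS_CONF")" STARTCOM-ROOT
```

The check deliberately looks only at the nickname the service is configured to use, because an IPA httpd database legitimately holds several u,u,u entries (the listing above has three); what matters for the service is that its NSSNickname resolves to one of them and that the issuing CA is present with C trust, since a C flag on the wrong CA (the "wrong cert" problem from the start of the thread) leaves the server cert unverifiable even though every nickname looks fine.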