Hello
I have this very old installation:
389-ds-1.1.3-5.fc12.noarch
389-ds-console-doc-1.2.0-5.fc12.noarch
389-ds-base-1.2.5-1.fc12.i686
389-ds-console-1.2.0-5.fc12.noarch
389-console-1.1.3-5.fc12.noarch
389-admin-console-1.1.4-2.fc12.noarch
389-dsgw-1.1.4-1.fc12.i686
389-admin-console-doc-1.1.4-2.fc12.noarch
389-adminutil-1.1.8-4.fc12.i686
389-admin-1.1.10-1.fc12.i686
into an old FC12.
Now certs under /etc/httpd/alias are expired
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Mar 01 10:50:54 2010
            Not After : Sat Mar 01 10:50:54 2014
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
and I have this error in the log: [error] SSL Library Error: -8181 Certificate has expired
then it suggests to "Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved." I did, and it works. Now I wonder how I can renew that expired cert.
I have googled around but I have not found any simple way to re-create the cert. I found this http://directory.fedoraproject.org/wiki/Howto:SSL
but it is not so easy to regenerate an expired certificate.
Is there something simpler? Can you help me?
My best regards
Maurizio
Hi,
I have done this (do not take it as a good example - best would be IF you can test it somehow... in any case, do a full backup of the /etc/dirsrv/${INSTANCE} directory once your LDAP server is down, so at least you can revert the changes).
Use this at your own risk (unless someone confirms the procedure, because it might be that I didn't update the docs completely)!!!
The next steps assume that you can take the superuser role and use it!
$ cd /etc/dirsrv/
$ INSTANCE=$(ls -1d slapd-*)
$ cd ${INSTANCE}

# Check for existing certificate(s) and remove ALL expired
$ certutil -L -d .    # this will list those, and you can delete with:
$ certutil -D -d . -n <cert1>
$ certutil -D -d . -n <cert2>
# ... etc

# Create p12 of new certificate (use password for p12 export) and import p12
# using combination of pin and p12 export password:
$ cat pin.txt
$ openssl pkcs12 -export -inkey /tmp/newcert.key -in /tmp/newcert.crt -out /tmp/newcert.p12 -nodes -name newCertLDAPname
$ pk12util -i /tmp/newcert.p12 -d .

# Import CA bundle too:
$ certutil -d $(pwd) -A -n "newCertLDAPnameCA" -t CT,, -a -i /tmp/newcert.ca-bundle

# Restart instance (redhat style):
$ service dirsrv restart
As I have mentioned earlier, it would be nice if you can test this first. Regards.
On 03/11/14 12:30 PM, Maurizio Marini wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
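Before running the certutil -D steps in the reply above, it helps to know which nicknames in the database are actually expired rather than deleting by hand. The following is an added example for this thread (not the poster's procedure); it assumes certutil's usual pretty-print ("Not After : ...") and listing layouts, and compares dates at day granularity.

```shell
# Added example, not from the original thread: list which certificates in an NSS
# database (e.g. /etc/httpd/alias) have expired before removing them with certutil -D.

# Map a three-letter month name to two digits; fail on anything else.
month_num() {
    case "$1" in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# Read certutil pretty-print text on stdin and print its expiry as YYYYMMDD.
# Returns 1 when there is no parseable "Not After" line.
not_after_ymd() {
    line=$(sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1)
    [ -n "$line" ] || return 1
    # certutil prints e.g. "Sat Mar 01 10:50:54 2014": weekday month day time year
    set -- $line
    [ $# -eq 5 ] || return 1
    mon=$(month_num "$2") || return 1
    printf '%s%s%s\n' "$5" "$mon" "$3"
}

# is_expired <YYYYMMDD>: certificate text on stdin. Returns 0 if it expired
# before that day, 1 if it is still valid, 2 if the text is unparseable.
is_expired() {
    exp=$(not_after_ymd) || return 2
    [ "$exp" -lt "$1" ]
}

# expired_nicks <nssdb dir> <YYYYMMDD>: print one expired nickname per line.
# Needs certutil (nss-tools); assumes its usual two-line header, blank line, then rows.
expired_nicks() {
    certutil -L -d "$1" | sed '1,3d' | sed 's/[[:space:]]\{2,\}[^[:space:]]*$//' |
    while IFS= read -r nick; do
        [ -n "$nick" ] || continue
        if certutil -L -d "$1" -n "$nick" | is_expired "$2"; then
            printf '%s\n' "$nick"
        fi
    done
}

# Constructed sample: the validity block of the certificate shown in the thread.
SAMPLE_CERT='        Validity:
            Not Before: Mon Mar 01 10:50:54 2010
            Not After : Sat Mar 01 10:50:54 2014'
printf '%s\n' "$SAMPLE_CERT" | is_expired 20140311 && echo "sample certificate has expired"
```

Run `expired_nicks /etc/httpd/alias $(date +%Y%m%d)` on the server to get the nicknames to pass to `certutil -D -d /etc/httpd/alias -n`.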
Maurizio Marini wrote:
It very much depends on where the original certificate came from. Where did it come from originally? Do you have a CA somewhere?
It also depends on whether you want to retain the same private key.
rob