I changed the date two months ago. I followed the instructions here: https://rcritten.wordpress.com/ but there were no results. 

ipa cert-show shows me: ipa: ERROR: cannot connect to 'https://users.EXAMPLE-TEST/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

Is it possible to use a Let's Encrypt certificate?

Regards.




On Wed, May 8, 2019 at 8:41 AM Rob Crittenden <rcritten@redhat.com> wrote:
Adrian HY via FreeIPA-users wrote:
>
> Rob, something did not work. These are the results (I hid some variables):
>
> 1.) # ipa-getcert list -d /etc/httpd/alias -n Server-Cert
>
> Number of certificates and requests being tracked: 9.
> Request ID '20180405040333':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://URL/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://URL:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes

I think this means there was an existing cert being tracked even though
it had been replaced.

So let's start at the beginning. What did you do?

Was the CA working prior to you doing anything (ipa cert-show)?

rob

> 2.) # ipa-getcert list -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert
>
> Request ID '20170530221007':
>         status: CA_UNCONFIGURED
>         ca-error: Unable to determine principal name for signing request.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
>         track: yes
>         auto-renew: yes
>
> 3.) When I execute ipactl start, the output is:
>
> Starting Directory Service
> Failed to start Directory Service: Command '/bin/systemctl start
> dirsrv@EXAMPLE-TEST.service' returned non-zero exit status 1
>
> These are some logs:
>
> [05/Apr/2018:00:18:58.885890449 -0400] - INFO - slapd_extract_cert - CA CERT NAME: DSTRootCAX3
> [05/Apr/2018:00:18:58.888428555 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE-TEST IPA CA
> [05/Apr/2018:00:18:58.896375172 -0400] - INFO - slapd_extract_cert - CA CERT NAME: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> [05/Apr/2018:00:18:58.897587438 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE-TEST IPA CA
> [05/Apr/2018:00:18:58.898932056 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE-TEST IPA CA
> [05/Apr/2018:00:18:58.901702162 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
> [05/Apr/2018:00:18:58.951537472 -0400] - ERR - extractRSAKeysAndSubject - Failed extract cert with Server-Cert, (-8174-security library: bad database., 0).
> [05/Apr/2018:00:18:58.952925282 -0400] - ERR - slapd_extract_key - Failed to extract keys for Server-Cert.
>
> [05/Apr/2018:00:18:58.994602707 -0400] - WARN - Security Initialization - SSL alert: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [05/Apr/2018:00:18:58.996564966 -0400] - WARN - Security Initialization - SSL alert: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [05/Apr/2018:00:18:58.997430419 -0400] - ERR - Security Initialization - SSL failure: None of the cipher are valid
> [05/Apr/2018:00:18:58.998238937 -0400] - ERR - force_to_disable_security - ERROR: SSL2 Initialization Failed.  Disabling SSL2.
> [05/Apr/2018:00:19:03.321481021 -0400] - ERR - attrcrypt_fetch_private_key - Can't find certificate Server-Cert: -8174 - security library: bad database.
> [05/Apr/2018:00:19:03.325672778 -0400] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert Server-Cert: -8174 - security library: bad database.
> [05/Apr/2018:00:19:03.333172213 -0400] - ERR - dblayer_instance_start - Unable to initialize attrcrypt system for userRoot
> [05/Apr/2018:00:19:03.334020816 -0400] - ERR - attrcrypt_fetch_private_key - Can't find certificate Server-Cert: -8174 - security library: bad database.
> [05/Apr/2018:00:19:03.335482273 -0400] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert Server-Cert: -8174 - security library: bad database.
> [05/Apr/2018:00:19:03.336284805 -0400] - ERR - dblayer_instance_start - Unable to initialize attrcrypt system for ipaca
> [05/Apr/2018:00:19:03.338113885 -0400] - ERR - attrcrypt_fetch_private_key - Can't find certificate Server-Cert: -8174 - security library: bad database.
> [05/Apr/2018:00:19:03.338954812 -0400] - ERR - attrcrypt_fetch_private_key - Can't get private key from cert Server-Cert: -8174 - security library: bad database.
> [05/Apr/2018:00:19:03.339889253 -0400] - ERR - dblayer_instance_start - Unable to initialize attrcrypt system for changelog
> [05/Apr/2018:00:19:03.341542720 -0400] - ERR - ldbm_back_start - Failed to start databases, err=-1 BDB0092 Unknown error: -1
> [05/Apr/2018:00:19:03.342340539 -0400] - ERR - ldbm_back_start - Failed to allocate 261825363 byte dbcache. Please reduce the value of nsslapd-cache-autosize and restart the server.
> [05/Apr/2018:00:19:03.343291924 -0400] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
> [05/Apr/2018:00:19:03.345030921 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> [05/Apr/2018:00:19:03.348707349 -0400] - WARN - ldbm_instance_add_instance_entry_callback - ldbm instance userRoot already exists
> [05/Apr/2018:00:19:03.349536617 -0400] - ERR - ldbm_config_read_instance_entries - Failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> [05/Apr/2018:00:19:03.350296961 -0400] - ERR - ldbm_config_load_dse_info - failed to read instance entries
> [05/Apr/2018:00:19:03.351984088 -0400] - ERR - ldbm_back_start - Loading database configuration failed
>
> The problem continues...
>
>
> On Mon, May 6, 2019 at 10:52 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Adrian HY wrote:
>     > Rob, thanks for your response. 
>     >
>     > The output of both commands  is:
>     >
>     > certutil: could not find certificate named "Server-Cert":
>     > PR_FILE_NOT_FOUND_ERROR: File not found
>     >
>     > Any suggestions?
>
>     I guess we do a bit of cleanup when replacing the certs. Not a big deal.
>
>     So I wrote up instructions on how to do this but it assumes your CA is
>     up and functioning and I'm not 100% sure that is the case. If your 3rd
>     party certs are expired that would explain it. What I'd suggest is use
>     getcert list |grep expires and then look at the web and LDAP certs to
>     see when there is a time when all the certs are valid. Then I'd kill
>     ntpd and use date to go back in time. Manually restart the IPA services
>     (ipactl will restart ntpd and might reset the date unless it throws its
>     hands up because it's too far out-of-whack).
>
>     Confirm that the CA works using something like: ipa cert-show 1
>
>     If you get any response back other than 503, like cert not found or a
>     display, then things are working.
>
>     Then you can follow
>     https://wordpress.com/post/rcritten.wordpress.com/190
>
>     Then bring back the date to today and restart ntpd.
>
>     Note that this won't remove the 3rd party certs or do any other sort of
>     cleanup. It might be considered a bit messy I suppose but those certs
>     shouldn't hurt anything. If you really want to clean them up once you're
>     sure things are functioning you can use certutil to remove them (after
>     backing up of course).
>
>     rob
>
>     >
>     > Thanks
>     >
>     > On Mon, May 6, 2019 at 3:54 PM Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >     Adrian HY via FreeIPA-users wrote:
>     >     > Exactly, I ran ipa-server-certinstall and replaced both of the Apache
>     >     > and 389-ds certificates. I bought the certificate but I can't renew it.
>     >     >
>     >     > I imported the certificates like this:
>     >     >
>     >     > Root Certificate:
>     >     >
>     >     > ipa-cacert-manage -n Godaddy -p PASS_DIRECTORY_MANAGER -t CT,, install gdroot-g2.crt
>     >     > ipa-certupdate
>     >     >
>     >     > Intermediate certificates:
>     >     >
>     >     > ipa-cacert-manage -n Godaddy2 -p PASS_DIRECTORY_MANAGER -t CT,, install gd_bundle-g2-g1.crt 4dfc653ab0cf823d.crt
>     >     > ipa-certupdate
>     >     >
>     >     > Finally, the certificate:
>     >     >
>     >     > ipa-server-certinstall --dirman-password=PASS_DIRECTORY_MANAGER --pin=PASS_CERTIFICATE -w -d cert.key gd_bundle-g2-g1.crt 4dfc653ab0cf823d.crt --cert-name=Godaddy2
>     >     >
>     >     >
>     >     > My IPA version is 4.6.4, OS CentOS 7.6.
>     >
>     >     This is an absolutely perfect response to my question, thank you very
>     >     much :-)
>     >
>     >     Ok, so chances seem good that the original certs are still available.
>     >     Whether they are still valid is another question, they too could be
>     >     expired, but let's start there.
>     >
>     >     To check the certs and see if they are valid run:
>     >
>     >     # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>     >     certutil: certificate is valid
>     >
>     >     # certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert
>     >     certutil: certificate is valid
>     >
>     >     If you're lucky both are still valid (I'm mostly concerned that they are
>     >     expired).
>     >
>     >     If they are valid then you can manually edit /etc/httpd/conf.d/nss.conf
>     >     and find the NSSNickname line. Set the value to Server-Cert. That will
>     >     fix Apache.
>     >
>     >     To fix 389-ds you'll need to use an ldapmodify:
>     >
>     >     # ldapmodify -x -D 'cn=directory manager' -W
>     >     <password prompt>
>     >     dn: cn=RSA,cn=encryption,cn=config
>     >     changetype: modify
>     >     replace: nsSSLPersonalitySSL
>     >     nsSSLPersonalitySSL: Server-Cert
>     >     <a blank line>
>     >     ^D
>     >
>     >     Run ipactl restart to restart the world and you should be back in
>     >     business.
>     >
>     >     On the other hand if the certs are expired there will be a bit more
>     >     digging around. Let's hope for the best-case scenario and tackle the
>     >     other bit if we have to.
>     >
>     >     rob
>     >
>     >
>     >     >
>     >     > Thanks.
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     > On Mon, May 6, 2019 at 2:53 PM Rob Crittenden <rcritten@redhat.com> wrote:
>     >     >
>     >     >     Adrian HY via FreeIPA-users wrote:
>     >     >     > Hi Florence, thanks for your attention.
>     >     >     >
>     >     >     > Yes, IPA was installed with self-signed CA, then I replaced the
>     >     >     > self-signed CA with an externally-signed CA (godaddy certificate).
>     >     >     > The certificate expired and I do not need it anymore. Hence, I
>     >     >     > need the self-signed CA.
>     >     >
>     >     >     We need to know exactly what it is you did.
>     >     >
>     >     >     On one hand it sounds like you ran ipa-server-certinstall and
>     >     >     replaced one or both of the Apache and 389-ds certificates.
>     >     >
>     >     >     On the other it sounds like you got the IPA CA certificate signed
>     >     >     by an external CA. Seems dubious to me that godaddy would do this
>     >     >     (at least not without you ponying up major $$$).
>     >     >
>     >     >     It matters what you did so please be as detailed as possible.
>     >     >
>     >     >     The version of IPA would be handy to know as well.
>     >     >
>     >     >     rob
>     >     >
>     >     >     >
>     >     >     > Thanks. 
>     >     >     >
>     >     >     >
>     >     >     > On Mon, May 6, 2019 at 2:32 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
>     >     >     >
>     >     >     >     On 5/4/19 5:29 AM, Adrian HY via FreeIPA-users wrote:
>     >     >     >     > Hello all,
>     >     >     >     >
>     >     >     >     > My commercial certificate has expired today. The pki-tomcatd
>     >     >     >     > service has stopped and I can't log in to the web GUI.
>     >     >     >     > Is it possible to revert to the original self-signed
>     >     >     >     > certificate?
>     >     >     >     >
>     >     >     >     Hi,
>     >     >     >     can you clarify which certificate expired? There are a lot of
>     >     >     >     certificates in a FreeIPA installation (IPA CA, the certs for
>     >     >     >     HTTP, LDAP, Pkinit, the certs for Dogtag etc...)
>     >     >     >
>     >     >     >     You mention "the original self-signed certificate", are you
>     >     >     >     referring to IPA CA? It would help to have the full story, for
>     >     >     >     instance "IPA was installed with self-signed CA, then I replaced
>     >     >     >     the self-signed CA with an externally-signed CA etc..."
>     >     >     >
>     >     >     >     flo
>     >     >     >
>     >     >     >     > Thanks.
>     >     >     >     >
>     >     >     >     > _______________________________________________
>     >     >     >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >     >     >     > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >     >     >     > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>     >     >     >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     >     >     > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >
>
>
>
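Rob's recovery plan in this thread is done by hand: check the Server-Cert in each NSS database with certutil, find a point in time at which every certificate is valid, stop ntpd, set the clock there, confirm the CA answers with ipa cert-show, then re-issue. The script below is an added example, not part of the thread and not FreeIPA code: it parses the Validity block that `certutil -L -d <db> -n Server-Cert` prints for each database, intersects the periods, and prints the `date -s` value to use, or reports that no such instant exists. The certutil output it runs on is constructed sample text with made-up dates; the "stale" database, the one-day safety margin, and the certutil_list() wrapper are assumptions for illustration. It treats certutil's timestamps as being in the same timezone as `date` on the box.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample output in the shape `certutil -L -d <db> -n Server-Cert` prints.
# The dates are invented for this example; only the Validity block is parsed.
SAMPLE_HTTPD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=EXAMPLE-TEST"
        Validity:
            Not Before: Thu Apr 05 04:03:33 2018
            Not After : Sun Apr 05 04:03:33 2020
        Subject: "CN=users.example-test,O=EXAMPLE-TEST"
"""
SAMPLE_DIRSRV = """\
Certificate:
    Data:
        Validity:
            Not Before: Tue May 30 22:10:07 2017
            Not After : Thu May 30 22:10:07 2019
"""
# What certutil prints (on stderr) when the nickname is gone from the database.
SAMPLE_MISSING = ('certutil: could not find certificate named "Server-Cert": '
                  'PR_FILE_NOT_FOUND_ERROR: File not found\n')

VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(\S.*?)\s*$", re.M)
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"


def parse_validity(certutil_output):
    """Return (not_before, not_after) from `certutil -L` text.
    LookupError: certutil reported the nickname does not exist.
    ValueError: no Validity block was found."""
    if "could not find certificate" in certutil_output:
        raise LookupError(certutil_output.strip())
    found = {m.group(1): datetime.strptime(m.group(2), CERTUTIL_TIME)
             for m in VALIDITY_RE.finditer(certutil_output)}
    if set(found) != {"Before", "After"}:
        raise ValueError("no Validity block in certutil output")
    return found["Before"], found["After"]


def common_window(validities):
    """Intersect validity periods: latest Not Before to earliest Not After.
    None means there is no instant at which every certificate is valid."""
    start = max(nb for nb, _ in validities.values())
    end = min(na for _, na in validities.values())
    return (start, end) if start < end else None


def clock_advice(validities, now):
    """("ok", now) if every cert is valid now; ("set_clock", t) with a time inside
    the common window; ("no_window", None) if the periods do not overlap."""
    window = common_window(validities)
    if window is None:
        return "no_window", None
    start, end = window
    if start <= now <= end:
        return "ok", now
    # Stay one day inside the window so clock skew between the services does not
    # push the chosen instant back out again (assumed margin).
    if end - start > timedelta(days=2):
        target = end - timedelta(days=1) if now > end else start + timedelta(days=1)
    else:
        target = start + (end - start) / 2
    return "set_clock", target


def date_command(t):
    """The `date -s` invocation for the chosen time (run after stopping ntpd)."""
    return 'date -s "%s"' % t.strftime("%Y-%m-%d %H:%M:%S")


def audit(outputs, now):
    """outputs: {label: certutil text}. Returns (validities, missing, advice)."""
    validities, missing = {}, {}
    for label, text in outputs.items():
        try:
            validities[label] = parse_validity(text)
        except LookupError as e:
            missing[label] = str(e)   # nickname gone: the clock trick cannot help here
    advice = clock_advice(validities, now) if validities else ("no_window", None)
    return validities, missing, advice


def certutil_list(db, nickname="Server-Cert"):
    """Live run (assumed wrapper): certutil -L with stderr folded in, because the
    not-found message is written there."""
    p = subprocess.run(["certutil", "-L", "-d", db, "-n", nickname],
                       capture_output=True, text=True)
    return p.stdout + p.stderr


if __name__ == "__main__":
    # Offline demo on the constructed samples. On a real 4.6 server you would pass
    # {"httpd": certutil_list("/etc/httpd/alias"),
    #  "dirsrv": certutil_list("/etc/dirsrv/slapd-EXAMPLE-TEST")} instead.
    samples = {"httpd": SAMPLE_HTTPD, "dirsrv": SAMPLE_DIRSRV, "stale": SAMPLE_MISSING}
    validities, missing, (state, t) = audit(samples, datetime(2019, 6, 15, 12, 0, 0))
    for label, (nb, na) in validities.items():
        print("%-7s valid %s .. %s" % (label, nb, na))
    for label, err in missing.items():
        print("%-7s MISSING: %s" % (label, err))
    print("advice:", state, "" if t is None else date_command(t))
```

With the sample dates the dirsrv cert is the first to expire, so the script proposes setting the clock to the day before that expiry rather than to the much earlier issue date; that keeps Kerberos ticket lifetimes and the CA's own certificates as close to reality as possible while the renewal runs. A database that reports the nickname as missing is listed separately, since no clock value brings back a certificate that is no longer in the NSS database, which is the situation the earlier certutil "could not find certificate" output in this thread describes. As Rob notes, ipactl restarts ntpd, so restart the individual services by hand while the clock is set back.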