Justen Long wrote:
> I'm getting closer... it's not recognizing my admin password for IPA, or for my personal account with admin rights now.. but no more SSL errors.. just can't run ipa-certupdate without the proper Kerberos creds..
By not recognizing your password I assume you mean kinit is failing? Is
the KDC running? I assume 389-ds is running? All restarted after time
became stable in the past?
rob
On Thu, Apr 13, 2023 at 12:51 PM Justen Long <mr.justenlong@gmail.com> wrote:
Following up, I see the date command just changed it momentarily... using timedatectl and will report back.
On Thu, Apr 13, 2023 at 12:31 PM Justen Long <mr.justenlong@gmail.com> wrote:
Rob,
I entered 'date --date="7 April 2023"' and verified it updated the system time appropriately. Restarted dirsrv, ipa-custodia, ipa-otpd, httpd.. krb5kdc and kadmin failed. Still, tried to send ipa cert-update, and it popped the same SSL Certificate Verify Failed error.
On Thu, Apr 13, 2023 at 11:32 AM Rob Crittenden <rcritten@redhat.com> wrote:
Justen Long wrote:
> Additionally, is there any way to force the CA cert update to be recognized? When I run it to update the CA chain, everything is verified.. but /etc/ipa/ca.crt didn't reflect the change.. so I manually populated it by copying over the guts of the CA bundle to /etc/ipa/ca.crt before trying to install the new server cert, and it still doesn't recognize it as trusted although the issuer is the same and within the CA bundle.
This is going to sound weird, but I'd just go back in time to April 10, restart all services but ntp (which will reset the time) and then the commands should work. Once the certs are updated and working, return to present time.
rob
>
> On Thu, Apr 13, 2023 at 6:20 AM Justen Long <mr.justenlong@gmail.com> wrote:
>
> Rob,
>
> Apologies for the delay in response. Once I'm home, I don't have access to the information readily available to respond with. Here is the information you requested:
>
> The version of IPA we are using is 4.6.8; the rpm specifically for us is ipa-server-4.6.8-5.el7.centos.12.x86_64, and we are using CentOS 7.9 currently with plans to move to RHEL9 within the next year or so.
>
> Unfortunately, 'ipa config-show' doesn't work. It populates the same error stating "ipa: ERROR: cannot connect to 'https://ipaServer/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)".
The smack heard around the world was my head hitting my desk. Of course this command failed.
>
> We have ~50 hosts connected via IPA. We have two IPA servers, one as a replica of the other.
>
> 'getcert list' only shows 1 certificate. Its state is "MONITORING" and seems related to Kerberos.
>
> As far as I know, we don't use IPA CA-issued certificates. I recall seeing errors yesterday stating CA wasn't enabled on our servers. We have always used 3rd party CAs to my knowledge.
>
> -justen
>
> On Wed, Apr 12, 2023 at 2:42 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
> Justen Long via FreeIPA-users wrote:
> > Thanks in advance for your replies.. I've spent 7 hours looking through posts here and trying everything... I'm stuck.
> >
> > Background: I am a System Administrator in a closed, classified environment. Unfortunately, I cannot post logging here, but I can refer to it as needed.
> >
> > I inherited this system from someone who departed the program a year or so ago. Fast forward to today, the server certs expired yesterday. Admittedly, I'm unfamiliar (or was) with the certificate update process for IPA servers. On a typical server, we replace the old cert and restart the httpd services; however, I realize this cannot work with IPA servers now.
> >
> > Additionally to all of this, the CA chain updated 6 months ago.
> >
> > I ran ipa-cacert-manage to update the CA chain. When trying to run ipa-certupdate, I received errors for an invalid server certificate (it expired on 11 April 2023). It simply won't connect to the web server. HTTPD failed as well, so I had to add "NSSEnforceValidCerts off" to the nss.conf file for HTTPD to start. Still, no dice.
> >
> > I've run ipa-server-certinstall for the new cert/key as well, and it fails saying it's not trusted ("Peer's certificate issuer is not trusted [certutil: certificate is invalid: Peer's Certificate issuer is not recognized] Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate")... which, as reported above, can't complete.
> >
> > I'm at a total loss here... and really struggling being new to all this and trying my best to keep it afloat. Any help would be GREATLY appreciated!
>
> Let's gather some information first.
>
> What version of IPA is this, on what distribution?
>
> IPA designates one server to be the "renewal master" which handles the renewals. The output of `ipa config-show` should tell you (depending on version). That's the server you want to work on.
>
> How many servers in your topology and how many have a CA installed?
>
> Does `getcert list` show a set of 8-10 tracked certificates? What are the states?
>
> You mention ipa-server-certinstall. Are you using 3rd party certificates in addition to IPA CA-issued certificates or was that just an attempt to get things working again?
>
> rob
>
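The workaround Rob describes above (roll the clock back to a date on which the certificates were still valid, run the update commands, then return to the present) needs one input the thread never spells out: which date is safe. The following is an added example, not part of the thread and not FreeIPA's own code. It reads PEM or DER certificates with nothing but the Python standard library (an isolated host may not have the `cryptography` package), pulls notBefore/notAfter out of the DER TBSCertificate, intersects the windows of every cert you pass in, and suggests a target clock setting one day before the earliest expiry. All function names are my own, and the two certificates in the demo are constructed, unsigned stand-ins that only carry the fields the parser walks; on a real server you would feed it files such as /etc/ipa/ca.crt and the HTTP server certificate.

```python
"""Pick a clock setting at which a set of X.509 certificates are all valid.
Stdlib only: the validity window is read straight out of the DER TBSCertificate
(version, serialNumber, signature, issuer, validity, ...)."""
import base64
import datetime as dt
import re

UTC = dt.timezone.utc
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def utc(year, month, day, hour=0):
    return dt.datetime(year, month, day, hour, tzinfo=UTC)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50..99 => 19xx
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes for a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    (t1, v1), (t2, v2) = _children(fields[3][1])   # validity follows serial, signature, issuer
    return _parse_time(t1, v1), _parse_time(t2, v2)


def load_certs(data):
    """Accept a PEM bundle (any number of certs) or one raw DER blob."""
    pems = PEM_RE.findall(data)
    return [base64.b64decode(b"".join(p.split())) for p in pems] if pems else [data]


def common_window(ders):
    """Intersect all validity windows -> (latest notBefore, earliest notAfter)."""
    windows = [cert_validity(d) for d in ders]
    start, end = max(w[0] for w in windows), min(w[1] for w in windows)
    if start >= end:
        raise ValueError("no instant at which every certificate is valid")
    return start, end


def suggest_clock(ders, now, margin=dt.timedelta(days=1)):
    """None if every cert is valid at `now`; otherwise a time to set the clock to,
    `margin` before the earliest expiry but never before the latest notBefore."""
    start, end = common_window(ders)
    if start <= now <= end:
        return None
    return max(end - margin, start)


# Constructed test data (NOT real certificates): unsigned stand-ins carrying only
# the TBS fields the parser walks, so the example runs offline.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def fake_cert(not_before, not_after, serial=1):
    utc_time = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                  # [0] version: v3
           + _tlv(0x02, bytes([serial]))                     # serialNumber
           + _tlv(0x30, b"") + _tlv(0x30, b"")               # signature, issuer (placeholders)
           + _tlv(0x30, utc_time(not_before) + utc_time(not_after)))  # validity
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Mirrors the thread: server cert expired 11 April 2023, CA still good, today is 13 April.
    bundle = to_pem(fake_cert(utc(2022, 4, 11), utc(2023, 4, 11), serial=2)) \
        + to_pem(fake_cert(utc(2020, 1, 1), utc(2030, 1, 1), serial=1))
    ders = load_certs(bundle)
    for d in ders:
        print("valid %s .. %s" % cert_validity(d))
    target = suggest_clock(ders, utc(2023, 4, 13, 12))
    if target:
        print(f"timedatectl set-ntp false && timedatectl set-time '{target:%Y-%m-%d %H:%M:%S}'")
```

Two caveats go with the suggested command. First, `timedatectl set-time` refuses to change the clock while automatic time synchronization is enabled, and a bare `date -s` is simply corrected again a moment later by chronyd or ntpd, which is the behaviour reported above; disable synchronization (or stop the time daemon) first and re-enable it once the certificates are in place. Second, Kerberos tolerates only a few minutes of clock skew (the `clockskew` setting, 300 seconds by default), so the KDC, 389-ds, httpd and the host you run `kinit` on all have to agree on the time, both while the clock is rolled back and again after it is restored; a `kinit` that fails right after the clock moves is the first thing to check against that.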