On 10/10/2017 04:31 PM, Rob Crittenden wrote:
> Josh wrote:
> > Greetings to all,
> >
> > A follow up on
> >
> > https://www.redhat.com/archives/freeipa-users/2017-January/msg00051.html
> >
> > I missed the expiration date and now the ipa-certupdate command fails with SSL:
> > CERTIFICATE_VERIFY_FAILED.
> >
> > Should I update the httpd certificate manually, or is there a workaround to
> > allow ipa-certupdate to proceed?
> You could try going back in time when the certs are still valid to try
> the certupdate.
I really don't like doing that...
> Or manually updating the certs could work too.
Let me describe all the steps I did because I could not find any good
description in chapter 26 here
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
1. generate a CSR (subject and key are taken from the nickname of the existing
server certificate, the only u,u,u entry in the httpd NSS database)
$ sudo certutil -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt -R \
    -s "$(sudo certutil -d /etc/httpd/alias -L | grep u,u,u | cut -f 1 -d' ')" \
    -k "$(sudo certutil -d /etc/httpd/alias -L | grep u,u,u | cut -f 1 -d' ')" \
    -a -o my.csr
2. submit my.csr to external certificate authority and acquire server
certificate and certificate chain (bundle).
3. break the bundle into individual certificates and install them one by one,
starting from the last one in the bundle and moving to the first:
$ ipa-cacert-manage install last.pem
$ ipa-cacert-manage install last-1.pem
$ ipa-cacert-manage install last-2.pem
At this point the ipa-certupdate command is needed, but it can't run because
the existing server certificate has expired. Skip #4 if the existing one is still valid.
4. install the intermediate certificates manually (nickname = certificate subject)
$ sudo certutil -d /etc/httpd/alias -A -i last.pem \
    -n "$(openssl x509 -in last.pem -text -noout | grep Subject: | sed -e 's/.*Subject: \(.*\)/\1/')" \
    -t C,,
$ sudo certutil -d /etc/httpd/alias -A -i last-1.pem \
    -n "$(openssl x509 -in last-1.pem -text -noout | grep Subject: | sed -e 's/.*Subject: \(.*\)/\1/')" \
    -t C,,
$ sudo certutil -d /etc/httpd/alias -A -i last-2.pem \
    -n "$(openssl x509 -in last-2.pem -text -noout | grep Subject: | sed -e 's/.*Subject: \(.*\)/\1/')" \
    -t C,,
4.1 take a note of the server certificate nickname (NICK below) as output by
$ NICK=$(sudo certutil -d /etc/httpd/alias -L | grep u,u,u | cut -f 1 -d' ')
4.2 delete the old server certificate
$ sudo certutil -d /etc/httpd/alias -D -n "$NICK"
4.3 install the new one
$ sudo certutil -d /etc/httpd/alias -A -i servercert.pem -n "$NICK" -t u,u,u
4.4 restart httpd to pick up the new certificate
$ sudo systemctl restart httpd
5. Run ipa-certupdate (on all the servers and clients) to propagate all
CA bundle certificates.
*Question*:
How am I supposed to use
$ sudo ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
as described in
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
since ssl.key has never been extracted out of the credential store and is
technically not needed at all, as shown in #4 above?
Regards,
Josh.
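A worked helper for step 3 above, added here as an example; it is not part of Josh's message and not FreeIPA's own tooling. It splits a PEM bundle into its certificates, orders them by issuer/subject links so the self-signed root comes first, names them last.pem, last-1.pem, ... in the order the step installs them, and flags any entry whose notAfter has already passed (the thread's failure came from an expired server certificate, and an expired intermediate in the chain would bite in the same way). It uses only the Python standard library, so certificates are read by a small DER walker rather than by openssl or certutil. Everything in the sample is constructed for the demo: the CA names (Example Root CA, Example Intermediate CA 1/2), the dates, and the fake_cert builder, which produces structurally valid but unsigned certificates, enough for ordering and expiry checks and nothing else.

```python
import base64
import datetime as dt
import re
# Constructed helper for step 3 (not from the thread): split a PEM bundle, order it
# root-first by issuer/subject links and flag expired entries, with a minimal DER
# walker in place of openssl/certutil. The sample bundle at the bottom is made up.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"                            # id-at-commonName (2.5.4.3)
AS_OF = dt.datetime(2017, 10, 10, tzinfo=dt.timezone.utc)   # "now" for the demo run

def split_bundle(pem_text):
    """Return the individual PEM blocks of a bundle, in the order they appear."""
    return ["-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % m.group(1).strip()
            for m in PEM_RE.finditer(pem_text)]

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0                            # every TLV inside a constructed value
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def common_name(name):
    for _, rdn in _children(name):              # Name = SEQUENCE OF SET OF (OID, value)
        for _, attr in _children(rdn):
            oid, val = _children(attr)[:2]
            if oid[1] == OID_COMMON_NAME:
                return val[1].decode("utf-8", "replace")
    return "<no CN>"

def parse_cert(der):
    """Return (issuer, subject, notAfter) of a DER certificate; names as raw bytes."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                    # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, stamp = _children(validity)[1]         # second Time is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    not_after = dt.datetime.strptime(stamp.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)
    return issuer, subject, not_after

def order_chain(pems):
    """Order PEM blocks leaf -> root by following issuer links; stops if the root is missing."""
    infos = []
    for pem in pems:
        issuer, subject, not_after = parse_cert(base64.b64decode("".join(pem.splitlines()[1:-1])))
        infos.append({"pem": pem, "issuer": issuer, "subject": subject, "not_after": not_after})
    issued = {i["issuer"] for i in infos if i["issuer"] != i["subject"]}
    chain = [next(i for i in infos if i["subject"] not in issued)]   # nobody's issuer = leaf
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        parent = next((i for i in infos if i["subject"] == chain[-1]["issuer"]), None)
        if parent is None:
            break                               # bundle does not reach a self-signed root
        chain.append(parent)
    return chain

def install_plan(bundle_text, now=None):
    """Root-first install order with the thread's file names, plus an expiry flag."""
    now = now or dt.datetime.now(dt.timezone.utc)
    plan = []
    for depth, info in enumerate(reversed(order_chain(split_bundle(bundle_text)))):
        plan.append({"file": "last.pem" if depth == 0 else "last-%d.pem" % depth,
                     "cn": common_name(info["subject"]),
                     "expired": info["not_after"] < now,
                     "pem": info["pem"]})
    return plan

def _der(tag, content):
    n = len(content)                            # DER encoder for the stand-in certificates
    lbytes = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lbytes)]) + lbytes + content

def fake_cert(subject, issuer, not_after):
    """Constructed X.509 layout with empty signature fields: for ordering/expiry demos only."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name(issuer) + validity + name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()

# Sample bundle, deliberately out of order: lowest intermediate (expired), root, upper intermediate.
SAMPLE_BUNDLE = (fake_cert("Example Intermediate CA 2", "Example Intermediate CA 1", dt.datetime(2017, 9, 1, tzinfo=dt.timezone.utc))
                 + fake_cert("Example Root CA", "Example Root CA", dt.datetime(2027, 9, 1, tzinfo=dt.timezone.utc))
                 + fake_cert("Example Intermediate CA 1", "Example Root CA", dt.datetime(2027, 9, 1, tzinfo=dt.timezone.utc)))
if __name__ == "__main__":
    for entry in install_plan(SAMPLE_BUNDLE, now=AS_OF):
        print("%-10s %-26s %s" % (entry["file"], entry["cn"], "EXPIRED" if entry["expired"] else "ok"))
```

Run as a script it prints the plan for the sample bundle; on a real bundle, write each entry's "pem" field to the named file and feed the files to ipa-cacert-manage install in the listed order, skipping nothing that is flagged EXPIRED without first asking the CA for a current chain. If a bundle also carries the server certificate itself, it comes out last in the plan and is the servercert.pem of step 4.3, not a CA certificate.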