On Thu, Apr 13, 2023 at 1:40 PM Rob Crittenden <rcritten@redhat.com> wrote:

Justen Long wrote:
> I'm getting closer... it's not recognizing my admin password for IPA, or
> for my personal account with admin rights now.. but no more SSL errors..
> just can't run ipa-certupdate without the proper kerberos creds..

By not recognizing your password I assume you mean kinit is failing? Is
the KDC running? I assume 389-ds is running? All restarted after time
became stable in the past?

rob

>
> On Thu, Apr 13, 2023 at 12:51 PM Justen Long <mr.justenlong@gmail.com
> <mailto:mr.justenlong@gmail.com>> wrote:
>
> Following up, I see the date command just changed it momentarily...
> using timedatectl and will report back.
>
> On Thu, Apr 13, 2023 at 12:31 PM Justen Long
> <mr.justenlong@gmail.com <mailto:mr.justenlong@gmail.com>> wrote:
>
> Rob,
>
> I entered 'date --date="7 April 2023", verified it updated the
> system time appropriately. Restarted dirsrv, ipa-custodia,
> ipa-otpd, httpd.. krb5kdc and kadmin failed. Still, tried to
> send ipa cert-update, and it popped the same SSL Certificate
> Verify Failed error.
>
> On Thu, Apr 13, 2023 at 11:32 AM Rob Crittenden
> <rcritten@redhat.com <mailto:rcritten@redhat.com>> wrote:
>
> Justen Long wrote:
> > Additionally, is there any way to force the CA cert update
> to be
> > recognized? When I run it to update the CA chain,
> everything is
> > verified.. but /etc/ipa/ca.crt didn't reflect the change..
> so I manually
> > populated it by copying over the guts of the CA bundle to the
> > /etc/ipa/ca.crt before trying to install the new server
> cert and it
> > still doesn't recognize it as trusted although the issuer
> is the same
> > and within the CA bundle.
>
> This is going to sound weird, but I'd just go back in time
> to April 10,
> restart all services but ntp (which will reset the time) and
> then the
> commands should work. Once the certs are updated and
> working, return to
> present time.
>
> rob
>
> >
> > On Thu, Apr 13, 2023 at 6:20 AM Justen Long
> <mr.justenlong@gmail.com <mailto:mr.justenlong@gmail.com>
> > <mailto:mr.justenlong@gmail.com
> <mailto:mr.justenlong@gmail.com>>> wrote:
> >
> > Rob,
> >
> > Apologies for the delay in response. Once I'm home, I
> don't have
> > access to the information readily available to respond
> with. Here is
> > the information you requested:
> >
> > The version of IPA we are using is 4.6.8, rpm
> specifically for us is
> > ipa-server-4.6.8-5.el7.centos.12.x86_64 and we are
> using CentOS 7.9
> > currently with plans to move to RHEL9 within the next
> year or so.
> >
> > Unfortunately, 'ipa config-show' doesn't work. It
> populates the same
> > error stating "ipa: ERROR: cannot connect to
> > 'https://ipaServer/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED]
> > certificate verify failed (_ssl.c:618).
>
> The smack heard around the world was my head hitting my
> desk. Of course
> this command failed.
>
> >
> > We have ~50 hosts connected via IPA. We have two IPA
> servers, one as
> > a replica of the other.
> >
> > 'getcert list' only shows 1 certificate. It's state is
> "MONITORING"
> > and seems related to kerberos.
> >
> > As far as I know, we don't use IPA CA-issued
> certificates. I recall
> > seeing errors yesterday stating CA wasn't enabled on
> our servers. We
> > have always used 3rd party CAs to my knowledge.
> >
> > -justen
> >
> > On Wed, Apr 12, 2023 at 2:42 PM Rob Crittenden
> <rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>> wrote:
> >
> > Justen Long via FreeIPA-users wrote:
> > > Thanks in advance for your replies.. I've spent
> 7 hours
> > looking through posts here and trying
> everything... I'm stuck.
> > >
> > > Background: I am a System Administrator in a closed,
> > classified environment. Unfortunately, I cannot
> post logging
> > here, but I can refer to them as needed.
> > >
> > > I inherited this system from someone who
> departed the program
> > a year or so ago. Fast forward to today, the
> server certs
> > expired yesterday. Admittedly, I'm unfamiliar (or
> was) with the
> > certificate update process for IPA servers. On a
> typical server,
> > we replace the old cert and restart the httpd
> services; however,
> > I realize this cannot work with IPA servers now.
> > >
> > > Additionally to all of this, the CA chain
> updated 6 months ago.
> > >
> > > I ran ipa-cacert-manage to update the CA chain.
> When trying to
> > run ipa-certupdate, I received errors for an
> invalid server
> > certificate (it expired on 11 April 2023). It
> simply won't
> > connect to the web server. HTTPD failed as well,
> so I had to add
> > "NSSEnforceValidCerts off" to the nss.conf file
> for HTTPD to
> > start. Still, no dice.
> > >
> > > I've ran ipa-server-certinstall for the new
> cert/key as well,
> > and it fails saying its not trusted ("Peer's
> certificate issuer
> > is not trusted [certutil: certificate is invalid:
> Peer's
> > Certificate issuer is not recognized] Please run
> > ipa-cacert-manage install and ipa-certupdate to
> install the CA
> > certificate.... which, as reported above, can't
> complete.
> > >
> > > I'm at a total loss here... and really
> struggling being new to
> > all this and trying my best to keep it afloat. Any
> help would be
> > GREATLY appreciated!
> >
> > Let's gather some information first.
> >
> > What version of IPA is this, on what distribution?
> >
> > IPA designates one server to be the "renewal
> master" which
> > handles the
> > renewals. The output of `ipa config-show` should
> tell you
> > (depending on
> > version). That's the server you want to work on.
> >
> > How many servers in your topology and how many
> have a CA installed?
> >
> > Does `getcert list` show a set of 8-10 tracked
> certificates?
> > What are
> > the states?
> >
> > You mention ipa-server-certinstall. Are you using
> 3rd party
> > certificates
> > in addition to IPA CA-issued certificates or was
> that just an
> > attempt to
> > get things working again?
> >
> > rob
> >
>