okay, so I think you found the issue:
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
Not Before: Fri Jan 06 19:36:22 2023
Not After : Sat Jan 06 19:36:22 2024
Where's the actual location of the server certificate? Thanks,
It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
You should be able to use ipa-server-certinstall to add a renewed
certificate in a similar way that this one was added.
rob
On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
Hi,
On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
[root @ ldap01]
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT
So the httpd server cert is still valid.
Also, am I looking at the correct one here?
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/

Certificate Nickname                                              Trust Attributes
                                                                  SSL,S/MIME,JAR/XPI

APP.UAAP.MAXAR.COM IPA CA                                         CT,C,C
^^ this one is IPA CA, not the server certificate for LDAP.
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com                 C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com                 C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com                           C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com                           C,,
CN=Maxar Root CA,CN=Maxar,CN=com                                  C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US  u,u,u
[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
Not Before: Thu Feb 02 14:06:44 2023
Not After : Mon Feb 02 14:06:44 2043
Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US', but you can verify the cert name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in the entry cn=RSA,cn=encryption,cn=config in the attribute nsSSLPersonalitySSL.
For instance in my server I have:
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
modifiersName: cn=Directory Manager
modifyTimestamp: 20220121155703Z
nsSSLActivation: on
*nsSSLPersonalitySSL: Server-Cert*
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
HTH,
flo
--
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
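The check Flo and Rob walk through above, as an added shell example that is not part of the thread: it reads the nsSSLPersonalitySSL nickname from the instance's dse.ldif, hands it to certutil -L -n, and turns the "Not After" line into days until expiry so the expiring LDAP cert is caught before it lapses. It assumes GNU date for -d and NSS certutil on the host for the live check; the embedded dse.ldif fragment and certutil output are constructed samples, and the function names are my own.

```shell
# Added example (not from the thread): locate the 389-ds server certificate
# nickname the way Flo describes and turn certutil's "Not After" line into
# days until expiry. Assumes GNU date (-d); certutil only for the live check.
# Nickname from the cn=RSA,cn=encryption,cn=config entry of a dse.ldif file.
ds_cert_nickname() {
    awk 'BEGIN { RS = ""; FS = "\n" }
         tolower($1) == "dn: cn=rsa,cn=encryption,cn=config" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^nsSSLPersonalitySSL: /) { sub(/^[^:]*: /, "", $i); print $i }
         }' "$1"
}
# "Not After" value from certutil -L -n output read on stdin.
cert_not_after() { sed -n 's/^[[:space:]]*Not After *: *//p' | head -n 1; }
# Whole days from epoch-seconds $2 until certutil timestamp $1 (read as UTC).
days_until() {
    expiry=$(TZ=UTC date -d "$1" +%s) || return 1
    echo $(( (expiry - $2) / 86400 ))
}
# Live check of an instance dir such as /etc/dirsrv/slapd-EXAMPLE (placeholder);
# exit status is non-zero when fewer than $2 (default 30) days remain.
check_ds_cert() {
    inst_dir=$1; warn_days=${2:-30}
    nick=$(ds_cert_nickname "$inst_dir/dse.ldif")
    [ -n "$nick" ] || { echo "no nsSSLPersonalitySSL in $inst_dir/dse.ldif" >&2; return 2; }
    not_after=$(certutil -L -d "$inst_dir" -n "$nick" | cert_not_after)
    days=$(days_until "$not_after" "$(date +%s)") || return 2
    echo "$nick: $days days left (Not After: $not_after)"
    [ "$days" -ge "$warn_days" ]
}
# Constructed sample input modelled on the thread (not real server data).
SAMPLE_DSE='dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLActivation: on
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)'
SAMPLE_CERTUTIL='    Not Before: Fri Jan 06 19:36:22 2023
    Not After : Sat Jan 06 19:36:22 2024'
# Offline demo on the samples; "--live DIR [DAYS]" runs the real check.
if [ "${1:-}" = "--live" ]; then check_ds_cert "$2" "$3"; else
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_DSE" > "$tmp"
    nick=$(ds_cert_nickname "$tmp"); rm -f "$tmp"
    na=$(printf '%s\n' "$SAMPLE_CERTUTIL" | cert_not_after)
    echo "nickname=$nick; '$na' is $(days_until "$na" "$(date +%s)") days away"
fi
```

Run it with no arguments for the offline demo, or as `sh check.sh --live /etc/dirsrv/slapd-YOURINSTANCE 30` from cron to get a non-zero exit when fewer than 30 days remain.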