Serge Krawczenko wrote:
Great, Rob
I've gotten nearly everything, just a couple of minor clarifications:
You're running into issue
https://pagure.io/freeipa/issue/8600 which was
fixed in 4.9+ so you don't have it. You'll need to work around it in the
ipa_cert_fix.py code.
Florence mentioned nsSSLPersonalitySSL: Server-Cert
which is present in dse.ldif.
How should this be modified prior to adjusting ipa_cert_fix.py?
Did you also replace the 389-ds certs with LE-provided certs? If not
then there is nothing special to do. Otherwise you'll need to modify
code to skip past the dirsrv cert as well.
> I've even exported "Server-Cert cert-pki-ca"
off the
/etc/pki/pki-tomcat
> alias and imported into
> /etc/httpd/alias using pk12util
I wouldn't recommend doing that. Two different certs for two different
purposes. It probably retained the nickname, including cert-pki-ca.
Thanks, removed.
You'll need to manually make a change in
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to not renew by
serial.
You'll find this section of code around line 200:
    args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
             "--cafile", paths.IPA_CA_CRT,
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
            ['--submit-option', "requestor_name=IPA"])
add:
args += ['-N']
I'd recommend making this change first, then modify ipa-cert-fix to not
check for the Apache Server-Cert and that may do it.
Done. Should certmonger service or whatever else be restarted after this
change (dogtag-ipa-ca-renew-agent-submit)?
You shouldn't need to restart certmonger.
rob
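The edit Rob describes above (appending '-N' to the argument list that /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit builds for dogtag-ipa-renew-agent-submit) is easy to apply by hand but just as easy to apply twice or to break the script's syntax. The following script is an added example written for this thread; it is not FreeIPA or certmonger code. It locates the `args = (...)` assignment by balancing parentheses rather than trusting the "around line 200" hint, inserts `args += ['-N']` once with matching indentation, refuses to apply the change twice, keeps a `.orig` backup and syntax-checks the result before writing. The sample helper text embedded below is constructed for the self-test and only mirrors the six lines quoted in the thread; the real file contains more.

```python
#!/usr/bin/env python3
"""Idempotently add `args += ['-N']` after the args assignment in
certmonger's dogtag-ipa-ca-renew-agent-submit wrapper.

Added example for the mailing-list thread; not project code.
Assumptions: the wrapper is a Python script and the assignment starts
with `args = (` and ends where its parentheses balance (true for the
snippet quoted in the thread; string literals containing parentheses
would confuse the simple counter used here).
"""
import re
import shutil
import sys
from pathlib import Path

SUBMIT_HELPER = Path("/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit")
PATCH_LINE = "args += ['-N']"

# Constructed stand-in for the relevant part of the wrapper (for the self-test).
SAMPLE = '''\
import sys
from ipaplatform.paths import paths

def main():
    args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
             "--cafile", paths.IPA_CA_CRT,
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
            ['--submit-option', "requestor_name=IPA"])
    return args
'''


def add_force_new(text: str) -> tuple:
    """Return (new_text, changed). Inserts PATCH_LINE directly after the
    `args = (...)` assignment with the same indentation. Idempotent."""
    lines = text.splitlines(keepends=True)
    if any(line.strip() == PATCH_LINE for line in lines):
        return text, False          # already patched, nothing to do
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        out.append(line)
        m = re.match(r"^(\s*)args = \(", line)
        if m:
            indent = m.group(1)
            depth = line.count("(") - line.count(")")
            # Copy continuation lines until the opening '(' is closed.
            while depth > 0 and i + 1 < len(lines):
                i += 1
                line = lines[i]
                out.append(line)
                depth += line.count("(") - line.count(")")
            out.append(f"{indent}{PATCH_LINE}\n")
        i += 1
    new_text = "".join(out)
    return new_text, new_text != text


def check_syntax(text: str, filename: str = "<patched>") -> bool:
    """True if the patched text still compiles (no execution, just a parse)."""
    try:
        compile(text, filename, "exec")
        return True
    except SyntaxError:
        return False


def patch_file(path: Path = SUBMIT_HELPER, dry_run: bool = False) -> bool:
    """Apply the change to `path`, keeping `<name>.orig`. Returns True if
    the file was (or, in dry_run, would be) modified."""
    text = path.read_text()
    new_text, changed = add_force_new(text)
    if not changed:
        return False
    if not check_syntax(new_text, str(path)):
        raise RuntimeError(f"refusing to write {path}: patched file fails to compile")
    if not dry_run:
        shutil.copy2(path, path.with_name(path.name + ".orig"))
        path.write_text(new_text)   # rewrites in place, mode bits preserved
    return True


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else SUBMIT_HELPER
    print("patched" if patch_file(target) else "already patched / no change")
```

Run it as root with no arguments to patch the live wrapper, or pass a copy of the file to try it first. As Rob notes, certmonger does not need to be restarted afterwards: the wrapper is a separate program that certmonger executes on each renewal attempt.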