Hello, list,
Our FreeIPA is 4.9.8 and the domain is wingon.hk. Initially, we installed an external CA and certificates by following this link: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP and it works fine.
The certificate expired on Aug 03 22:16:17 2023. We want to replace the certificate of HTTP only, because unlike the mod_nss NSSDB it's easy to install by placing two files, the PEM and the key. And we plan to replace the external certificate of dirsrv with a self-signed one.
=== httpd ===
# certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

WINGON.HK IPA CA                                             CT,C,C
Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc.   CT,C,C
Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc.   CT,C,C
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   CT,C,C
Server-Cert                                                  u,u,u

# certutil -d /etc/httpd/alias/ -n Server-Cert -L
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:5c:79:e8:d9:7d:6a:b4
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Validity:
            Not Before: Sat Jul 02 22:16:17 2022
            Not After : Thu Aug 03 22:16:17 2023
        Subject: "CN=*.wingon.hk"
====
So is the Server-Cert of HTTP used? It does not matter, because we can still log in on the web, because we replaced the cert and key already. Can we remove this one?
====== dirsrv =============== ===============> /etc/dirsrv/slapd-WINGON-HK/
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=*.wingon.hk                                               u,u,u
WINGON.HK IPA CA                                             CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US   C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com%5C, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,

# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L -n 'CN=*.wingon.hk'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:5c:79:e8:d9:7d:6a:b4
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Validity:
            Not Before: Sat Jul 02 22:16:17 2022
            Not After : Thu Aug 03 22:16:17 2023
        Subject: "CN=*.wingon.hk"
=========
As you can see, it's expired already. How can I replace this with a self-signed one?
I used

certutil -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n Server-Cert -D
ipa-getcert request -d /etc/dirsrv/slapd-WINGON-HK/ -n 'CN=*.wingon.hk' -K ldap/`hostname` -N CN=`hostname`,O=WINGON.HK -g 2048 -p /etc/dirsrv/slapd-WINGON-HK/pwdfile.txt

But it failed. Thanks for your help.
I installed a new IPA with a self-signed CA and certificates. I didn't find anything related to NSSDB under /etc/http/alias.
So they're no longer used? Right? All are within the PEM and key specified in ssl.conf:
===
SSLCertificateFile /var/lib/ipa/certs/httpd.crt
SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
SSLCACertificateFile /etc/ipa/ca.crt
===
OK.
1. certutil of httpd isn't used any more. Its certificate is tracked by certmonger. Just change the settings of ssl.conf to the default (self-signed) or our own.
2. Set the system date/time to before August 3 and restart services.
3. Run ipa-getcert request -d /etc/dirsrv/slapd-WINGON-HK/ -n 'CN=*.wingon.hk' -K ldap/`hostname` -N CN=`hostname`,O=WINGON.HK -g 2048 -p /etc/dirsrv/slapd-WINGON-HK/pwdfile.txt
4. getcert list / certutil -d /etc/dirsrv/s... -L
5. ipactl restart -f -d
Problem is solved. Thanks.
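An added check for the situation in this thread, written for this page and not taken from the posts or from FreeIPA itself: it parses the `certutil -d <dbdir> -L` listing and the `certutil -d <dbdir> -L -n <nickname>` detail output shown above and reports which entries are expired or about to expire, so an expiry like the Aug 03 2023 one here is noticed before the LDAP server's own certificate stops working. The sample listing and detail text below are constructed from the output posted in the thread; reading certutil's timestamps as UTC is an assumption (certutil prints no zone), and `run_certutil` simply shells out to the real tool on a live host.

```python
"""Audit an NSS certificate database (httpd or dirsrv) for expired entries."""
import re
import subprocess
from datetime import datetime, timezone

# Every certificate line of `certutil -L` ends in a trust-flag triple
# (SSL,S/MIME,JAR/XPI), e.g. "CT,C,C", "u,u,u" or "C,,".  Nicknames may
# contain spaces, so each line is split once from the right.
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")
# certutil prints validity timestamps like "Thu Aug 03 22:16:17 2023".
DATE_RE = r"([A-Za-z]{3} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})"
DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Date of the thread, used as "now" for the offline sample run.
THREAD_DATE = datetime(2023, 8, 7, tzinfo=timezone.utc)


def parse_listing(text):
    """Return [(nickname, trust_flags), ...] from `certutil -L` output."""
    certs = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs.append((parts[0].strip(), parts[1]))
    return certs


def parse_validity(text):
    """Return (not_before, not_after) from `certutil -L -n <nick>` output.

    Assumption: the timestamps are interpreted as UTC.
    """
    def grab(label):
        m = re.search(label + r"\s*:\s*" + DATE_RE, text)
        if not m:
            raise ValueError("no '%s' in certutil output" % label)
        return datetime.strptime(m.group(1), DATE_FMT).replace(tzinfo=timezone.utc)
    return grab("Not Before"), grab("Not After")


def cert_status(detail_text, now, warn_days=30):
    """Classify one certificate; returns (status, whole days until Not After)."""
    not_before, not_after = parse_validity(detail_text)
    remaining = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", remaining
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def audit(listing_text, details, now, warn_days=30):
    """Join the DB listing with per-nickname detail output.

    `details` maps nickname -> `certutil -L -n <nickname>` output; entries
    without detail text (e.g. CA certs that were not fetched) are "unknown".
    """
    report = []
    for nick, trust in parse_listing(listing_text):
        if nick in details:
            status, days = cert_status(details[nick], now, warn_days)
        else:
            status, days = "unknown", None
        report.append((nick, trust, status, days))
    return report


def run_certutil(dbdir, nickname=None):
    """Fetch live output from the real certutil (not used by the sample run)."""
    cmd = ["certutil", "-d", dbdir, "-L"]
    if nickname:
        cmd += ["-n", nickname]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample input, trimmed from the httpd NSS DB listing in the thread.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

WINGON.HK IPA CA                                             CT,C,C
Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc.   CT,C,C
Server-Cert                                                  u,u,u
"""

# Constructed sample detail output for the Server-Cert entry (as in the thread).
SAMPLE_DETAIL = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Go Daddy Secure Certificate Authority - G2,O=GoDaddy.com, Inc.,C=US"
        Validity:
            Not Before: Sat Jul 02 22:16:17 2022
            Not After : Thu Aug 03 22:16:17 2023
        Subject: "CN=*.wingon.hk"
"""

if __name__ == "__main__":
    # On a live host: run_certutil("/etc/dirsrv/slapd-WINGON-HK/") and
    # run_certutil(dbdir, nick) for each nickname of interest.
    for nick, trust, status, days in audit(SAMPLE_LISTING, {"Server-Cert": SAMPLE_DETAIL}, THREAD_DATE):
        print("%-64s %-8s %-13s %s" % (nick, trust, status, "" if days is None else days))
```

Point it at both NSS databases from the thread (the dirsrv one under /etc/dirsrv/slapd-*/, and /etc/httpd/alias only on releases that still use mod_nss there); a scheduled run with a 30-day warning window is what would have flagged this certificate in early July.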
Hi,
On Mon, Aug 7, 2023 at 4:17 AM luckydog xf via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I installed a new IPA with a self-signed CA and certificates. I didn't find anything related to NSSDB under /etc/http/alias.
FreeIPA uses NSS for httpd up to version 4.6 (the server certificate is stored in /etc/httpd/alias), but version 4.7+ uses SSL (the server certificate is stored in /var/lib/ipa/certs/httpd.crt). You can have a look at the release notes for 4.7 here: https://www.freeipa.org/page/Releases/4.7.0.html.
Hope this clarifies,
flo
So they're no longer used? Right? All are within the PEM and key specified in the ssl.conf
SSLCertificateFile /var/lib/ipa/certs/httpd.crt
SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
SSLCACertificateFile /etc/ipa/ca.crt
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue