Greetings. Like many, I had to track down and remove certs that expired on May 30. I
inherited a freeIPA cluster of 3 machines, and have been working on the first. But I am
having problems obtaining and applying replacement certs. Here is the scenario:
* In March 2019, a senior engineer applied a chain of certs. He was transitioning from
self-signed certs to valid external certs. This included a CAroot and two intermediates.
His final concerns were "AddTrustExternalCARoot" and
"USERTrustRSAAddTrustCA", and an item from InCommon.
* On May 30, the CAroot and one intermediate ("USERTrust") expired. He seemed to
have approached a vendor directly for those, but that vendor would not confirm because I
am not on their contact list. I had to seek replacements from a school department. (They
do not provide support for end-uses like freeIPA.)
* This week, I have been trying to find and remove the SSL certs from the first of the
freeIPA systems. I believe I removed them all (using certutil and ldapdelete).
* I have been trying to install certs provided by that department. During the time the
expired certs were lingering in some places, I was able to run ipa-certupdate after a
"ipa-cacert-manage install" attempt. However, now, after my removal of expired
items, I get error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:618)"
* The three items provided by the other department don't seem to work. I had taken the
steps below.
  - Since I'm using freeIPA, and prior instructions denoted .crt, I convert each with:
    openssl x509 -inform PEM -in <certname>.cer -out <certname>.crt
  - I had tried to use each option separately: 1) "Certificate only, PEM encoded",
    2) "Root/Intermediate(s) only, PEM encoded", and 3) "Intermediate(s)/Root only,
    PEM encoded". Results were:
      ipa-cacert-manage install succeeded against #2
      ipa-cacert-manage install failed against #3: "Peer's Certificate issuer is
      not recognized."
      ipa-server-certinstall failed against #1: "The full certificate chain is not
      present in <freeipa_server>.crt, <freeipa_server>.crt.key"
  - I then tried to substitute another option later in email, "Certificate (w/ chain),
    PEM encoded." Result was:
      ipa-server-certinstall failed: "No matching certificate found for private key
      from <freeipa_server>.crt.key"
Is it possible the certs provided were incomplete, and that I need to track down something
somewhere? Or did I misinterpret the use of what was provided? Is there a missing piece to
consider? I appreciate any leads.
All:
I realized that multiple items were included in the department submission, and that I
needed to break them into separate files. For a root and two intermediates,
ipa-cacert-manage install succeeds on each.
However, I still get an error from ipa-certupdate:
"Connection to https://<freeIPA_server>/ipa/json failed with [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)"
Any thoughts?
Finally got the freeIPA web console up. One key was discovering the chain had to be
re-assembled in a file prior to running ipa-server-certinstall. I still can't run
"ipa-certupdate", however.
Error:
Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor
(39756044): Credential cache is empty
The ipa-certupdate command failed.
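The two steps that turned out to matter in the second and third messages (splitting the department's bundle into one file per certificate, then re-assembling the chain in the order ipa-server-certinstall expects: server certificate first, then intermediate(s), then root) are shown here as an added POSIX shell example. It is not part of the original thread and is not FreeIPA's own tooling. It assumes the bundle is a PEM file with the certificates concatenated in root, intermediate, server order; the three placeholder blocks in make_sample_bundle are constructed stand-ins, not real certificates, and file names such as bundle.pem and chain.pem are assumptions. openssl is used only by the optional verify and summary helpers.

```shell
#!/bin/sh
# Added example (not from the thread): split a PEM bundle, rebuild the chain
# in leaf-first order, and optionally check it with openssl.

# split_pem_bundle BUNDLE OUTDIR
# Writes each certificate in BUNDLE to OUTDIR/cert-NN.pem, keeping bundle order,
# and prints the number of certificates found. Text outside BEGIN/END markers
# (blank lines, "Bag Attributes", comments) is dropped.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# assemble_chain OUT LEAF INTERMEDIATE... ROOT
# Concatenates the given files, in the order given, into OUT and prints how
# many certificates OUT now holds. Pass the server (leaf) certificate first,
# then each intermediate, then the root; that is the order a chain file should
# have before it is handed to ipa-server-certinstall.
assemble_chain() {
    out="$1"
    shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
    done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# cert_summary FILE...
# Prints subject, issuer and expiry for each certificate file, which is the
# quickest way to spot an expired intermediate still sitting in a bundle.
cert_summary() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    for f in "$@"; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -enddate -in "$f"
    done
}

# verify_chain LEAF INTERMEDIATES ROOT
# Checks that LEAF chains to ROOT via the certificates in INTERMEDIATES.
# A failure here reproduces the "issuer is not recognized" class of error
# before any IPA command is run.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# make_sample_bundle FILE
# Constructed placeholder bundle (root, intermediate, server) used only so the
# example runs offline; the payloads are not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTIFICATE
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
PLACEHOLDERSERVERCERTIFICATE
-----END CERTIFICATE-----
EOF
}

# Demonstration run on the constructed bundle.
workdir=$(mktemp -d)
make_sample_bundle "$workdir/bundle.pem"
count=$(split_pem_bundle "$workdir/bundle.pem" "$workdir/split")
echo "bundle contained $count certificate(s); files:"
ls "$workdir/split"
# Reverse the bundle order so the leaf comes first, then intermediate, then root.
total=$(assemble_chain "$workdir/chain.pem" \
    "$workdir/split/cert-03.pem" "$workdir/split/cert-02.pem" "$workdir/split/cert-01.pem")
echo "chain.pem holds $total certificate(s), leaf first"
```

With real certificates, run cert_summary over the split files to confirm none of them is the expired USERTrust or AddTrust issuer, and verify_chain with the server certificate, the intermediate file(s) and the root before calling ipa-server-certinstall on chain.pem and its key. The separate GSS error in the last message ("Credential cache is empty") is unrelated to the certificate files: ipa-certupdate talks to the IPA API with a Kerberos ticket, so an admin principal has to kinit first; klist -s exits non-zero when no valid ticket is cached, which makes it a cheap pre-check in a script.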