I'm putting this out there to help others if they need it, but be wary as the
following caveats apply:
1. I am not an expert in FreeIPA. Make a backup or snapshot if possible. For nssdb
stuff, you can just tar up those directories for a backup before munging the data in
there.
2. I'm not 100% sure on the order, as I've been doing this repair over the last few days.
3. There could be extra steps that are unnecessary
4. I'm on 4.6.5, so no cool new CA tools are available.
Here are my final steps that worked:
1. On all IPA servers, add new wildcard cert
ipa-server-certinstall -v -w -d certificate.key certificate_bundle_with_servercert.pem
ipa-cacert-manage renew --external-cert-file certificate_bundle_with_servercert.cer --external-cert-file locate_ca.pem (I'm not sure this did anything)
2. On all IPA servers, clean up all nss cache files by hand (so as not to delete the wrong cert)
a. List the contents of each nssdb:
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/pki/pki-tomcat/alias
certutil -L -d /etc/dirsrv/slapd-DOM-EXAMPLE-COM
certutil -L -d /etc/ipa/nssdb
b. Delete all but the *.lids and the DOM.EXAMPLE.COM entries and any internal CAs like "Server-Cert cert-pki-ca":
certutil -D -d /etc/httpd/alias -n "CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US"
certutil -D -d /etc/pki/pki-tomcat/alias -n "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"
etc.
3. On all IPA servers, add in the 3 certs for the new path C chain. They're named locally as c1, c2 and c3.pem: Comodo, InCommon, USERTrust. I scripted it to take $1 as the nssdb path and ran it against each of the above nssdb caches:
certutil -A -d $1 -i c1.pem -n "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services" -t "C,,"
certutil -A -d $1 -i c2.pem -n "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority" -t "C,,"
certutil -A -d $1 -i c3.pem -n "C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA" -t "C,,"
4. On all IPA servers, update the /etc/ipa/ca.crt with the chain by hand
5. On all IPA servers, restart IPA client
a. ipasvc restart
6. On just one server, remove the CAs from LDAP itself (the change gets replicated to the other 389ds servers).
a. Get the DNs:
ldapsearch -x -o ldif-wrap=no -b dc=dom,dc=example,dc=com "(objectClass=ipaCertificate)" | grep dn:
b. Run the ldapdelete command on each (3 different CAs in my case):
ldapdelete -x -D 'cn=directory manager' -W "cn=CN\3DInCommon RSA Server CA\2COU\3DInCommon\2CO\3DInternet2\2CL\3DAnn Arbor\2CST\3DMI\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=example,dc=com"
7. On the same server as above, add the CAs again:
a. ipa-cacert-manage -v install certificate_bundle_without_servercert.pem
8. On all IPA servers run:
a. kinit admin (or whatever admin account you're using)
b. ipa-certupdate
9. On all clients:
a. manually update /etc/ipa/ca.crt with the new chain + local CA. Same step as we did
with #5 above
b. kinit admin
c. ipa-certupdate
Good luck.
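As an added example (this is not the original poster's script, just a reconstruction of steps 2 and 3 from the commands above), here is one way to clean an nssdb and re-import the chain without deleting by hand. It assumes the realm is DOM.EXAMPLE.COM, that c1.pem, c2.pem and c3.pem sit in the current directory, and that every nickname not matching KEEP_RE is an old external CA that may go; the "Local IPA host" nickname in the keep list is an assumption, kept on purpose so the filter errs on the side of not deleting. The sample certutil -L listing is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: automate steps 2 and 3 for each
# NSS database given on the command line. Assumptions (adjust before use):
# realm DOM.EXAMPLE.COM, new chain in ./c1.pem ./c2.pem ./c3.pem (root first),
# anything not matching KEEP_RE is an old external CA. Back up (tar) the
# database directories before running this without DRY_RUN=1.
set -e

# Nicknames that must survive: the realm CA, the server cert, and the internal
# Dogtag certs. "Local IPA host" (host cert in /etc/ipa/nssdb) is an assumption.
KEEP_RE='DOM\.EXAMPLE\.COM|Server-Cert|Local IPA host|caSigningCert|subsystemCert|auditSigningCert|ocspSigningCert'

# Read `certutil -L -d <db>` output on stdin and print the nicknames that are
# safe to delete, one per line. certutil prints a header ("Certificate Nickname"
# / "SSL,S/MIME,JAR/XPI"), blank lines, then "<nickname><spaces><trust flags>".
# Nicknames may contain spaces, so the trust flags (letters and commas) are
# stripped from the end of the line instead of splitting on whitespace.
nicknames_to_delete() {
    awk 'NF > 0 && $0 !~ /Certificate Nickname/ && $0 !~ /SSL,S\/MIME,JAR\/XPI/' \
    | sed -E 's/[[:space:]]+[A-Za-z,]+[[:space:]]*$//' \
    | grep -Ev "$KEEP_RE" || true
}

# Delete the old external CAs from one database, import the new chain with the
# CA trust flag, then list the result for a visual check. DRY_RUN=1 only prints.
rechain_nssdb() {
    db="$1"
    listing=$(certutil -L -d "$db")   # fails loudly if the db is unreadable
    printf '%s\n' "$listing" | nicknames_to_delete | while IFS= read -r nick; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "DRY_RUN: would remove '$nick' from $db"
        else
            echo "removing '$nick' from $db"
            certutil -D -d "$db" -n "$nick"
        fi
    done
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    certutil -A -d "$db" -i c1.pem -t "C,," \
        -n "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
    certutil -A -d "$db" -i c2.pem -t "C,," \
        -n "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
    certutil -A -d "$db" -i c3.pem -t "C,," \
        -n "C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA"
    certutil -L -d "$db"
}

# Constructed sample of certutil -L output (not captured from a real server),
# used to exercise the filter without touching any database.
sample_certutil_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DOM.EXAMPLE.COM IPA CA                                       CT,C,C
Server-Cert                                                  u,u,u
CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,
CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US C,,
EOF
}

# Show what the filter would pick from the sample, then process the databases
# named on the command line, e.g.:
#   DRY_RUN=1 sh rechain_nssdb.sh /etc/httpd/alias /etc/pki/pki-tomcat/alias \
#       /etc/dirsrv/slapd-DOM-EXAMPLE-COM /etc/ipa/nssdb
echo "filter applied to the sample listing would delete:"
sample_certutil_listing | nicknames_to_delete
for db in "$@"; do
    rechain_nssdb "$db"
done
```

Run it with DRY_RUN=1 first and read the "would remove" lines against the certutil -L output of each database; if the filter picks up anything you want to keep, extend KEEP_RE before running it for real.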