On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> Hi Florence,
>
> Thanks for the info. I will check for the ipa cert-find command and will send you the output. Actually, when I am trying to do $ kinit admin it is asking for a password. And I am not sure about the password, as I said it was set by the previous system admin.

Hi
(re-adding freeipa-users in cc)

if you do kinit -kt /etc/krb5.keytab you should also have enough permissions to perform ipa cert-find.

> And also I can see there is an nssdb directory on the server. Do you by any chance know what that is for?

There are many nssdb directories on a FreeIPA system. For instance /etc/ipa/nssdb is the NSS database used by the ipa * commands. It contains the certificates of the trusted certificate authorities. You can find more information re. NSS databases in the man page for certutil(1).

> If I have the private key on the server, how can I renew the certificate signed by IPA? Can you please provide me the steps.

If you have the private key in the $NSSDB database you just need to follow the steps provided in my first email (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/).

flo

> thanks & Regards,
> Azeem

On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 3/18/19 7:50 PM, Azim Siddiqui wrote:
     > Hi Florence,
     >
     > Thanks for your reply.
     > I am referring to the applications. For example, we have
     > Apache, haproxy, jenkins, git which use certs signed by IPA. And
     > now when I am browsing these applications' URLs, it is showing "this site
     > is not secured".
     > And originally, these certs were created by a system admin, who is not
     > working with us now. So it's getting hard for me to figure out
     > how I can create or renew the certs.
     >
     > And I don't see any files ssl.conf or nss.conf on the server.
     > The output for the getcert list command shows this:
     > getcert list
     > Number of certificates and requests being tracked: 0.
     >
     >
     > I just want to create a crt and key file signed by IPA, so that I
     > can use it for the browsers.
    Hi,

    please keep the users mailing list in cc, so that everyone can get
    involved/see the resolution.

    It is difficult to provide advice with so little information. Can you
    start by checking which certificates were already issued by FreeIPA, and
    we'll see if they are expired?

    $ kinit admin
    $ ipa cert-find

    With the full output and based on the subject you'll be able to
    identify the host or service certs that you are using for your
    applications. For each of these certs, run
    $ kinit admin
    $ ipa cert-show <serial number>
    and the output will show if the cert is expired (check the Not After
    field).

    For an expired cert, you will be able to renew the cert if you still
    have the private key. The private key location can be found by checking
    the configuration of your applications.
    For instance apache on rhel or fedora stores its config in
    /etc/httpd/conf/httpd.conf, which by default loads the modules in
    conf.modules.d/*.conf and the config files in conf.d/*.conf.

    flo
     >
     > Thanks,
     > Azeem
     >
     >
     > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <f...@redhat.com> wrote:
     >
     >     On 3/15/19 8:16 PM, Azim Siddiqui wrote:
     >      > Hi Florence,
     >      >
     >      > Hope you are doing good. I tried the way you said. But
     >      > still, it is showing the certificate is expired.
     >      >
     >      > Let me be more clear about it.
     >      >
     >      > We have apache running with an expired certificate which is
     >      > signed by FreeIPA. Now I want to renew or create a new certificate.
     >      > So can you please tell me how I can renew or create a new certificate
     >      > signed by Freeipa.
     >      > As whenever I am going to the Apache URL from the browser,
     >      > it is showing site is not secured.
     >      >
     >      > Thanks & Regards,
     >      > Azeem
     >      >
     >     Hi,
     >
     >     (re-adding freeipa-users in CC).
     >     Can you first confirm that you are referring to a cert for
     >     the apache server *not running on one of the FreeIPA masters*?
     >
     >     Then please explain how you originally obtained the
     >     certificate. Also include the following information:
     >     - relevant apache configuration (if using mod_ssl, then
     >     /etc/httpd/conf.d/ssl.conf or if using mod_nss,
     >     /etc/httpd/conf.d/nss.conf).
     >     - output of getcert list on the host running apache
     >
     >     flo
     >
     >      > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <f...@redhat.com> wrote:
     >      >
     >      >     On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
     >      >      > Hello,
     >      >      >
     >      >      > Hope you are doing good. I have a question regarding
     >      >      > freeIPA host certificates.
     >      >      > We are using FreeIPA as our LDAP. We have some
     >      >      > certificates for hosts, e.g.
     >      >      > http/uat.com.
     >      >      > And we are deploying the certs in Haproxy in PEM format.
     >      >      > But the certificates for this host have expired.
     >      >      > Can you please let me know in detail how to renew
     >      >      > my expired certificates for the hosts. Please provide me the
     >      >      > commands and steps.
     >      >      >
     >      >     Hi,
     >      >
     >      >     from your description I understand that you are
     >      >     referring to certificates delivered by the IPA CA for one of the
     >      >     IPA-enrolled hosts, but not the master's Server-Cert used for
     >      >     the IPA Web GUI.
     >      >
     >      >     In this case, how did you obtain the certificate? If
     >      >     you used a method similar to what is described in this wiki [1],
     >      >     the certificate should be monitored by certmonger and
     >      >     automatically renewed.
     >      >
     >      >     If you followed instead this wiki [2], the certificate
     >      >     is not tracked by certmonger and needs to be manually renewed.
     >      >     You need to do the following, assuming that the cert is in a
     >      >     NSS database $NSSDB on the IPA client:
     >      >     - find the key nickname
     >      >     # certutil -K -d $NSSDB
     >      >     certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
     >      >     Enter Password or Pin for "NSS Certificate DB":
     >      >     < 0> rsa 7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
     >      >     (note the key nickname for the next command)
     >      >
     >      >     - create a new certificate request that will re-use the
     >      >     existing key (replace DOMAIN.COM with your IPA domain, in
     >      >     uppercase):
     >      >     # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
     >      >     Enter Password or Pin for "NSS Certificate DB":
     >      >
     >      >     - request a certificate using the new certificate request
     >      >     # kinit admin
     >      >     # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
     >      >     (the output will display a Serial Number that needs to be
     >      >     noted for the next command)
     >      >
     >      >     - remove the previous cert from the NSS database:
     >      >     # certutil -D -d $NSSDB -n Server-Cert
     >      >
     >      >     - export the certificate to a file, then import the
     >      >     certificate in the NSS database:
     >      >     # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
     >      >     # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
     >      >
     >      >     HTH,
     >      >     flo
     >      >
     >      >     [1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
     >      >     [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
     >      >
     >      >      > FreeIPA, version: 4.2.0
     >      >      >
     >      >      > Thanks & Regards,
     >      >      > Azeem
     >      >      >
     >      >      >

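The manual renewal sequence from Florence's first reply (certutil -K, certutil -R, ipa cert-request, ipa cert-show, certutil -D/-A), wrapped in a small POSIX sh script as an added example; this is not code from the thread or from the FreeIPA project. It assumes certutil and the ipa CLI are on PATH and a ticket permitted to request certs for the principal is already held; the SAMPLE_* strings are constructed to resemble the tool output quoted in the thread so the two parsers can be checked offline.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the manual renewal steps for a
# cert that certmonger does not track, keeping the existing key in $NSSDB.
# Assumes certutil(1) and the ipa CLI are installed and a ticket allowed to
# request certs for the principal is already held (kinit).

# Key nickname from `certutil -K -d $NSSDB` output; the prompt and
# "Checking token" lines do not start with "<" and are skipped.
key_nickname() {
    sed -n 's/^< *[0-9]*> *[a-z]* *[0-9a-f]* *//p' | head -n 1
}

# Decimal serial number from `ipa cert-request` output.
cert_serial() {
    sed -n 's/^ *Serial number: *\([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample outputs, shaped like the ones quoted in the thread,
# so the two parsers can be exercised without certutil or ipa present.
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert'
SAMPLE_CERT_REQUEST='  Issuing CA: ipa
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Serial number: 42
  Serial number (hex): 0x2A'

# renew_cert NSSDB PRINCIPAL ORG: request a new cert for the existing key and
# swap it into the database. The new cert is fetched before the old one is
# deleted, so a failed request leaves the database untouched.
renew_cert() {
    nssdb=$1; principal=$2; org=$3
    nick=$(certutil -K -d "$nssdb" | key_nickname)
    [ -n "$nick" ] || { echo "no private key found in $nssdb" >&2; return 1; }
    certutil -R -d "$nssdb" -k "$nick" -s "CN=$(hostname),O=$org" \
        -a -o /tmp/cert.csr || return 1
    serial=$(ipa cert-request --principal="$principal" /tmp/cert.csr | cert_serial)
    [ -n "$serial" ] || { echo "cert-request returned no serial" >&2; return 1; }
    ipa cert-show "$serial" --out=/tmp/server.crt || return 1
    certutil -D -d "$nssdb" -n "${nick#*:}"
    certutil -A -d "$nssdb" -n "${nick#*:}" -t u,u,u -i /tmp/server.crt
}

# Example invocation (commented out; needs a real IPA client):
# renew_cert "$NSSDB" "HTTP/$(hostname)" DOMAIN.COM
```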
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
