Hi Peter,
this is generally good info, and all the cleanups you mention below are
worth doing.

I just want to mention that if someone is in a pinch and needs to
prioritize operations, the only fixes that are really necessary are
those that involve certificate chains sent from servers to clients.

Namely, the changes to the NSSDBs (steps 1 to 3, plus a restart of the
servers' services to reread the new chains).

The changes to the certificate stores (like ca.crt or LDAP) (steps 4
and onwards) are definitely a good idea, but are not technically
necessary once the TLS servers send the right set of non-expired chains
to the clients.

So, definitely prioritize work on the servers, and leave clients last.

HTH,
Simo.

On Fri, 2020-06-05 at 18:34 +0000, Peter Lewis via FreeIPA-users wrote:
> I'm putting this out there to help others if they need it, but be wary as the 
> following caveats apply:
>       1. I am not an expert in FreeIPA.  Make a backup or snapshot if 
> possible.  For nssdb stuff, you can just tar up those directories for a 
> backup before munging the data in there.
>       2. I'm not 100% on order as I've been doing this repair over the last 
> few days.
>       3. There could be extra steps that are unnecessary
>       4. I'm on 4.6.5 so no cool new CA tools available
> 
> Here are my final steps that worked:
>       1. On all IPA servers, add new wildcard cert
>               ipa-server-certinstall -v -w -d certificate.key 
> certificate_bundle_with_servercert.pem
>               ipa-cacert-manage renew --external-cert-file 
> certificate_bundle_with_servercert.cer --external-cert-file locate_ca.pem 
> (I'm not sure this did anything)
>               
>       2. On all IPA servers, clean up all nss cache files by hand (so as not to 
> delete the wrong cert)
>               a. list the contents
>                       certutil -L -d 
>                               /etc/httpd/alias
>                               /etc/pki/pki-tomcat/alias
>                               /etc/dirsrv/slapd-DOM-EXAMPLE-COM
>                               /etc/ipa/nssdb
>                       
>               b. Delete all but the *.lids and the DOM.EXAMPLE.COM and any 
> internal CAs like "Server-Cert cert-pki-ca"
>                       certutil -D -d /etc/httpd/alias -n "CN=InCommon RSA 
> Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US"
>                       certutil -D -d /etc/pki/pki-tomcat/alias -n 
> "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey 
> City,ST=New Jersey,C=US"
>                       etc
>       3. On all IPA servers, add in the 3 certs for the new path C chain.   
> They're named locally as c1, c2 and c3.pem.  Comodo, InCommon, 
> Usertrust (I scripted it to take $1 as the nssdb path) to each of the above 
> nssdb caches.
>               certutil -A -d $1 -i c1.pem -n "C=GB, ST=Greater Manchester, 
> L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services" -t "C,,"
>               certutil -A -d $1 -i c2.pem -n "C=US, ST=New Jersey, L=Jersey 
> City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority" -t 
> "C,,"
>               certutil -A -d $1 -i c3.pem -n "C=US, ST=MI, L=Ann Arbor, 
> O=Internet2, OU=InCommon, CN=InCommon RSA Server CA" -t "C,,"
>       4. On all IPA servers, update the /etc/ipa/ca.crt with the chain by hand
>       5. On all IPA servers, restart IPA client
>               a. ipasvc restart
>       6. On just one server, now to remove the CAs from LDAP itself (it gets 
> replicated to the other 389ds servers).  
>               a. Get the DN names: 
>                       ldapsearch -x -o ldif-wrap=no -b 
> dc=dom,dc=example,dc=com "(objectClass=ipaCertificate)" | grep dn:
>               b. Run the ldapdelete command on each (3 different CAs in my 
> case):
>                       ldapdelete "cn=CN\3DInCommon RSA Server 
> CA\2COU\3DInCommon\2CO\3DInternet2\2CL\3DAnn 
> Arbor\2CST\3DMI\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=example,dc=com"
>  -D 'cn=directory manager' -W
>       7. On the same server as above, now to add in the CAs again:
>               a. ipa-cacert-manage -v install 
> certificate_bundle_without_servercert.pem
>       8. On all IPA servers run:
>               a. kinit admin (or whatever admin account you're using)
>               b. ipa-certupdate
>       9. On all clients:
>               a. manually update /etc/ipa/ca.crt with the new chain + local 
> CA.  Same step as we did with #5 above
>               b. kinit admin
>               c. ipa-certupdate
>               
> Good luck.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
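One check worth running before a chain goes into the NSSDBs or /etc/ipa/ca.crt is whether any certificate in the PEM bundle has already expired, since an expired intermediate in the served chain is exactly what breaks the clients. This is an added example written for this thread, not code from either poster or from FreeIPA: it reads each certificate's validity period with a minimal DER walker from the Python standard library, and the two-certificate bundle it checks is constructed inline (stand-ins with empty names, not real certificates).

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it); short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_time(tag, raw):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, tbs, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(tbs, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = der_tlv(tbs, 0)          # version [0] (optional, tag 0xA0) or serialNumber
    if tag == 0xA0:
        _, _, pos = der_tlv(tbs, pos)      # serialNumber
    _, _, pos = der_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = der_tlv(tbs, pos)          # issuer Name
    _, validity, _ = der_tlv(tbs, pos)     # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = der_tlv(validity, 0)
    t2, na, _ = der_tlv(validity, pos)
    return der_time(t1, nb), der_time(t2, na)

def check_bundle(pem_text, now=None):
    """[(index, notBefore, notAfter, expired)] for each cert in a PEM bundle; expired = notAfter < now."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        nb, na = cert_validity(base64.b64decode("".join(b64.split())))
        rows.append((i, nb, na, na < now))
    return rows
def _tlv(tag, body): return bytes([tag, len(body)]) + body   # tiny DER encoder, only for the constructed sample
def sample_report():
    """Constructed stand-ins (NOT real certificates: tbs fields up to validity, empty names),
    one expired 2020-01-01 and one valid until 2030, checked as of 2020-06-05."""
    pems = []
    for nb, na in (("100101000000Z", "200101000000Z"), ("150101000000Z", "300101000000Z")):
        validity = _tlv(0x30, _tlv(0x17, nb.encode()) + _tlv(0x17, na.encode()))
        tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") + _tlv(0x30, b"") + validity
        der = _tlv(0x30, _tlv(0x30, tbs))
        pems.append("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode())
    return check_bundle("".join(pems), now=datetime(2020, 6, 5, tzinfo=timezone.utc))
```

On a real system, `check_bundle(open("/etc/ipa/ca.crt").read())` lists every certificate in the file with its validity window, so a chain can be checked for expired members before it is installed with ipa-cacert-manage or loaded into an NSSDB.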



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
