Hey Rob,

Have you seen this before?:

ipa-server-certinstall -p <password> -d --cert-name=ldap ./ldap.app.uaap.maxar.com.crt
Enter private key unlock password:
*No server certificates found in ./ldap.app.uaap.maxar.com.crt*
The ipa-server-certinstall command failed.

On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> Omar wrote:
> > roger that. I thought about doing the: ipa-cacert-manager, but that would be wrong, correct?
>
> Correct, assuming your updated cert is from the same CA.
>
> > if I do the ipa-server-certinstall, do I need to specify either -d / -w / or -k? Thanks,
>
> You want -d (directory server)
>
> rob
>
> > On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Omar via FreeIPA-users wrote:
> >     > okay, so I think you found the issue:
> >     >
> >     > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> >     >     Not Before: Fri Jan 06 19:36:22 2023
> >     >     Not After : Sat Jan 06 19:36:22 2024
> >     >
> >     > Where's the actual location of the server certificate? Thanks,
> >
> >     It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
> >
> >     You should be able to use ipa-server-certinstall to add a renewed certificate in a similar way that this one was added.
> >
> >     rob
> >
> >     > On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
> >     >
> >     >     Hi,
> >     >
> >     >     On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >     >
> >     >         [root @ ldap01]
> >     >         $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
> >     >             Not Before: Jan 12 15:30:18 2024 GMT
> >     >             Not After : Jan 11 15:30:18 2025 GMT
> >     >
> >     >     So httpd server cert is still valid.
> >     >
> >     >         also, am I looking at the correct one here?:
> >     >         [root @ ldap01]
> >     >         $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
> >     >
> >     >         Certificate Nickname                                         Trust Attributes
> >     >                                                                      SSL,S/MIME,JAR/XPI
> >     >
> >     >         APP.UAAP.MAXAR.COM IPA CA                                    CT,C,C
> >     >
> >     >     ^^ this one is IPA CA, not the server certificate for LDAP.
> >     >
> >     >         CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com            C,,
> >     >         CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com            C,,
> >     >         CN=Maxar Policy CA East,DC=Maxar,DC=com                      C,,
> >     >         CN=Maxar Policy CA West,DC=Maxar,DC=com                      C,,
> >     >         CN=Maxar Root CA,CN=Maxar,CN=com                             C,,
> >     >         CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US   u,u,u
> >     >
> >     >         [root @ ldap01]
> >     >         $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
> >     >             Not Before: Thu Feb 02 14:06:44 2023
> >     >             Not After : Mon Feb 02 14:06:44 2043
> >     >
> >     >     Based on the nicknames, I would check 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in the entry cn=RSA,cn=encryption,cn=config in the attribute nsSSLPersonalitySSL.
> >     >     For instance in my server I have:
> >     >
> >     >     dn: cn=RSA,cn=encryption,cn=config
> >     >     cn: RSA
> >     >     modifiersName: cn=Directory Manager
> >     >     modifyTimestamp: 20220121155703Z
> >     >     nsSSLActivation: on
> >     >     *nsSSLPersonalitySSL: Server-Cert*
> >     >     nsSSLToken: internal (software)
> >     >     objectClass: top
> >     >     objectClass: nsEncryptionModule
> >     >
> >     >     HTH,
> >     >     flo
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
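The checks the thread walks through by hand (find the nickname 389-ds actually serves from dse.ldif, tell the server certificate apart from the CA entries in the NSS database, read the expiry out of certutil output, and see what a PEM file holds before feeding it to ipa-server-certinstall) as a small script. This is an added example, not code from the thread, from FreeIPA or from 389-ds. It does not run certutil or ipa-server-certinstall itself; it parses the text those tools print (and the dse.ldif entry Flo describes) so it runs offline. All sample inputs are constructed to match the shapes shown in the thread, the PEM file is dummy base64 rather than a real certificate, and the date format assumed is the one certutil printed above (no timezone suffix).

```python
"""Offline pre-flight checks for renewing the 389-ds (dirsrv) TLS certificate
of a FreeIPA server. Added example; not code from the thread, FreeIPA or 389-ds.
Samples below are constructed to match the thread's output; the PEM is a dummy."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Dates as certutil prints them: "Not After : Sat Jan 06 19:36:22 2024".
# Assumption: no timezone suffix, as in the thread's output.
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_certutil_date(text: str) -> datetime:
    return datetime.strptime(text.strip(), CERTUTIL_DATE_FMT)


def nss_server_nickname(dse_ldif: str) -> Optional[str]:
    """nsSSLPersonalitySSL from cn=RSA,cn=encryption,cn=config in dse.ldif.
    LDIF folds long values onto lines starting with one space; unfold first so a
    long DN-style nickname comes back whole."""
    unfolded = re.sub(r"\n ", "", dse_ldif)
    in_entry = False
    for line in unfolded.splitlines():
        low = line.lower()
        if low.startswith("dn:"):
            in_entry = low == "dn: cn=rsa,cn=encryption,cn=config"
        elif in_entry and low.startswith("nssslpersonalityssl:"):
            return line.split(":", 1)[1].strip()
    return None


def nss_user_certs(certutil_list: str) -> List[str]:
    """From `certutil -L -d <db>` output, return nicknames whose trust flags
    contain 'u' (the DB holds their private key). That is what separates a
    server certificate (u,u,u) from CA entries (C,, or CT,C,C)."""
    nicks = []
    for line in certutil_list.splitlines():
        m = re.match(r"^(.*?)\s{2,}([A-Za-z,]+)\s*$", line)
        if m and "u" in m.group(2):
            nicks.append(m.group(1).strip())
    return nicks


def certutil_validity(certutil_cert: str) -> Tuple[datetime, datetime]:
    """Parse Not Before / Not After from `certutil -L -d <db> -n <nick>` output."""
    found = {}
    for label in ("Not Before", "Not After"):
        m = re.search(label + r"\s*:\s*(.+)$", certutil_cert, re.M)
        if not m:
            raise ValueError(label + " not found in certutil output")
        found[label] = parse_certutil_date(m.group(1))
    return found["Not Before"], found["Not After"]


def days_until_expiry(certutil_cert: str, now: datetime) -> int:
    """Whole days left (truncated toward zero); negative once expired."""
    secs = (certutil_validity(certutil_cert)[1] - now).total_seconds()
    return int(secs / 86400)


def pem_inventory(pem_text: str) -> Dict[str, int]:
    """Count PEM block types in a file before handing it to ipa-server-certinstall.
    Whether the file holds a server certificate at all, only CA certificates, or a
    key with no certificate is the first thing to check when the install command
    says it found no server certificate. Counts blocks only; it does not verify
    that a key matches a certificate."""
    counts: Dict[str, int] = {}
    for m in re.finditer(r"-----BEGIN ([A-Z ]+)-----", pem_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# ---- constructed sample inputs (shapes taken from the thread) ----
SAMPLE_DSE_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLActivation: on
nsSSLPersonalitySSL: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
  Inc,L=Herndon,ST=Virginia,C=US
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule
"""
SAMPLE_CERTUTIL_LIST = """\
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

APP.UAAP.MAXAR.COM IPA CA                              CT,C,C
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com      C,,
CN=Maxar Root CA,CN=Maxar,CN=com                       C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US  u,u,u
"""
SAMPLE_CERTUTIL_CERT = """\
        Validity:
            Not Before: Fri Jan 06 19:36:22 2023
            Not After : Sat Jan 06 19:36:22 2024
"""
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBDUMMYSERVERCERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBDUMMYISSUINGCACERT
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEDUMMYKEY
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("dirsrv serves nickname:", nss_server_nickname(SAMPLE_DSE_LDIF))
    print("certs with a private key in the NSS DB:", nss_user_certs(SAMPLE_CERTUTIL_LIST))
    now = parse_certutil_date("Tue Mar 12 14:56:00 2024")
    print("days until expiry:", days_until_expiry(SAMPLE_CERTUTIL_CERT, now))
    print("PEM file contains:", pem_inventory(SAMPLE_PEM))
```

On a real server the inputs come from `cat /etc/dirsrv/slapd-<INSTANCE>/dse.ldif`, `certutil -L -d /etc/dirsrv/slapd-<INSTANCE>` and `certutil -L -d /etc/dirsrv/slapd-<INSTANCE> -n '<nickname>'`; the nickname returned by nss_server_nickname is the one to pass to the `-n` call, and it should also appear in nss_user_certs, otherwise 389-ds is configured to serve a certificate whose key is not in its database.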