Hello, everyone. I have a FreeIPA network built from last year which consists of 6 IPA servers, 3 on each of two sites in the world.

Everything is up-to-date on IPA 4.12.2. These are on Rocky Linux (so, RHEL) systems. The precise package is ipa-server-common-4.12.2-1.el9_5.4.noarch on some and 5.3 on a few. The topology is very meshed, with every server having CA and Domain connections to 3 others. We are using 3rd-party certificates from DigiCert.

I have a novice understanding of FreeIPA and a weak understanding of certificates. Please excuse me if I seem to say something incorrectly.

We had an issue a week ago, where the CA Renewal Master/CRL Master and one other server on the same site had their httpd/tomcat certs expire. This put me into quite a chicken-and-egg scenario, where updating the cert in real time failed due to httpd having an expired crt, and moving the time backwards would fail in tomcat, because the cert was "from the future". (It may have been the other way around, but hopefully you get the idea.) I was able to transfer the CA Renewal Master and CRL Master roles to another machine on the other site which had a week left before expiring. I then removed IPA-everything from the old master, re-installed, replicated, etc. And, all appears well on it, except when I got to installing newly signed certs.

Here is where the big problem comes... DigiCert has decided to change their root CA, I guess at some point last year. So, the root/intermediate I built this network using are no longer valid, pretty soon. I have the new DigiCert root/intermediate certs. But, I believe I made a mistake by not supplying the ipa-cacert-manage command a specific "-t C,," option when I brought them in. Now, these appear systemwide, but are "stuck" with ",," trust. Here is what they now look like:

    # certutil -L -d /etc/ipa/nssdb; certutil -L -d /etc/dirsrv/slapd-VSS-VZBI-COM
    DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc    ,,       # New intermediate?
    DigiCert Global Root G2 - DigiCert Inc                       ,,       # New root
    VSS.VZBI.COM IPA CA                                          CT,C,C   # Whatever original self-signed thing FIPA made and controls?
    CyberTrustRoot                                               C,,      # Old root
    DigiCertCA                                                   C,,      # Old intermediate?

Using ipa-cacert-manage, if I issue a new [proper] install command, it says it succeeds, but the trust remains as ",,". If I issue a delete command, it fails with "certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user."

I have tried this, with a new name, with the existing name and with no name at all:

    ipa-cacert-manage -n DigiCertCAG2 -t C,, install digicert-ca-root.crt
    ipa-cacert-manage -n "DigiCert Global Root G2 - DigiCert Inc" -t C,, install digicert-ca-root.crt
    ipa-cacert-manage -t C,, install digicert-ca-root.crt

All appear to "succeed". I've tried wrapping the C,, in single quotes, double quotes, and no quotes. I run ipa-certupdate everywhere, and all appear to succeed. But, I get the same Trust Attributes listed in the local databases and can never use these new CAs to bring newly signed server certs in. It's always the same list as above, everywhere.

I figured, ok, maybe the install command does not function as a re-install command, and those mistakes need to be removed. But, I cannot get any delete command to take them out so that I can try to start fresh.

    ipa-cacert-manage delete "DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc"
    ipa-cacert-manage delete "DigiCert Global Root G2 - DigiCert Inc"

I always get "failed. Removing part of the chain? certutil: certificate is invalid: Peer's Certificate issuer is not recognized."

I suspect there is something I am totally ignorant about, here. Was that initial "VSS.VZBI.COM IPA CA" used in some way to bring these in, and now it also needs to come out? I am afraid to do that. And, if that is the answer, I have no idea how to rebuild that. That was something FreeIPA did magically when I brought this network to life, as far as I can remember (and grep'ing through history logs supports).

I have two days before the rest of my servers' certs also expire. I have new signed certs ready to put in on each, but... I am stuck with no trusted root CA.

I can supply you any logs or command output which may help. I would just need to scrub them a bit.

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
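An added example, not from the post above or from the FreeIPA project: a POSIX shell audit that parses `certutil -L` output and lists CA entries whose SSL trust slot lacks the `C` flag, so every NSS database in a deployment can be checked for the ",," condition the post describes. The sample listing is constructed from the post's output; the database paths in `audit_nss_trust` are the ones the post names, and `certutil` must be installed for that function.

```shell
#!/bin/sh
# Added example, not from the post or FreeIPA. In certutil -L output the trust
# column is "SSL,S/MIME,JAR/XPI"; a "C" in the SSL slot marks a trusted CA for
# server certs, so ",," means "stored but not trusted", which is the state the
# post shows for the new DigiCert root and intermediate.

# Read certutil -L output on stdin; print "<nickname><TAB><trust>" for every
# entry whose SSL trust slot lacks "C". Header and blank lines are skipped
# because they do not end in a three-slot trust triple. Entries flagged "u"
# are our own certs with a private key (e.g. Server-Cert), not CAs, so they
# are skipped as well.
untrusted_ca_entries() {
    awk '
        $NF ~ /^[CTcpPu]*,[CTcpPu]*,[CTcpPu]*$/ {
            trust = $NF
            nick = $0
            sub(/[ \t]+[CTcpPu]*,[CTcpPu]*,[CTcpPu]*[ \t]*$/, "", nick)
            split(trust, slot, ",")
            if (slot[1] !~ /C/ && slot[1] !~ /u/) printf "%s\t%s\n", nick, trust
        }'
}

# Run the check against live NSS databases (paths taken from the post).
# Usage: audit_nss_trust /etc/ipa/nssdb /etc/dirsrv/slapd-VSS-VZBI-COM
audit_nss_trust() {
    for db in "$@"; do
        echo "== $db"
        certutil -L -d "$db" | untrusted_ca_entries
    done
}

# Constructed sample modelled on the listing in the post.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc    ,,
DigiCert Global Root G2 - DigiCert Inc                       ,,
VSS.VZBI.COM IPA CA                                          CT,C,C
CyberTrustRoot                                               C,,
DigiCertCA                                                   C,,'

# Demo on the sample: emits the two DigiCert entries that carry ",," trust.
demo_sample() {
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | untrusted_ca_entries
}
```

Run `demo_sample` to see the offline check, or `audit_nss_trust` with the database directories on a server; any line it prints is a CA that will not validate newly signed server certs until its SSL trust slot carries `C`.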
