Hi Jan,
I'm grateful for your help. I've researched how to follow your
recommendations above, but I'm not having a lot of luck. According to
old posts in this mailing list,
https://www.redhat.com/archives/freeipa-users/2013-May/msg00199.html,
the command ipa-server-certinstall is the way to go. That said, I
found an issue you've filed to allow for this, and it was implemented
in FreeIPA 3.3: https://fedorahosted.org/freeipa/ticket/3641
Unfortunately, this system is running FreeIPA 3.0:
# rpm -qa | grep -P "ipa[_-]"
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-admintools-3.0.0-26.el6_4.4.x86_64
libipa_hbac-1.9.2-82.10.el6_4.x86_64
libipa_hbac-python-1.9.2-82.10.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
#
I've found these instructions:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal. I've read
those instructions, and I believe I may have a misconception about
this process. The procedure calls to:
# cp /root/ipa.crt /usr/share/ipa/html/ca.crt
# cp /root/ipa.crt /etc/ipa/ca.crt
Can you clear up what /root/ipa.crt ought to contain? I assume it
ought to contain *only* the root CA certificate which is the *first*
key in the bundle provided by the 3rd party Certificate Authority. Is
that correct?
The files /etc/ip/ca.crt already exists, but it is a single
certificate. The file I have, issued alongside with the certificate by
GoDaddy, is a CA bundle. It contains 3 public keys in sequence in a
single file. Could you please be more detailed as to how to accomplish
this: "you need to import the CA certificate to NSS databases at
/etc/dirsrv/slapd-DIRSRV_REDACTED, /etc/httpd/alias and
/etc/pki/nssdb, copy it to /etc/ipa/ca.crt and
/usr/share/ipa/html/ca.crt and update
cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com in LDAP with it."
I certainly hope these are not inappropriate questions: I'd just like
to ensure this is done correctly. Thank you.
---
Dragan Prostran
On Fri, Oct 24, 2014 at 6:12 AM, Jan Cholasta wrote:
> Hi,
>
> Dne 24.10.2014 v 04:36 Dragan Prostran napsal(a):
>
>> Hello,
>>
>> This is my first time posting to this list, so if I've made a faux pas
>> or mistake, please do correct me.
>>
>> Can anyone please point me to the correct method to renewing 3rd party
>> SSL certificates used by FreeIPA 3.0? I suspect I've not done this
>> correctly.
>>
>> Here is what has worked correctly so far:
>> 1. FreeIPA is installed and configured to work correctly. It uses 3rd
>> party SSL certificates. I have access to the CSR, the certificate, the
>> private key, and the new CA bundle.
>> 2. I have successfully followed these instructions to update the SSL
>> certificates used by Apache to serve the FreeIPA web interface:
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP.
>> Of note is that there are 2 IPA servers, and the procedure has been
>> followed on both.
>> 3. Upon visiting the FreeIPA web interface, I can see that the
>> certificate is valid, and expires in the future. Login to FreeIPA and
>> modifying (for example) an LDAP password, work correctly.
>> 4. 3rd party services that take advantage of LDAP work correctly. I
>> can login and authenticate via LDAP.
>>
>> Here is what does not work correctly:
>> 1. A distinct, 3rd party webservice that takes advantage of LDAP *via
>> SSL* no longer is able to authenticate. Prior to certificate update
>> mentioned, this did work correctly. I must admit I'm unfamiliar with
>> LDAP (via SSL), and so instead of troubleshooting that service, I had
>> a closer look at the FreeIPA instance.
>
>
> The 3rd party webservice needs to trust the CA certificate of the LDAP
> server certificate in order for this to work.
>
>> 2. When connected to the FreeIPA instance, and issuing 'ipa
>> user-status username', the following error is returned:
>>
>> ipa: ERROR: cert validation failed for "CN=CERT_CN_REDACTED,OU=Domain
>> Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
>> issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for "CN=CERT_CN_REDACTED,OU=Domain
>> Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
>> issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
>> domain='ipa', localedir=None): https://IPA1_FQDN_REDACTED/ipa/xml,
>> https://IPA2_FQDN_REDACTED/ipa/xml
>>
>> Note that, CERT_CN_REDACTED is the *.domain.tld cert that has