Hey Rob,

Have you seen this before?:
ipa-server-certinstall -p <password> -d --cert-name=ldap ./ldap.app.uaap.maxar.com.crt
Enter private key unlock password:

No server certificates found in ./ldap.app.uaap.maxar.com.crt
The ipa-server-certinstall command failed.

On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden <rcritten@redhat.com> wrote:
Omar wrote:
> roger that.  I thought about doing the:
> ipa-cacert-manager, but that would be wrong, correct?

Correct, assuming your updated cert is from the same CA.

>
> if I do the ipa-server-certinstall, do I need to specify either -d / -w
> / or -k?  Thanks,

You want -d (directory server)

rob

>
> On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Omar via FreeIPA-users wrote:
>     > okay, so I think you found the issue:
>     >
>     > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
>     > 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
>     > Inc,L=Herndon,ST=Virginia,C=US' | grep Not
>     >             Not Before: Fri Jan 06 19:36:22 2023
>     >             Not After : Sat Jan 06 19:36:22 2024
>     >
>     > Where's the actual location of the server certificate?  Thanks,
>
>     It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
>
>     You should be able to use ipa-server-certinstall to add a renewed
>     certificate in a similar way that this one was added.
>
>     rob
>
>     >
>     >
>     > On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
>     >
>     >     Hi,
>     >
>     >     On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users
>     >     <freeipa-users@lists.fedorahosted.org> wrote:
>     >
>     >         [root @ ldap01]
>     >         $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt |
>     >         grep Not
>     >                     Not Before: Jan 12 15:30:18 2024 GMT
>     >                     Not After : Jan 11 15:30:18 2025 GMT
>     >
>     >     So httpd server cert is still valid.
>     >
>     >
>     >         also, am I looking at the correct one here?:
>     >         [root @ ldap01]
>     >         $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>     >
>     >         Certificate Nickname                                          Trust Attributes
>     >                                                                       SSL,S/MIME,JAR/XPI
>     >
>     >         APP.UAAP.MAXAR.COM IPA CA                                     CT,C,C
>     >
>     >     ^^ this one is IPA CA, not the server certificate for LDAP.
>     >
>     >         CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com             C,,
>     >         CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com             C,,
>     >         CN=Maxar Policy CA East,DC=Maxar,DC=com                       C,,
>     >         CN=Maxar Policy CA West,DC=Maxar,DC=com                       C,,
>     >         CN=Maxar Root CA,CN=Maxar,CN=com                              C,,
>     >         CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US   u,u,u
>     >
>     >         [root @ ldap01]
>     >         $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n
>     >         'APP.UAAP.MAXAR.COM IPA CA' | grep Not
>     >                     Not Before: Thu Feb 02 14:06:44 2023
>     >                     Not After : Mon Feb 02 14:06:44 2043
>     >
>     >     Based on the nicknames, I would check
>     >     'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies
>     >     Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
>     >     name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is
>     >     stored in the entry cn=RSA,cn=encryption,cn=config in the
>     >     attribute nsSSLPersonalitySSL.
>     >     For instance in my server I have:
>     >
>     >     dn: cn=RSA,cn=encryption,cn=config
>     >     cn: RSA
>     >     modifiersName: cn=Directory Manager
>     >     modifyTimestamp: 20220121155703Z
>     >     nsSSLActivation: on
>     >     *nsSSLPersonalitySSL: Server-Cert*
>     >     nsSSLToken: internal (software)
>     >     objectClass: top
>     >     objectClass: nsEncryptionModule
>     >
>     >     HTH,
>     >     flo
>     >
>     >
>     >         --
>     >         _______________________________________________
>     >         FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >         To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >         Fedora Code of Conduct:
>     >         https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >         List Guidelines:
>     >         https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >         List Archives:
>     >         https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >         Do not reply to spam, report it:
>     >         https://pagure.io/fedora-infrastructure/new_issue
>     >
>     >
>
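The checks Flo describes above (find the TLS nickname in dse.ldif, then read the certificate's Not After date) can be scripted. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed dse.ldif fragment for nsSSLPersonalitySSL and reads the Not After line of either certutil or openssl output (both formats as quoted in the thread) to report days until expiry. All sample inputs are constructed; the instance path is a placeholder.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the entry Flo points to in
# /etc/dirsrv/slapd-<INSTANCE>/dse.ldif (modelled on the one in the thread).
SAMPLE_DSE_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLActivation: on
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
objectClass: nsEncryptionModule
"""

# Constructed samples of the two validity formats quoted in the thread:
# `certutil -L -n <nickname>` (no zone) and `openssl x509 -noout -text` (GMT).
SAMPLE_CERTUTIL = "            Not After : Sat Jan 06 19:36:22 2024\n"
SAMPLE_OPENSSL = "            Not After : Jan 11 15:30:18 2025 GMT\n"


def ssl_personality(dse_ldif):
    """Return the NSS nickname the LDAP server presents for TLS, or None."""
    for entry in re.split(r"\n\s*\n", dse_ldif):  # LDIF entries are blank-line separated
        lines = [ln.strip() for ln in entry.strip().splitlines()]
        if not lines or lines[0].lower() != "dn: cn=rsa,cn=encryption,cn=config":
            continue
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key.strip().lower() == "nssslpersonalityssl":
                return value.strip()
    return None


def not_after(validity_out):
    """Parse the 'Not After' line of certutil or openssl output as an aware UTC datetime."""
    m = re.search(r"Not After\s*:\s*(.+)", validity_out)
    if not m:
        raise ValueError("no 'Not After' line found")
    text = m.group(1).strip()
    for fmt in ("%a %b %d %H:%M:%S %Y", "%b %d %H:%M:%S %Y GMT"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised date: %r" % text)


def days_remaining(validity_out, as_of):
    """Whole days from ISO date `as_of` (UTC midnight) until expiry; negative once expired."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return (not_after(validity_out) - now).days
```

On a live server, feed `ssl_personality()` the real dse.ldif and pass its result as the `-n` nickname to certutil; a negative `days_remaining()` is the condition seen in this thread.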