Greetings. Like many, I had to track down and remove certs that expired on May 30. I inherited a freeIPA cluster of 3 machines, and have been working on the first. But I am having problems obtaining and applying replacement certs. Here is the scenario:
* In March 2019, a senior engineer applied a chain of certs. He was transitioning from self-signed certs to valid external certs. This included a CAroot and two intermediates. His final concerns were "AddTrustExternalCARoot" and "USERTrustRSAAddTrustCA", and an item from inCommon.
* On May 30, the CAroot and one intermediate ("USERTrust") expired. He seemed to have approached a vendor directly for those, but that vendor would not confirm because I am not on their contact list. I had to seek replacements from a school department. (They do not provide support for end-uses like freeIPA.)
* This week, I have been trying to find and remove the SSL certs from the first of the freeIPA systems. I believe I removed them all (using certutil and ldapdelete).
* I have been trying to install certs provided by that department. During the time the expired certs were lingering in some places, I was able to run ipa-certupdate after a "ipa-cacert-manage install" attempt. However, now, after my removal of expired items, I get error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)"
* The three items provided by the other department don't seem to work. I had taken the steps below.
  - Since I'm using freeIPA, and prior instructions denoted .crt, I convert each with: openssl x509 -inform PEM -in <certname>.cer -out <certname>.crt
  - I had tried to use each option separately: 1) "Certificate only, PEM encoded", 2) "Root/Intermediate(s) only, PEM encoded", and 3) "Intermediate(s)/Root only, PEM encoded". Results were:
    ipa-cacert-manage install succeeded against #2
    ipa-cacert-manage install failed against #3: "Peer's Certificate issuer is not recognized."
    ipa-server-certinstall failed against #1: "The full certificate chain is not present in <freeipa_server>.crt, <freeipa_server>.crt.key"
  - I then tried to substitute another option later in email, "Certificate (w/ chain), PEM encoded." Result was: ipa-server-certinstall failed, "No matching certificate found for private key from <freeipa_server>.crt.key"
Is it possible the certs provided were incomplete, and that I need to track down something somewhere? Or did I misinterpret the use of what was provided? Is there a missing piece to consider? I appreciate any leads.
All:
I realized that multiple items were included in the department submission, and that I needed to break them into separate files. For a root and two intermediates, ipa-cacert-manage install succeeds on each.
However, I still get error on ipa-certupdate: "Connection to https://<freeIPA_server>/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)"
Any thoughts?
Finally got the freeIPA web console up. One key was discovering the chain had to be re-assembled in a file prior to running ipa-server-certinstall. I still can't run "ipa-certupdate" however.
Error: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756044): Credential cache is empty
The ipa-certupdate command failed.
freeipa-users@lists.fedorahosted.org
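Pre-flight checks for the three failures the thread runs into (a department bundle holding several certs, a server cert that does not match its key, and a chain that is incomplete or in the wrong order), as an added shell example that is not from the thread or from the FreeIPA project. File names and the output directory are placeholders, and it assumes only openssl and awk are installed.

```shell
#!/bin/sh
# Added example, not from the thread: run these against the files the issuing
# department returned before calling ipa-cacert-manage or ipa-server-certinstall.
# File names are placeholders; only openssl and awk are assumed.
set -eu

# Split a bundle (root plus intermediates in one file) into one file per
# certificate, since ipa-cacert-manage install takes them one at a time.
# Prints the number of certificates found.
split_bundle() {  # $1 = bundle file, $2 = existing output directory
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".crt"; c = 1 }
    c { print > f }
    /-----END CERTIFICATE-----/   { c = 0 }
    END { print n + 0 }' "$1"
}

# Does the server certificate belong to the private key? This is the check
# behind "No matching certificate found for private key". Public keys are
# compared rather than RSA moduli so EC keys work as well.
key_matches_cert() {  # $1 = private key, $2 = certificate
  a=$(openssl pkey -in "$1" -pubout | openssl sha256)
  b=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$a" = "$b" ]
}

# Does the leaf verify up to a self-signed root through the intermediates?
# Fails when the chain is incomplete ("full certificate chain is not present")
# or when the root on hand did not actually issue the intermediate.
chain_verifies() {  # $1 = root, $2 = intermediate bundle, $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Re-assemble the chain file for ipa-server-certinstall in the usual order:
# leaf first, then intermediates from the one that signed the leaf upward,
# then the root.
build_chain() {  # $1 = output file, $2 = leaf, $3.. = intermediates, then root
  out=$1; shift
  cat "$@" > "$out"
}
```

Run chain_verifies against each candidate root and intermediate combination before installing anything; the combination that verifies is the one to feed ipa-cacert-manage install, one file at a time.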