Hello!
I'm setting up a RabbitMQ server on our internal network, and I thought
now would be a good time to figure out how to use FreeIPA to issue certs
for services to enable TLS. (Only internal systems with the IPA cert
will access the system.) However, I'm running into a couple of problems.
I'm following the FreeIPA PKI Docs [1] on how to set up an automated cert
request with Certmonger, which will put cert renewal on autopilot,
hopefully, and I'm getting stuck on step #6 of the instructions where
I'm supposed to import the IPA `ca.crt` into the nssdb which was created
for RabbitMQ.
Command and results of step #6:
```
[me@rabbitserver.sub.domain.tld]# certutil -A -d /etc/rabbitmq/nssdb -n 'SUB.DOMAIN.TLD IPA CA' -t CT,, -a < /etc/ipa/ca.crt
Enter Password or Pin for "NSS Certificate DB":
```
I don't know what password or pin it would like.
I read something which suggested `/etc/dirsrv/slapd-DOMAIN-TLD/pin.txt`
on the IPA server contained the magic words which would unlock the
database, so I copied the token, which is not what certutil wants to
unlock `/etc/ipa/nssdb`.
Example contents of `/etc/ipa/nssdb/pin.txt` on IPA server:
```
Internal (Software) Token:<thispartiswhaticopied>
```
Here are the problems:
1. I don't know the PIN or password for `/etc/ipa/nssdb`.
2. I would like the cert to be auto-managed.
3. FreeIPA docs and RHEL docs disagree. [2][3]
IPA Server:
* CentOS 7
* ipa-server: 4.6.8-5.el7.centos
Rabbit Server:
* CentOS Stream 8
* ipa-client: 4.9.0-1.module_el8.4.0+635+535c2b80
Ryan
[1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...