I haven’t had the chance to try this out. My plan was to spin up a backup
of the current server, try these settings there and go from there. That way
there is less chance that I’ll need to re-do everything.
On January 28, 2021 at 10:59:15 AM, Rob Crittenden (rcritten(a)redhat.com)
wrote:
> Sinh Lam via FreeIPA-users wrote:
> > Hi Rob -
> > The chain should be the same. I’m using a LetsEncrypt certificate and
> > have previously had it added, but I lapsed in renewing it, and now when I
> > attempt to update the cert for LDAP it just complains that the peer
> > certificate expired. Instead of renewing, I ended up regenerating a new
> > certificate, so hopefully I won’t make a bigger mess of things.
>
> So you're good then with the new cert?
>
> Note that LE *did* recently change their chaining, so be aware of that.
>
> rob
>
> > Thanks again.
> > Sinh
> > On January 26, 2021 at 12:02:26 PM, Rob Crittenden (rcritten(a)redhat.com
> > <mailto:rcritten@redhat.com>) wrote:
> > > Sinh Lam via FreeIPA-users wrote:
> > > > Hi Rob -
> > > >
> > > > Do you have any instructions on manually doing this? I asked a similar
> > > > question a while ago (and excuses aside) but I haven’t responded back
> > > > with the requested info. The http cert was updated but I can’t seem to
> > > > get the 389-ds certificate to update as well.
> > >
> > > Assuming the new certificate is from the existing private key and the CA
> > > chaining hasn't changed then all that needs to happen is to install the
> > > updated certificate. To do so:
> > >
> > > # systemctl stop dirsrv.target
> > > # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif
> > > nsSSLPersonalitySSL: SOMETHING
> > > <make a backup/copy of /etc/dirsrv/slapd-REALM/*.db>
> > > # certutil -A -d /etc/dirsrv/slapd-REALM -n SOMETHING -t u,u,u -a -i /path/to/certificate.pem
> > > # systemctl start dirsrv.target
> > >
> > > Similarly for the Apache cert stop Apache, backup the cert, copy the new
> > > one, restart. The cert is stored as a PEM in /var/lib/ipa/certs/httpd.crt
> > >
> > > Let me stress again that doing this without ensuring that the private
> > > key and the chaining hasn't changed will only make things worse.
> > >
> > > rob
> > >
> > > > On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users
> > > > (freeipa-users(a)lists.fedorahosted.org
> > > > <mailto:freeipa-users@lists.fedorahosted.org>) wrote:
> > > > > Ahmed ElShafaie via FreeIPA-users wrote:
> > > > > > Florence
> > > > > > Thank you so much, I really appreciated your help.
> > > > > > I already did that, creating a new ticket using "kinit admin", and it
> > > > > > accepts the password, but when I apply ipa-certupdate it returns
> > > > > > "ipa: ERROR: Insufficient access: Invalid credentials"
> > > > > >
> > > > > > Even the DM password is correct.
> > > > > >
> > > > > > Second, the certificate was created almost a month after. Is there a
> > > > > > solution for that?
> > > > >
> > > > > Are these renewed certificates from the same issuer using the same
> > > > > private key? Is the CA chain the same? Is this both the Apache and the
> > > > > 389-ds certificate?
> > > > >
> > > > > If so then it should be fairly straightforward to manually replace the
> > > > > certificates.
> > > > >
> > > > > rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
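The manual replacement Rob describes above (stop dirsrv, read the nsSSLPersonalitySSL nickname from dse.ldif, back up the NSS database, certutil -A, start dirsrv; for Apache stop, back up, copy the PEM, start) as an added example, not code from the thread or from the FreeIPA project. It scripts those steps and refuses to run them unless the two conditions Rob insists on hold: the new certificate was issued for the private key already in use (compared through the public key) and the issuer is unchanged (which is where the Let's Encrypt chain change he mentions would show up). Assumed, and not stated in the thread: openssl and certutil (nss-tools) are on PATH, the script runs as root, and the instance directory and the new PEM are passed as arguments. The issuer-DN comparison is a simplification of a full chain comparison.

```shell
#!/bin/sh
# Added example (not FreeIPA code): guarded version of the manual cert
# replacement from the thread. Assumes openssl + certutil on PATH, root.
set -eu

# Nickname 389-ds uses for its server cert: the nsSSLPersonalitySSL value
# in the instance's dse.ldif (what the grep in the thread prints).
nss_nickname() {
    sed -n 's/^nsSSLPersonalitySSL:[ ]*//p' "$1" | head -n 1
}

# SHA-256 of the DER SubjectPublicKeyInfo of the PEM certificate on stdin.
# Two certs issued for the same private key hash identically here.
cert_pubkey_sha256() {
    openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Issuer DN of the PEM certificate on stdin; a different issuer means the
# chain changed and the leaf alone must not be swapped in.
cert_issuer() {
    openssl x509 -noout -issuer
}

# 0 if both PEM certificates carry the same public key, 1 otherwise.
same_public_key() {
    [ "$(cert_pubkey_sha256 < "$1")" = "$(cert_pubkey_sha256 < "$2")" ]
}

# 0 if both PEM certificates name the same issuer, 1 otherwise.
same_issuer() {
    [ "$(cert_issuer < "$1")" = "$(cert_issuer < "$2")" ]
}

# Refuse unless the new cert matches the old one on key and issuer.
precheck() { # old.pem new.pem
    same_public_key "$1" "$2" \
        || { echo "refusing: $2 was not issued for the key behind $1" >&2; return 1; }
    same_issuer "$1" "$2" \
        || { echo "refusing: issuer changed, update the CA chain before the leaf cert" >&2; return 1; }
}

install_ldap_cert() { # /etc/dirsrv/slapd-REALM new.pem
    dir=$1 newcert=$2
    nick=$(nss_nickname "$dir/dse.ldif")
    [ -n "$nick" ] || { echo "no nsSSLPersonalitySSL in $dir/dse.ldif" >&2; return 1; }
    old=$(mktemp)
    # Export the cert currently stored under that nickname as PEM.
    certutil -L -d "$dir" -n "$nick" -a > "$old"
    precheck "$old" "$newcert"
    rm -f "$old"
    systemctl stop dirsrv.target
    backup="$dir/nssdb-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" && cp -p "$dir"/*.db "$backup"/
    certutil -A -d "$dir" -n "$nick" -t u,u,u -a -i "$newcert"
    systemctl start dirsrv.target
}

install_httpd_cert() { # new.pem
    crt=/var/lib/ipa/certs/httpd.crt
    precheck "$crt" "$1"
    systemctl stop httpd
    cp -p "$crt" "$crt.bak-$(date +%Y%m%d%H%M%S)"
    cp "$1" "$crt"
    systemctl start httpd
}

case "${1:-}" in
    ldap)  install_ldap_cert "$2" "$3" ;;
    httpd) install_httpd_cert "$2" ;;
    "")    ;;   # no arguments: only define the functions (file can be sourced)
    *)     echo "usage: $0 ldap /etc/dirsrv/slapd-REALM new.pem | httpd new.pem" >&2; exit 2 ;;
esac
```

Run it as `sh replace-cert.sh ldap /etc/dirsrv/slapd-REALM /path/to/certificate.pem` and then `sh replace-cert.sh httpd /path/to/certificate.pem`. If either precheck fails the services are never stopped and nothing is written, which is the point: a cert for a different key or from a changed chain is exactly the case Rob warns will make things worse.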