Also when I run ipa-certupdate trying https://identity.ashlex.com/ipa/session/json [try 1]: Forwarding 'schema' to json server 'https://identity.ashlex.com/ipa/session/json' Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638945): Ticket not yet valid The ipa-certupdate command failed.

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Florence Thank you so much I really appreciated your help. I already did that creating a new ticket using "kinit admin" and it accepts the password, But when I apply ipa-certupdate it returns "ipa: ERROR: Insufficient access: Invalid credentials" Even the DM password is correct. Second, The certificate created almost a month after. is there a solution for that

Hi Rob -  Do you have any instructions on manually doing this?  I asked a similar question a while ago (and excuses aside) but I haven’t responded back with the requested info.  The http cert was updated but I can’t seem to get the 389-ds certificate to update as well.

On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users (freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>) wrote: > Ahmed ElShafaie via FreeIPA-users wrote: > > Florence > > Thank you so much I really appreciated your help. > > I already did that creating a new ticket using "kinit admin" and it accepts the password, But when I apply ipa-certupdate it returns > > "ipa: ERROR: Insufficient access: Invalid credentials" > > > > Even the DM password is correct. > > > > Second, The certificate created almost a month after. is there a solution for that > > Are these renewed certificates from the same issuer using the same > private key? Is the CA chain the same? Is this both the Apache and the > 389-ds certificate? > > If so then it should be fairly straightforward to manually replace the > certificates. > > rob > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Hi Rob -  The chain should be the same.  I’m using a LetsEncrypt certificate and have previously had it added but I lapsed in renewing it and now when I attempt to update the cert for LDAP it just complains about the peer certificate expired.  Instead of renewing - I end up regenerating a new certificate so hopefully I won’t make a bigger mess of things.  

Thanks again. Sinh On January 26, 2021 at 12:02:26 PM, Rob Crittenden (rcritten(a)redhat.com <mailto:rcritten@redhat.com>) wrote: > Sinh Lam via FreeIPA-users wrote: > > Hi Rob -  > > > > Do you have any instructions on manually doing this?  I asked a similar > > question a while ago (and excuses aside) but I haven’t responded back > > with the requested info.  The http cert was updated but I can’t seem to > > get the 389-ds certificate to update as well. > > Assuming the new certificate is from the existing private key and the CA > chaining hasn't changed then all that needs to happen is to install the > updated certificate. To do so: > > # systemctl stop dirsrv.target > # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif > nsSSLPersonalitySSL: SOMETHING > <make a backup/copy of /etc/dirsrv/slapd-REALM/*.db> > # certutil -A -d /etc/dirsrv/slapd-REALM -n SOMETHING -t u,u,u -a -i > /path/to/certificate.pem > # systemctl start dirsrv.target > > Similarly for the Apache cert stop Apache, backup the cert, copy the new > one, restart. The cert is stored as a PEM in /var/lib/ipa/certs/httpd.crt > > Let me stress again that doing this without ensuring that the private > key and the chaining hasn't changed will only make things worse. > > rob > > > > > > > > > On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users > > (freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>) wrote: > > > >> Ahmed ElShafaie via FreeIPA-users wrote: > >> > Florence > >> > Thank you so much I really appreciated your help. > >> > I already did that creating a new ticket using "kinit admin" and it accepts the password, But when I apply ipa-certupdate it returns > >> > "ipa: ERROR: Insufficient access: Invalid credentials" > >> > > >> > Even the DM password is correct. > >> > > >> > Second, The certificate created almost a month after. is there a solution for that > >> > >> Are these renewed certificates from the same issuer using the same > >> private key? Is the CA chain the same? Is this both the Apache and the > >> 389-ds certificate? > >> > >> If so then it should be fairly straightforward to manually replace the > >> certificates. > >> > >> rob > >> _______________________________________________ > >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > >> To unsubscribe send an email to > >> freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > >> <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > >> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

I haven’t had the chance to try this out.  My plan was to spin up a backup of the current server and try these settings there and go from there.  The less chance that I’ll need to re-do everything going that route.

On January 28, 2021 at 10:59:15 AM, Rob Crittenden (rcritten(a)redhat.com <mailto:rcritten@redhat.com>) wrote: > Sinh Lam via FreeIPA-users wrote: > > Hi Rob -  > > > > The chain should be the same.  I’m using a LetsEncrypt certificate and > > have previously had it added but I lapsed in renewing it and now when I > > attempt to update the cert for LDAP it just complains about the peer > > certificate expired.  Instead of renewing - I end up regenerating a new > > certificate so hopefully I won’t make a bigger mess of things.   > > So you're good then with the new cert? > > Note that LE *did* recently change their chaining, so be aware of that. > > rob > > > > > Thanks again. > > > > Sinh > > > > > > > > On January 26, 2021 at 12:02:26 PM, Rob Crittenden (rcritten(a)redhat.com <mailto:rcritten@redhat.com> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>) wrote: > > > >> Sinh Lam via FreeIPA-users wrote: > >> > Hi Rob -  > >> > > >> > Do you have any instructions on manually doing this?  I asked a similar > >> > question a while ago (and excuses aside) but I haven’t responded back > >> > with the requested info.  The http cert was updated but I can’t seem to > >> > get the 389-ds certificate to update as well. > >> > >> Assuming the new certificate is from the existing private key and the CA > >> chaining hasn't changed then all that needs to happen is to install the > >> updated certificate. To do so: > >> > >> # systemctl stop dirsrv.target > >> # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif > >> nsSSLPersonalitySSL: SOMETHING > >> <make a backup/copy of /etc/dirsrv/slapd-REALM/*.db> > >> # certutil -A -d /etc/dirsrv/slapd-REALM -n SOMETHING -t u,u,u -a -i > >> /path/to/certificate.pem > >> # systemctl start dirsrv.target > >> > >> Similarly for the Apache cert stop Apache, backup the cert, copy the new > >> one, restart. The cert is stored as a PEM in /var/lib/ipa/certs/httpd.crt > >> > >> Let me stress again that doing this without ensuring that the private > >> key and the chaining hasn't changed will only make things worse. > >> > >> rob > >> > >> > > >> > > >> > > >> > On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users > >> > (freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > >> > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>>) wrote: > >> > > >> >> Ahmed ElShafaie via FreeIPA-users wrote: > >> >> > Florence > >> >> > Thank you so much I really appreciated your help. > >> >> > I already did that creating a new ticket using "kinit admin" and it accepts the password, But when I apply ipa-certupdate it returns > >> >> > "ipa: ERROR: Insufficient access: Invalid credentials" > >> >> > > >> >> > Even the DM password is correct. > >> >> > > >> >> > Second, The certificate created almost a month after. is there a solution for that > >> >> > >> >> Are these renewed certificates from the same issuer using the same > >> >> private key? Is the CA chain the same? Is this both the Apache and the > >> >> 389-ds certificate? > >> >> > >> >> If so then it should be fairly straightforward to manually replace the > >> >> certificates. > >> >> > >> >> rob > >> >> _______________________________________________ > >> >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > >> >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>>> > >> >> To unsubscribe send an email to > >> >> freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > >> <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > >> >> <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > >> <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > >> >> Fedora Code of Conduct: > >> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> >> List Archives: > >> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > >> > >> > > >> > _______________________________________________ > >> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > >> <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > >> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > >> <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > >> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > >> > >> > > >> > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...