You say it was running with the self signed IPA CA and than GoDaddy cert
was added to the bundle. How was it added?
IPA does not use certs for communication between the instances. It uses
Kerberos. I am not sure the DoDaddy cert you added is even used in some
way by IPA.
It seems that your GoDaddy cert is an orthogonal trust so if you
replaced the main key pair then you just need to distribute your new
GoDaddy cert to the clients as you did on the first place.

This environment is over 350 servers, many of which are in production so I may have to wait a bit for change management approval to attempt to resolve this issue, particularly if you think it might break something.  I will keep you updated on my progress. Thank you much.

From: sipazzo <***@yahoo.com>
To: Rob Crittenden <***@redhat.com>
Cc: "freeipa-***@redhat.com" <freeipa-***@redhat.com>
Sent: Friday, March 13, 2015 9:21 AM
Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers





-----Original Message-----
From: freeipa-users-***@redhat.com [mailto:freeipa-users-***@redhat.com] On Behalf Of Rob Crittenden
Sent: Thursday, March 12, 2015 1:52 PM
To: sipazzo; freeipa-***@redhat.com
Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
To be clear, all IPA servers are masters, some just run more services than others. It sounds like you have at least one CA available which should be sufficient.
Ok. I guess the place to start is to get certs for Apache and 389-ds, then we can see about using these new certs.

In the thread you showed that the IPA 389-ds doesn't have a Server-Cert nickname. You'll want to do the same for /etc/httpd/alias before running the following commands otherwise you could end up with non-functional server.

These should get IPA certs for 389-ds and Apache. You'll need to edit these commands to match your environment:

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
-N CN=ipa.example.com -K HTTP/***@EXAMPLE.COM

# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C '/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N CN=ipa.example.com -K ldap/***@EXAMPLE.COM

I'd do them one at a time and wait until the cert is issued and tracked.
This will restart both Apache and 389-ds but it shouldn't affect operation because the certs won't be used yet.

You then need to get the old CA cert and put it into the right places.
Since it is already in the PKI-IPA NSS database let's fetch it from there. For giggles you should probably save whatever the contents of /etc/ipa/ca.crt are before-hand.

# certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a
Now add that to the Apache and 389-ds databases:

# certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/httpd/alias -t CT,C, -a -i /etc/ipa/ca.crt # certutil -A -n 'IPADOMAIN.COM IPA CA' -d /etc/dirsrv/slapd-EXAMPLE-COM -t CT,, -a -i /etc/ipa/ca.crt

Next add it to /etc/pki/nssdb if it isn't already there:

# certutil -A -n 'IPA CA' -d /etc/pki/nssdb -t CT,C,C -a -i /etc/ipa/ca.crt

Next, verify that the newly issued certs are trusted:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias # certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM

Both should return:
certutil: certificate is valid

Next is to configure the services to use the new certs. I'd stop IPA to do this: ipactl stop

Edit /etc/httpd/conf.d/nss.conf and change the NSSNickname to Server-Cert

Edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and set nsSSLPersonalitySSL to Server-Cert

Now try to start the world: ipactl start

Run a few commands:

# ipa user-show admin
# ipa cert-show 1

Both should work.

Assuming all has gone well to this point, copy /etc/ipa/ca.crt to /usr/share/ipa/html/ca.crt

Finally run: ipa-ldap-updater --upgrade

This should load the new CA certificate into LDAP.

This has the potential to break a whole bunch of your clients. It is probably enough to just copy over the new CA cert to the right
location(s) on the clients. The mechanics of this depend on the OS.
No, has nothing to do with the CA at all. The client doesn't have (or
trust) the CA that issued the LDAP server cert.

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Rob, thank you,you have been so helpful. This appears to have worked in my sandbox environment. I was able to get the new certs for the directory server and apache, stop tracking and remove the old Go Daddy certs, put my original CA certs in the correct locations and import into the databases, then configure the services to use them. I am going to move some clients into sandbox next week(we have rhel5, 6 and SOlaris)and see how they handle the new config before rolling out to prod environment and other ipa servers.

Thank you for everything.
--------------------------------------------
On Wed, 3/25/15, Rob Crittenden <***@redhat.com> wrote:

Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
To: "sipazzo" <***@yahoo.com>, "freeipa-***@redhat.com" <freeipa-***@redhat.com>
Date: Wednesday, March 25, 2015, 2:43 PM
environment up to test the cert
replacement. When I ran this stepgot to the cert request
/etc/dirsrv/slapd-IPADOMAIN-COM -n Server-Cert -p
/etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt -C
'/usr/lib64/ipa/certmonger/restart_dirsrv
IPADOMAIN-COM' -N
saying the cert at same location is already used by
"20140729215511" , same when I ran it for
but when I get to this step:

You need to tell certmonger to stop tracking
the existing GoDaddy certs,
not that they
would have been renewable anyway.

You may also need to remove them from the NSS
database(s) using
something like:

# certutil -D -n
'nickname' -d /path/to/db

I think the subject will be different enough
that it may be ok as-is.

The other errors are due to the fact that no
certificate was issued.

rob
/etc/dirsrv/slapd-EXAMPLE-COM
certutil: could not find certificate named
"Server-Cert":
PR_FILE_NOT_FOUND_ERROR: File not found
/etc/dirsrv/slapd-IPADOMAIN-COM/,
returns this:
Certificate Nickname                         
               Trust
Attributes
                                     
   
                                       
      CT,C,C
                                   
CT,,
                                 
   u,u,u
Dogtag cert is now listed whereas it was not
------------------------------------------------------------------------
replace cert for ipa servers
of which are in production so
have to wait a bit for change management approval to attempt
to
you think it might break something.
will keep you updated on my progress. Thank you much.
------------------------------------------------------------------------
replace cert for ipa servers
On Behalf Of Rob Crittenden
Thursday, March 12, 2015 1:52 PM
replace cert for ipa servers
do have other CAs (just not the master but it is available
offline
needed)
clear, all IPA servers are masters, some just run more
services
you have at least one CA available which
can get to the gui ipa
works
the place to start is to get certs for Apache and 389-ds,
certs.
thread you showed that the IPA 389-ds doesn't have a
Server-Cert
to do the same for /etc/httpd/alias before running
end up with non-functional
certs for 389-ds and Apache. You'll need to edit
ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p
/usr/lib64/ipa/certmonger/restart_httpd
request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
-p
/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C
'/usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE-COM' -N
at a time and wait until the cert is issued and tracked.
but it shouldn't affect
because the certs won't be used yet.
the old CA cert and put it into the right places.
database let's fetch it from
For giggles you should probably save whatever the contents
of
/etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA'
-a
CA' -d /etc/httpd/alias -t CT,C, -a
-i /etc/ipa/ca.crt # certutil -A -n 'IPADOMAIN.COM IPA
CA' -d
/etc/dirsrv/slapd-EXAMPLE-COM -t CT,, -a -i
/etc/ipa/ca.crt
Next add it to /etc/pki/nssdb if it isn't already
-A -n 'IPA CA' -d /etc/pki/nssdb -t CT,C,C -a -i
/etc/ipa/ca.crt
-n Server-Cert -d /etc/httpd/alias # certutil -V -u V
/etc/dirsrv/slapd-EXAMPLE-COM
certutil: certificate is valid
the new certs. I'd stop IPA to
this: ipactl stop
Edit /etc/httpd/conf.d/nss.conf and change the NSSNickname
to Server-Cert
Edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and set
nsSSLPersonalitySSL
world: ipactl start
copy /etc/ipa/ca.crt to
/usr/share/ipa/html/ca.crt
new CA certificate into LDAP.
bunch of your clients. It is
enough to just copy over the new CA cert to the right
of this depend on the OS.
in certs between slapd-PKI-CA
slapd-NETWORKFLEET-COM?
The client doesn't have (or
the CA that issued the LDAP server cert.
Message-----
On Behalf Of Rob Crittenden
Wednesday, March 11, 2015 7:20 PM
replace cert for ipa servers
was probably not helpful. This is
ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an
with:
ldap://ipa2-corp.networkfleet.com:389
error -8179:Peer's Certificate issuer
ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA
ldap://ipa1-xo.networkfleet.com:389
error -8179:Peer's Certificate issuer
ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA
ldap://ipa1-io.networkfleet.com:389
error -8179:Peer's Certificate issuer
ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA
ldap://ipa2-io.networkfleet.com:389
error -8179:Peer's Certificate issuer
ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA
ldap://ipa2-xo.networkfleet.com:389
error -8179:Peer's Certificate issuer
certificates are very confusing to me. I don't
understand how
working when we have a set of GoDaddy certs in
of the Dogtag certs in slapd-PKI-CA.
/usr/share/ipa/html/ca.crt looks like the original one
and matches the ones on the clients.
the original master server that
signed all these certs was taken offline months ago due to
some
still have access to it if necessary.
far as why the godaddy certs were swapped out for the Dogtag
certs
something as simple as the untrusted
accessing the ipa gui. I did not swap out
what happened. There is no real
need to use the GoDaddy certs as far as I am concerned. I
just want
the issues I am seeing as I am in kind of a bind
revoked and needing to be replaced and
server offline. We have a mixed
environment with Rhel 5, 6 and Solaris clients so are not
using sssd
know this is asking a lot but appreciate any help you can
give.
is the current state of things? Does your IPA Apache server
work?
you have a working IPA CA?
is yes to all then we should be able to generate new
project
the project