On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote:

# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u DSTRootCAX3 C,, auditSigningCert cert-pki-ca u,u,Pu Server-Cert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu letsencryptx3 C,, letsencryptx3 C,, ISRGRootCAX1 C,, _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

ipa-cert-fix man page explicitely states that it cannot renew certificates signed by external CAs:

----- 8< ----- This tool cannot renew certificates signed by external CAs. To install new, externally-signed HTTP, LDAP or KDC certificates, use ipa-server- certinstall(1). ----- >8 -----

In your case, you need to use the ipa-server-certinstall command to replace the expired letsencrypt certs: - change the date on the server to a date when the certificate was still valid - start IPA services (except ntpd/chronyd, otherwise the date will be reset) - use ipa-server-certinstall as described in "Installing Third-Party Certificates for HTTP or LDAP" [1] with the new certificates - set the date back to the real current date

A few additional tips: - when some services fail to start and trigger the shutdown of the whole IPA stack, you can use the --ignore-service-failures option of ipactl: # ipactl start --ignore-service-failures

- ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is now in /var/lib/ipa/ra-agent.{key|pem}

HTH, flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...

Ricardo Mendes via FreeIPA-users wrote:

Hi Florence,

Thank you so much for your reply.

I have some questions regarding your instructions.

1. ipactl start --ignore-service-failures doesn't work, it leaves most services down and I must use systemctl to bring them up.

# sudo ipactl restart --ignore-service-failures IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4') Automatically running upgrade, for details see /var/log/ipaupgrade.log Be patient, this may take a few minutes. Automatic upgrade failed: Update complete Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved [Verifying that CA proxy configuration is correct] IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. CA did not start in 300.0s The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again Stopping ipa-dnskeysyncd Service Stopping ods-enforcerd Service Stopping ipa-ods-exporter Service Stopping ipa-otpd Service Stopping pki-tomcatd Service Stopping ntpd Service Stopping ipa-custodia Service Stopping httpd Service Stopping named Service Stopping kadmin Service Stopping krb5kdc Service Stopping Directory Service Aborting ipactl

then I have to start manually using the systemctl command I put before.

It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed.

Also is there a way to use ipactl to start manually a specified service?

No.

2. what procedure should I use to get a ssl.crt?

# find /{etc,home,opt,root,tmp,usr,var} -type f -iname ssl.crt #

ssl.crt is just a generic name, IPA doesn't use it. Each certificate that IPA issues has its own unique name. You'd need to look per-service where the certificate is stored and what is named. The certmonger output will help with this:

# getcert list

Note that this will include the certificates used by the IPA CA.

I think I was using the wrong letsencrypt-freeipa I was using the one here https://github.com/antevens/letsencrypt-freeipa but now I see there's another here https://github.com/freeipa/freeipa-letsencrypt with more recent updates. How do I "replace" them?

These are just two different wrappers around let's encrypt certificates. As long as it can find the key(s) then it should work either way (one uses HTTP and one uses DNS). The real trick is what version(s) of IPA those support and where it is looking for the certificates. The cert locations and storage are different depending on the version of IPA.

rob

Ok so I don't know what happened the server really did take a long time to come up but it did.

Everything looks pretty much the same. The setup-le.sh command I ran that said

The ipa-certupdate command was successful

But I can't see it. I have to start ipa services with --ignore-service-failure and --skip-version-check When I go to web I still see the old expired certificate from May 21st.

I tried to run renew-le and I get this error:

# bash renew-le.sh Error opening Certificate /var/lib/ipa/certs/httpd.crt 140430772283280:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r') 140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404: unable to load certificate

Hi Rob,

Again thanks for your reply. So I got went to the commit that lasted from 2017 and re-ran setup-le.sh Output is here:

https://pastebin.com/JAaD4R21

In the end I get this error:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated. ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328 ipapython.admintool: INFO: The ipa-certupdate command was successful certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

If I try renew-le

# bash renew-le.sh certutil: could not find certificate named "Server-Cert": PR_FILE_NOT_FOUND_ERROR: File not found certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

(btw https://lists.fedoraproject.org is down)

Ricardo Mendes via FreeIPA-users wrote:

Ok so I don't know what happened the server really did take a long time to come up but it did.

Everything looks pretty much the same. The setup-le.sh command I ran that said

...

The ipa-certupdate command was successful

But I can't see it. I have to start ipa services with --ignore-service-failure and --skip-version-check When I go to web I still see the old expired certificate from May 21st.

I tried to run renew-le and I get this error:

# bash renew-le.sh Error opening Certificate /var/lib/ipa/certs/httpd.crt 140430772283280:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r') 140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404: unable to load certificate

That's the incompatibilities I mentioned. I think if you pop the top one or two commits off then it will start to work again. Look for a commit that's like "switch to mod_ssl" and pop that off.

rob

Hi Florence,

Thank you for your reply. Rob had pointed me on that direction but now when I try to run the setup-le script with that version I get the following error:

1. ipaplatform.redhat.tasks: INFO: Systemwide CA database updated. 2. ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328 3. ipapython.admintool: INFO: The ipa-certupdate command was successful 4. certutil: Server-Certisneither a key-typenor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

And the correct setup of certificates fails.

Using the freeipa-letsencrypt commit 601f03b before "Move from mod_nss to mod_ssl". Not sure what to do next.

On 11/06/2020 08:31, Florence Blanc-Renaud wrote:

On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote:

...

Hi Rob,

Thanks a lot for your reply.

...

It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed.

Amazing! So I turned back the clock and:

# ipactl restart --ignore-service-failure --skip-version-check Skipping version check Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list' Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting ntpd Service Restarting pki-tomcatd Service Failed to restart pki-tomcatd Service Forced restart, ignoring pki-tomcatd Service, continuing normal operation Restarting ipa-otpd Service Restarting ipa-ods-exporter Service Restarting ods-enforcerd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful

I did as Florence said and set the time back. Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary and ran setup-le.sh

It shows some errors like, I am including the full output here: https://pastebin.com/S07vqXLy

In the end has this:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated. ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224 ipapython.admintool: INFO: The ipa-certupdate command was successful Error opening Private Key /var/lib/ipa/private/httpd.key 139927634605968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r') 139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404: unable to load Private Key

The version of freeipa-letsencrypt that you are using is written for IPA 4.7+, with httpd's private key stored in /var/lib/ipa/private/httpd.key.

From your earlier messages it looks like you're using ipa 4.6, meaning that httpd is configured with mod_nss (ie getting its cert/key from a NSS database) instead of mod_ssl (ie getting its cert/key from a file). In this case you should use an earlier version of freeipa-letsencrypt, before the following commit: cfaf511 Move from mod_nss to mod_ssl

HTH, flo

...

...

These are just two different wrappers around let's encrypt certificates. As long as it can find the key(s) then it should work either way (one uses HTTP and one uses DNS). The real trick is what version(s) of IPA those support and where it is looking for the certificates. The cert locations and storage are different depending on the version of IPA.

I am assuming the script from antevens uses DNS. But how can it not matter if someone is using an up to date version of freeipa and Florence mentioned

...

• ipaCert is not stored any more in the NSS database

/etc/httpd/alias,  it is now in /var/lib/ipa/ra-agent.{key|pem}

So if this has changed and the scripts of that letsencrypt repo haven't been edited in over an year, is it supposed to work? Or is it not compliant with the latest IPA versions?

Btw, after setup-le.sh finished I set the time back and rebooted the server. It seems like now it's not coming up at all ..... I'll have to VNC to it and see what happened.... _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...