I’ve installed ipa. Originally I did the default install, without DNS.
I then updated to a commercial cert. Notes at the end.
I just did a yum update. ipa-server-upgrade failed with the following error:
2017-07-12T19:23:39Z DEBUG stderr=
2017-07-12T19:23:44Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-07-12T19:23:45Z DEBUG Starting external process
2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
2017-07-12T19:23:45Z DEBUG Process finished, return code=255
2017-07-12T19:23:45Z DEBUG stdout=
2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert : PR_FILE_NOT_FOUND_ERROR: File not found
When I do /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L I find that there is no Server-Cert alias. Instead
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE   C,,
CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US   C,,
CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US   C,,
ipaCert   u,u,u
CS.RUTGERS.EDU IPA CA   CT,C,C
CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US   u,u,u
Any idea how to fix this? Can I safely rename the last entry to be Server-Cert? Can I safely run ipa-server-upgrade again to make sure it works?
I have a replica. Upgrade for it worked fine, but CA services aren’t installed on it.
—————— upgrading to commercial cert:
When you set up IPA it will generate its own certificate. It will be used for both ldap and http. A CA cert goes into /etc/ipa/ca.cert. In the long run you want to use a commercial certificate. I got back from the certificate people a key, a cert, and a CA chain. Installing them was a hair-raising experience. Note that on the backup, the intermediates are already there, because they're copied from the primary. Hence you can go directly to ipa-server-certinstall. This is probably true for renewal as well.

• Before you can install the actual cert, you need to install all the CA certificates for the chain.
• Take apart the intermediate certificates. If you look at the file you'll see it has 3 obvious sections.
• Use openssl x509 -in FILE -text to look at them.
• Starting at the top level, install each one using
  ipa-cacert-manage -p PASSWORD -n NICKNAME -t C,, install FILE
  ; PASSWORD is the admin password for the system. NICKNAME is a word you pick to identify the CA. FILE is the file with the data.
• ipa-certupdate ; this actually updates the CA database with the new certs
• ipa-server-certinstall -w -d mysite.key mysite.crt, i.e. the files with the key and the actual cert for this system
• systemctl restart httpd.service
  This will probably fail. In /etc/httpd/conf.d/nss.conf, it adds a line like
  NSSNickname "CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US"
  Unfortunately this is a syntax error. To fix it, add \ before the "'s inside the string. Make sure you can restart httpd.service cleanly. I do *not* recommend rebooting the system until that's fixed.
• Now systemctl restart dirsrv@CS-RUTGERS-EDU.service
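An added example to go with the notes above; it is not from the post and not FreeIPA's own tooling. It is a small POSIX shell script for the mechanical parts of the procedure: it splits a chain file into one PEM file per certificate (the "3 obvious sections"), shows each one's subject and issuer with openssl x509 when openssl is installed (a self-signed root, subject equal to issuer, is the "top level" to install first), and builds an nss.conf NSSNickname line with the embedded double quotes escaped the way mod_nss needs them. The chain it runs on is a constructed placeholder whose base64 bodies are not real certificates; the hostname in the demo nickname is invented.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Helpers for the manual
# commercial-cert procedure: split a CA chain, inspect each piece, and build a
# correctly quoted NSSNickname directive for /etc/httpd/conf.d/nss.conf.

# split_chain CHAINFILE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... (one per PEM block, in file order)
# and prints the number of certificates found. Text between blocks is dropped.
split_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$chain"
}

# describe_cert FILE
# Subject and issuer of one certificate. A self-signed root has subject == issuer;
# that is the one to hand to ipa-cacert-manage first. Needs openssl.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# nss_nickname_line NICKNAME
# mod_nss reads NSSNickname as a quoted string, so every double quote inside the
# nickname (from O="Rutgers, ..." in the post) must be written as \".
nss_nickname_line() {
    escaped=$(printf '%s' "$1" | sed 's/"/\\"/g')
    printf 'NSSNickname "%s"\n' "$escaped"
}

# Demo on constructed input: the PEM bodies are placeholders, not real certs.
demo() {
    work=$(mktemp -d)
    cat > "$work/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURfUk9PVA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURfSU5URVJNRURJQVRF
-----END CERTIFICATE-----
EOF
    count=$(split_chain "$work/chain.pem" "$work/split")
    echo "chain contains $count certificate(s)"
    if command -v openssl >/dev/null 2>&1; then
        for f in "$work"/split/cert-*.pem; do
            echo "== $f"
            describe_cert "$f" 2>/dev/null || echo "(placeholder body, not parseable)"
        done
    fi
    # Hypothetical nickname with an embedded quoted O= component.
    nss_nickname_line 'CN=krb1.example.test,O="Rutgers, The State University of New Jersey",C=US'
    rm -rf "$work"
}

demo
```

Feed each cert-N.pem to ipa-cacert-manage in root-first order, then run ipa-certupdate as the notes say; the NSSNickname line is what the httpd restart step expects to find in nss.conf.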
I probably should have said: this is IPA 4.4 on Centos 7.
On Jul 13, 2017, at 11:02 AM, Charles Hedrick via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Thu, Jul 13, 2017 at 03:02:02PM +0000, Charles Hedrick via FreeIPA-users wrote:
Any idea how to fix this? Can I safely rename the last entry to be Server-Cert? Can I safely run isa-server-upgrade again to make sure it works?
It does look like something in ipa-server-upgrade is looking for a cert with nickname 'Server-Cert' and not finding it, causing the failure.
I don't think certutil offers a way to "rename" a certificate+key but you can certainly export it, delete it, then re-import it with the desired nickname. Then you will need to update 389DS to use the new nickname, and you should be good to go.
Meanwhile, would you raise a ticket about ipa-server-upgrade looking for 'Server-Cert' while the actual server cert nickname may be different?
Thanks, Fraser
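An added example for the answer above; it is not from the thread and not FreeIPA's or Fraser's code. The first half parses certutil -L output and reports which nicknames are backed by a private key (SSL trust column u), which is how to confirm from the listing that there is no Server-Cert entry and which entry is the real server cert, before touching anything; the demo runs it over a constructed copy of the listing from the original post. The second half is the export, delete, re-import sequence as a function: pk12util exports the entry to PKCS#12, openssl pkcs12 rewrites the bag with a new friendlyName (NSS takes the nickname from it on import), certutil -F removes the old cert and key, pk12util imports the renamed bag, and ldapmodify points 389DS at the new nickname through nsSSLPersonalitySSL under cn=RSA,cn=encryption,cn=config. The pwdfile.txt location, the ldap://localhost URI and the Directory Manager bind are assumptions about a stock IPA 4.4 / CentOS 7 layout. Those two functions are only defined, not run, by the demo; back up the NSS DB directory first and restart dirsrv afterwards, as the post does.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA.
# Part 1: read `certutil -d DBDIR -L` output. Part 2: rename an NSS cert+key
# entry via export / delete / re-import and point 389DS at the new nickname.

# parse_certutil_listing FILE -> "nickname<TAB>trustflags" per entry.
# Nicknames may contain spaces, commas and quotes, so the flags are taken from
# the last field and must be three comma-separated groups of NSS trust letters;
# the header's "SSL,S/MIME,JAR/XPI" and "Trust Attributes" do not match.
parse_certutil_listing() {
    awk '
        {
            flags = $NF
            if (flags !~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/) next
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop whitespace + flags
            sub(/^[ \t]+/, "", line)
            print line "\t" flags
        }' "$1"
}

# key_backed_nicknames FILE
# Entries whose SSL trust column starts with "u": the DB holds their private
# key, so these are the only candidates for the server certificate.
key_backed_nicknames() {
    parse_certutil_listing "$1" | awk -F'\t' '$2 ~ /^u/ { print $1 }'
}

# has_nickname FILE NICKNAME -> exit status 0 when the nickname is present.
has_nickname() {
    parse_certutil_listing "$1" |
        awk -F'\t' -v n="$2" '$1 == n { found = 1 } END { exit !found }'
}

# rename_nss_cert DBDIR OLDNICK NEWNICK
# Assumes DBDIR/pwdfile.txt holds the NSS DB password (IPA dirsrv layout).
# The private key passes through the PKCS#12 transit files, so they live in a
# mode-700 temp dir, are protected with a throwaway password, and are removed.
rename_nss_cert() {
    db="$1"; old="$2"; new="$3"
    work=$(mktemp -d) || return 1
    chmod 700 "$work"
    p12pw=$(head -c 24 /dev/urandom | base64)
    pk12util -d "$db" -k "$db/pwdfile.txt" -n "$old" -o "$work/old.p12" -W "$p12pw" || return 1
    # Re-wrap with a new friendlyName; NSS uses it as the nickname on import.
    openssl pkcs12 -in "$work/old.p12" -passin "pass:$p12pw" -nodes -out "$work/bundle.pem" || return 1
    openssl pkcs12 -export -in "$work/bundle.pem" -name "$new" -out "$work/new.p12" -passout "pass:$p12pw" || return 1
    # Delete the old cert together with its key, then import the renamed entry.
    certutil -d "$db" -f "$db/pwdfile.txt" -F -n "$old" || return 1
    pk12util -d "$db" -k "$db/pwdfile.txt" -i "$work/new.p12" -W "$p12pw" || return 1
    rm -rf "$work"
}

# point_dirsrv_at_nickname NEWNICK
# 389DS reads its server cert nickname from nsSSLPersonalitySSL; this prompts
# for the Directory Manager password. Restart the dirsrv instance afterwards.
point_dirsrv_at_nickname() {
    ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W <<EOF
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: $1
EOF
}

# write_sample_listing PATH: constructed copy of the listing from the post.
write_sample_listing() {
    cat > "$1" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE C,,
CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US C,,
CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,,
ipaCert                                                      u,u,u
CS.RUTGERS.EDU IPA CA                                        CT,C,C
CN=krb2.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US u,u,u
EOF
}

demo() {
    listing=$(mktemp)
    write_sample_listing "$listing"
    echo "entries backed by a private key:"
    key_backed_nicknames "$listing"
    if has_nickname "$listing" Server-Cert; then
        echo "Server-Cert is present"
    else
        echo "no Server-Cert nickname: this is what ipa-server-upgrade trips over"
    fi
    rm -f "$listing"
}

demo
```

On a live system the call sequence is rename_nss_cert /etc/dirsrv/slapd-INSTANCE 'CN=krb2.cs.rutgers.edu,...' Server-Cert (the full old nickname, quoted), then point_dirsrv_at_nickname Server-Cert, then the dirsrv restart; re-run the listing check before and after to see that only the nickname changed and the u,u,u entry count stayed the same.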
Fraser Tweedale via FreeIPA-users wrote:
It does look like something in ipa-server-upgrade is looking for a cert with nickname 'Server-Cert' and not finding it, causing the failure.
I don't think certutil offers a way to "rename" a certificate+key but you can certainly export it, delete it, then re-import it with the desired nickname. Then you will need to update 389DS to use the new nickname, and you should be good to go.
Meanwhile, would you raise a ticket about ipa-server-upgrade looking for 'Server-Cert' while the actual server cert nickname may be different?
That could work.
I'd like to see more of the upgrade log though to see where exactly it failed. IIRC it checks the CA cert chain which is where things may be failing but I don't recall seeing this before.
Knowing the current and upgraded versions of IPA would be handy too, including the distro.
rob