There was a previous email about this. I suspect what failed was near the end when it was upgrading the CA. As part of that process it looks at the certificates for LDAP and HTTP. It expects the nicknames in the certificate database to be Server-Cert. However the process of installing a 3rd party cert changes the nickname. The fix is to rename them to Server-Cert, and update the config files that refer to them.
Unfortunately certutil’s rename command doesn’t work for the format of certificate database used by ipa, so you have to remove the cert and put it back with the new nickname. Here’s what the process looked like for me:

certutil -L -d /etc/httpd/alias -n 'krb1-cert' -a -o ~/krb1.cert
certutil -D -d /etc/httpd/alias -n 'krb1-cert'
certutil -A -d /etc/httpd/alias -n "Server-Cert" -t u,u,u -i ~/krb1.cert
emacs /etc/httpd/conf.d/nss.conf
    (change NSSNickname to Server-Cert)

certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU/ -L -a -n 'CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US' -o ~/krb1.cert2
certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU/ -D -n 'CN=krb1.cs.rutgers.edu,OU=SAS,O="Rutgers, The State University of New Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New Brunswick,ST=NJ,postalCode=08901,C=US'
certutil -A -d /etc/dirsrv/slapd-CS-RUTGERS-EDU/ -n "Server-Cert" -t u,u,u -i ~/krb1.cert2
emacs /etc/dirsrv/slapd-CS-RUTGERS-EDU/dse.ldif
    (change nsSSLPersonalitySSL to Server-Cert)

Also, if you’re not using the originally generated certs, removing the process that would update them:

getcert list -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -n Server-Cert
    (find requestid 20171002175930 in output)
getcert stop-tracking -i 20171002175930
getcert list -d /etc/httpd/alias/ -n Server-Cert
getcert stop-tracking -i 20171002175931

A couple of unexpected things happened during this process, but they are probably specific to my system. I had to fixup permissions in /etc/httpd/alias for some reason.

> On Oct 11, 2017, at 12:50 PM, Mark Haney via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7
> (along with updating C7 to 7.4) and it bombed spectacularly. It seems the
> upgrade process doesn't like the GoDaddy SSL cert we supplied for HTTPS only.
> Is there documentation explaining the process with an HTTPS only SSL cert
> for IPA? The last time we tried to set this up it was two weeks worth of
> headaches before we managed to get it working (and I didn't do it, so it
> wasn't documented), I mention that because I got a concussion from slamming
> my head against my desk trying to get it working.
>
> I don't want to replace the CA cert in IPA, just use the GD cert for HTTPS so
> Chrome, et al, won't bark about it.
>
> I've googled this, but there's so much conflicting info, I'm not sure what's
> really good or bad. Seems there are fifteen ways to setup SSL certs, but none
> are clear (to me) on what's the correct method for just HTTPS.
>
> --
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
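The mail above describes the condition the upgrader trips over by hand: the server cert in an NSS database is not nicknamed Server-Cert, the config file points at the other nickname, and certmonger may still be tracking the nickname you no longer serve. The script below is an added pre-upgrade check written for this thread; it is not part of the original mail or of FreeIPA. It assumes the usual layouts of `certutil -L` output (one "nickname   trust-flags" row per cert under a two-line header) and of `getcert list` output ("Request ID '...':" blocks containing a `certificate: type=NSSDB,location='...',nickname='...'` line); the sample outputs, config snippets and request IDs are constructed, modelled on the mail, and the function names are mine.

```python
"""Offline check for the NSS-nickname mismatch the IPA upgrade reports.

Feed it the captured text of `certutil -L -d <db>`, the relevant config
file, and `getcert list`; it reports what would need renaming/repointing.
"""
import re

# Assumed output formats (not taken from the mail): trust flags are three
# comma-separated fields of C/T/c/P/p/u/w letters, and a cert with 'u' in the
# SSL slot is one the database holds a private key for.
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':", re.M)
CERT_LOC_RE = re.compile(
    r"certificate: type=NSSDB,location='([^']*)',nickname='([^']*)'")


def parse_certutil_list(output):
    """Map nickname -> trust flags from `certutil -L -d <db>` output.
    Nicknames may contain spaces and commas (the mail shows a whole DN used
    as a nickname), so split only on the last run of whitespace."""
    certs = {}
    for line in output.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header rows ("Trust Attributes", "SSL,S/MIME,JAR/XPI") never
        # end in a valid trust-flag triple, so they fall out here.
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        certs[parts[0].rstrip()] = parts[1]
    return certs


def key_bearing_certs(certs):
    """Nicknames the database holds a private key for: the only candidates
    for being the server certificate that should be called Server-Cert."""
    return sorted(n for n, t in certs.items() if "u" in t.split(",")[0])


def config_nickname(text, key):
    """Value of `key` in an Apache-style line ("NSSNickname X") or an LDIF
    attribute ("nsSSLPersonalitySSL: X"); None if the key is absent."""
    pat = rf"^\s*{re.escape(key)}(?:\s*:\s*|\s+)(\S.*?)\s*$"
    m = re.search(pat, text, re.M)
    return m.group(1) if m else None


def parse_getcert_list(output):
    """List of (request_id, db_location, nickname) from `getcert list`."""
    tracked = []
    pieces = REQUEST_RE.split(output)  # [prefix, id1, body1, id2, body2, ...]
    for req_id, body in zip(pieces[1::2], pieces[2::2]):
        m = CERT_LOC_RE.search(body)
        if m:
            tracked.append((req_id, m.group(1), m.group(2)))
    return tracked


def tracking_ids_for(getcert_out, location, nickname="Server-Cert"):
    """Request IDs to hand to `getcert stop-tracking -i` when certmonger
    tracks a nickname in this db that you no longer serve."""
    return [r for r, loc, nick in parse_getcert_list(getcert_out)
            if loc == location and nick == nickname]


def audit(certutil_out, config_text, config_key, expected="Server-Cert"):
    """Findings for one database + its config; an empty dict means the
    upgrader's expectation (a cert named `expected`, config pointing at
    it) is already met."""
    certs = parse_certutil_list(certutil_out)
    findings = {}
    if expected not in certs:
        findings["missing_nickname"] = expected
        findings["rename_candidates"] = key_bearing_certs(certs)
    configured = config_nickname(config_text, config_key)
    if configured != expected:
        findings["config_nickname"] = configured
    return findings


# Constructed sample inputs modelled on the mail's httpd database.
HTTPD_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

krb1-cert                                                    u,u,u
EXAMPLE-REALM IPA CA                                         CT,C,C
"""
NSS_CONF = "NSSEngine on\nNSSNickname krb1-cert\n"
DSE_LDIF = "dn: cn=RSA,cn=encryption,cn=config\nnsSSLPersonalitySSL: Server-Cert\n"
GETCERT = """\
Number of certificates and requests being tracked: 1.
Request ID '20171002175931':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
"""

if __name__ == "__main__":
    print(audit(HTTPD_CERTUTIL, NSS_CONF, "NSSNickname"))
    print(tracking_ids_for(GETCERT, "/etc/httpd/alias"))
```

Run it once per database (httpd alias with `NSSNickname`, the dirsrv instance with `nsSSLPersonalitySSL`) before the upgrade; `rename_candidates` is the nickname to export, delete and re-add as Server-Cert, and the request IDs are what you would stop tracking if the tracked cert is no longer the one in use.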