I haven’t had the chance to try this out. My plan was to spin up a backup of the current server and try these settings there and go from there. The less chance that I’ll need to re-do everything going that route.
On January 28, 2021 at 10:59:15 AM, Rob Crittenden (rcrit...@redhat.com) wrote:

Sinh Lam via FreeIPA-users wrote:
> Hi Rob -
>
> The chain should be the same. I’m using a LetsEncrypt certificate and
> have previously had it added but I lapsed in renewing it and now when I
> attempt to update the cert for LDAP it just complains about the peer
> certificate expired. Instead of renewing - I end up regenerating a new
> certificate so hopefully I won’t make a bigger mess of things.

So you're good then with the new cert?

Note that LE *did* recently change their chaining, so be aware of that.

rob

>
> Thanks again.
>
> Sinh
>
>
>
> On January 26, 2021 at 12:02:26 PM, Rob Crittenden (rcrit...@redhat.com) wrote:
>
>> Sinh Lam via FreeIPA-users wrote:
>> > Hi Rob -
>> >
>> > Do you have any instructions on manually doing this? I asked a similar
>> > question a while ago (and excuses aside) but I haven’t responded back
>> > with the requested info. The http cert was updated but I can’t seem to
>> > get the 389-ds certificate to update as well.
>>
>> Assuming the new certificate is from the existing private key and the CA
>> chaining hasn't changed then all that needs to happen is to install the
>> updated certificate. To do so:
>>
>> # systemctl stop dirsrv.target
>> # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-REALM/dse.ldif
>> nsSSLPersonalitySSL: SOMETHING
>> <make a backup/copy of /etc/dirsrv/slapd-REALM/*.db>
>> # certutil -A -d /etc/dirsrv/slapd-REALM -n SOMETHING -t u,u,u -a -i /path/to/certificate.pem
>> # systemctl start dirsrv.target
>>
>> Similarly for the Apache cert stop Apache, backup the cert, copy the new
>> one, restart. The cert is stored as a PEM in /var/lib/ipa/certs/httpd.crt
>>
>> Let me stress again that doing this without ensuring that the private
>> key and the chaining hasn't changed will only make things worse.
>>
>> rob
>>
>> >
>> >
>> >
>> > On January 26, 2021 at 10:17:08 AM, Rob Crittenden via FreeIPA-users
>> > (freeipa-users@lists.fedorahosted.org) wrote:
>> >
>> >> Ahmed ElShafaie via FreeIPA-users wrote:
>> >> > Florence
>> >> > Thank you so much I really appreciated your help.
>> >> > I already did that creating a new ticket using "kinit admin" and it accepts the password, but when I apply ipa-certupdate it returns
>> >> > "ipa: ERROR: Insufficient access: Invalid credentials"
>> >> >
>> >> > Even the DM password is correct.
>> >> >
>> >> > Second, the certificate was created almost a month after. Is there a solution for that?
>> >>
>> >> Are these renewed certificates from the same issuer using the same
>> >> private key? Is the CA chain the same? Is this both the Apache and the
>> >> 389-ds certificate?
>> >>
>> >> If so then it should be fairly straightforward to manually replace the
>> >> certificates.
>> >>
>> >> rob
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
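A pre-flight check for the manual swap Rob describes in the quoted thread, added here as an example and not part of the list discussion or of FreeIPA itself: it compares the certificate currently installed (the PEM that `certutil -L -d /etc/dirsrv/slapd-REALM -n NICK -a` prints, NICK being the nsSSLPersonalitySSL value) against the new PEM on public key and issuer, which is the condition Rob stresses (same private key, same chain), and also refuses a certificate that is already expired. File paths and the nickname are placeholders; only `openssl` is assumed.

```shell
#!/bin/sh
# Pre-check before replacing the 389-ds (or httpd) certificate by hand.
# Passes only when the new PEM carries the same public key as the installed
# certificate (so it belongs to the existing private key), the same issuer
# (so the CA chain has not changed), and has not already expired.
# Assumed inputs: OLD.pem dumped from the NSS database with
#   certutil -L -d /etc/dirsrv/slapd-REALM -n NICK -a > old.pem
# and NEW.pem, the freshly issued certificate.

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Issuer DN as printed by openssl; equal strings mean the same issuer.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer
}

# precheck_cert_swap OLD.pem NEW.pem  -> 0 when the swap is safe, 1 otherwise.
precheck_cert_swap() {
    old="$1" new="$2" rc=0
    if [ "$(pubkey_fp "$old")" != "$(pubkey_fp "$new")" ]; then
        echo "FAIL: public key differs; NEW is not for the installed private key" >&2
        rc=1
    fi
    if [ "$(issuer_dn "$old")" != "$(issuer_dn "$new")" ]; then
        echo "FAIL: issuer differs; the CA chain has changed" >&2
        rc=1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$new" -noout -checkend 0 >/dev/null; then
        echo "FAIL: NEW certificate is already expired" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: same key, same issuer, not expired"
    return "$rc"
}

# Typical use, before the certutil -A step from the thread:
#   precheck_cert_swap old.pem /path/to/certificate.pem && echo "safe to import"
```

If the issuer check fails because the CA re-chained (as Rob notes LetsEncrypt did), the plain certutil -A import is not enough and the chain in the NSS database has to be updated too.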