Hi, I hope I got everything right: on client.qc.lrtech.ca you have configured apache, and it should be using a certificate delivered by IPA and monitored by certmonger.

Certmonger is monitoring the cert 'Server-Cert' that is stored in the NSS database /etc/httpd/nssdb. From your description, it looks like the DB contains the cert that you expect (recently renewed). When clients connect to your apache server, they see that it's using an old cert. You mention the /etc/httpd/alias/ NSS database.

So how is apache configured? If apache is using mod_nss, the configuration is usually stored in /etc/httpd/conf.d/nss.conf and contains

NSSNickname='Server-Cert'
NSSCertificateDatabase ...

You need to ensure that NSSCertificateDatabase contains the right path, /etc/httpd/nssdb.

flo

On Thu, Mar 17, 2022 at 2:40 PM Eric Boisvert via FreeIPA-users <[email protected]> wrote:
> Good morning,
>
> > if you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
> > the new root CA will be loaded in the LDAP server with the right trust
> > flags. Then "ipa-certupdate" will download it from the LDAP server and put
> > it into all the relevant NSS databases / files with the right trust flags.
>
> I tried to run ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem
> but I got:
> Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> I don't have any pem file. I use the crt, is it ok?
>
> > There is no real need to remove the old CA certs, even if they expired. But
> > if you really want to clean up things, you need to remove them from the
> > LDAP server. They are located in cn=certificates,cn=ipa,cn=etc,$BASEDN and
> > you will need to find the right LDAP entry/entries and delete them with
> > ldapdelete.
>
> The certificates that I'm trying to remove are not old ones but new ones
> that I didn't create correctly.
>
> One was from March 4th and is not overlapping the old one
> One was from March 1st but with wrong extensions
>
> I tried to use ldapsearch but I need more time to fully understand how it
> works since it's the first time I'm using it.
>
> > Which "old certificate" are you referring to? Are you accessing IPA at
> > https://<hostname>/ipa/ui or accessing a service deployed on your client
> > and protected by the client certificate?
>
> I'm accessing a service on my client. I was able to renew its certificates
> but it's still showing me the old certificate chain in firefox and chrome.
> At least the LDAP is working since we can now connect users to the service.
>
> See getcert list output on my client below:
>
> # getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20211130131728':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=client.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-16 13:17:47 UTC
>         dns: client.qc.lrtech.ca
>         principal name: HTTP/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> See # certutil -L -d /etc/httpd/nssdb/ output below (Bad root and ipa
> certificates, but good server-cert):
> Should I add my new root and ipa certificate manually?
>
> Certificate Nickname                                   Trust Attributes
>                                                        SSL,S/MIME,JAR/XPI
>
> LR Tech ROOT CA                                        CT,C,C
> QC.LRTECH.CA IPA CA                                    CT,C,C
> Server-Cert                                            u,u,u
>
> See # certutil -L -d /etc/httpd/alias/ output below (Old server-cert from
> 2021 and example certificates):
>
> Certificate Nickname                                   Trust Attributes
>                                                        SSL,S/MIME,JAR/XPI
>
> cacert                                                 CTu,Cu,Cu
> beta                                                   u,pu,u
> alpha                                                  u,pu,u
> Server-Cert                                            u,u,u
>
> See # certutil -L -d /etc/ipa/nssdb/ output below (2 new and 2 old
> certificates, everything is ok but done manually):
>
> Certificate Nickname                                   Trust Attributes
>                                                        SSL,S/MIME,JAR/XPI
>
> [email protected],CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA        CT,C,C
> QC.LRTECH.CA IPA CA                                    CT,C,C
> QC.LRTECH.CA IPA CA                                    CT,C,C
> [email protected],CN=LR Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA   CT,C,C
>
> /etc/pki/nssdb is empty
> No /etc/dirsrv/SLAPD-XX/
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
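As an added example (not from Flo's reply, the poster, or the FreeIPA project): a small POSIX shell check for the mismatch Flo suspects, comparing the database and nickname that mod_nss is configured to load (nss.conf) with the ones certmonger actually renews (getcert list). The nss.conf and getcert excerpts embedded below are constructed samples modelled on the thread; the directive names NSSCertificateDatabase and NSSNickname are the real mod_nss ones Flo names.

```shell
#!/bin/sh
# Added example: detect an apache (mod_nss) config that loads a different NSS
# database than the one certmonger is tracking. All inputs are constructed.

# Constructed nss.conf that still points at the old /etc/httpd/alias database.
NSS_CONF_STALE=$(cat <<'EOF'
# Server Certificate:
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256
EOF
)

# Constructed nss.conf after pointing it at the certmonger-managed database.
NSS_CONF_FIXED=$(cat <<'EOF'
NSSCertificateDatabase "/etc/httpd/nssdb"
NSSNickname "Server-Cert"
EOF
)

# Constructed `getcert list` excerpt shaped like the one in the thread.
GETCERT_SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20211130131728':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
EOF
)

# nss_conf_value DIRECTIVE CONF_TEXT
# Prints the value of the first non-comment DIRECTIVE line (quotes stripped).
nss_conf_value() {
  printf '%s\n' "$2" | awk -v key="$1" '
    $1 !~ /^#/ && tolower($1) == tolower(key) {
      v = $2; gsub(/^"|"$/, "", v); print v; exit
    }'
}

# certmonger_field ATTR GETCERT_TEXT
# Prints ATTR (location or nickname) from the "certificate:" line only, so the
# "key pair storage:" line with the same attributes is ignored.
certmonger_field() {
  printf '%s\n' "$2" \
    | sed -n "/^[[:space:]]*certificate:/ s/.*$1='\([^']*\)'.*/\1/p" \
    | head -n 1
}

# cert_source_status CONF_TEXT GETCERT_TEXT
# Prints "MATCH <db> <nickname>" when apache and certmonger agree, otherwise a
# MISMATCH line showing both sides. A trailing slash on either path is ignored.
cert_source_status() {
  css_conf_db=$(nss_conf_value NSSCertificateDatabase "$1")
  css_conf_nick=$(nss_conf_value NSSNickname "$1")
  css_cm_db=$(certmonger_field location "$2")
  css_cm_nick=$(certmonger_field nickname "$2")
  css_conf_db=${css_conf_db%/}
  css_cm_db=${css_cm_db%/}
  if [ "$css_conf_db" = "$css_cm_db" ] && [ "$css_conf_nick" = "$css_cm_nick" ]; then
    echo "MATCH $css_conf_db $css_conf_nick"
  else
    echo "MISMATCH apache=$css_conf_db:$css_conf_nick certmonger=$css_cm_db:$css_cm_nick"
  fi
}

echo "stale config: $(cert_source_status "$NSS_CONF_STALE" "$GETCERT_SAMPLE")"
echo "fixed config: $(cert_source_status "$NSS_CONF_FIXED" "$GETCERT_SAMPLE")"
```

On a real host the two constructed strings would be replaced with the live files, e.g. `cert_source_status "$(cat /etc/httpd/conf.d/nss.conf)" "$(getcert list)"`; a MISMATCH means certmonger is renewing a certificate apache never serves, which is exactly the "old chain in the browser" symptom, and the fix is to correct NSSCertificateDatabase (or move tracking to the database apache uses) and restart httpd.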
