John Doe via FreeIPA-users wrote:
> Thank you so much for your support. Your comments set me on the right
> track. Namely that the problem wasn't on the IPA side but on the
> Windows side. The name of the template is 'SubCA' and with the
> following command, I was able to get the CSR signed:
>
> certreq -submit -attrib CertificateTemplate:SubCA
>
> I could then get the cert installed into the IPA using:
>
> sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer

This updates the CA itself with its new certificate but it doesn't
update the CA trust on the server nor any clients. You have to run
ipa-certupdate everywhere to do that. Of course it requires TLS to run
so you're in a bit of a pickle because all the other certs are also
expired.

> The main problem here is that the CA certificate expired before I
> renewed it. That's by intent as I wanna try out the steps needed to
> remedy a situation such as that as well as what to do when you renew
> the cert before it expires.

It depends. When a CA expires so do all of the certificates it issued
(or they should). So literally no certs are valid. You'd have to
re-issue the world. Which is hard because your CA won't start because
all but its own certificate is expired.

> Although it looks like the renewed cert has gotten installed, I'm
> still not able to login using the GUI:
>
> [jdoe@lab002 ~]$ ipa find user
> ipa: ERROR: cannot connect to 'https://lab002.labnet.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
> [jdoe@lab002 ~]$
>
> I tried running the following, it was successful, but the problem
> still persists:
>
> [jdoe@lab002 ~]$ sudo ipa-cert-fix
> The ipa-cert-fix command was successful
> [jdoe@lab002 ~]$
> [jdoe@lab002 ~]$ sudo ipa-getcert list|egrep "status|subject|expires|stuck"
> status: CA_UNREACHABLE
> stuck: no
> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
> expires: 2023-10-20 08:12:29 CEST
> status: CA_UNREACHABLE
> stuck: no
> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
> expires: 2023-10-20 08:12:29 CEST
> status: CA_UNREACHABLE
> stuck: no
> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
> expires: 2023-10-20 08:12:29 CEST
> [jdoe@lab002 ~]$

Can I ask why it's October? I assume you're twiddling with time?

> What am I missing or doing wrong?

Don't let things expire and you'll avoid a whole ton of headache.
IPA/certmonger will not warn you of the impending doom of expired
certificates (beyond perhaps log messages). ipa-healthcheck will to
some degree if you run it and examine the results.

rob

> On Mon, 4 Sep 2023 at 08:27, Alexander Bokovoy <[email protected]> wrote:
>
> > On Sun, 03 Sep 2023, John Doe via FreeIPA-users wrote:
> > > I'm currently trying to evaluate if we may use IPA server to help
> > > manage our park of Linux Clients.
> > > When installing the IPA server I used the following commands:
> > >
> > > sudo ipa-server-install --external-ca --external-ca-type=ms-cs
> > > sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
> > >
> > > Now when the CA certificate in Windows expired, I used Certificate
> > > Authority Manager to renew the CA certificate.
> > > I'm now struggling trying to figure out how to renew the IPA
> > > certificate. This is what I've tried:
> > >
> > > sudo ipa-cacert-manage --external-ca --external-ca-type ms-cs renew
> > >
> > > On the Windows server I'm forced to use the certreq command in CLI
> > > as the GUI Manager only complains of the CSR being the wrong type.
> > > And I'm only having success in using the WebServer template. No
> > > other templates work. And I'm assuming the
> > > SubordinateCertificationAuthority template is the one that should
> > > be used?
> > >
> > > certreq -submit -attrib CertificateTemplate:WebServer
> >
> > You want to deploy a CA, not a web server, so you should be using the
> > right subCA template.
> >
> > Section 7.1 of RHEL IdM documentation for installing IdM tells about it:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/assembly_installing-an-ipa-server-without-dns-with-external-ca_installing-identity-management
> >
> > -------
> > In certain scenarios, the Active Directory (AD) administrator can use
> > the Subordinate Certification Authority (SCA) template, which is a
> > built-in template in AD CS, to create a unique template to better suit
> > the needs of the organization. The new template can, for example, have
> > a customized validity period and customized extensions. The associated
> > Object Identifier (OID) can be found in the AD Certificates Template
> > console.
> >
> > If the AD administrator has disabled the original, built-in template,
> > you must specify the OID or name of the new template when requesting a
> > certificate for your IdM CA. Ask your AD administrator to provide you
> > with the name or OID of the new template.
> >
> > If the original SCA AD CS template is still enabled, you can use it by
> > specifying --external-ca-type=ms-cs without additionally using the
> > --external-ca-profile option. In this case, the subCA external CA
> > profile is used, which is the default IdM template corresponding to
> > the SCA AD CS template.
> > -------
> >
> > So most likely your SCA AD CS template got disabled by the admin?
> >
> > > Back on the IPA server, I try installing the signed certificate:
> > >
> > > sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer
> > >
> > > But this only complains on the cert missing some basic constraints.
> > > Comparing the CSR generated during the install of the IPA server
> > > and the CSR generated with the ipa-cacert-manage renew command,
> > > I see that they differ in that the renew CSR is missing the .S.u.b.C.A
> > >
> > > Does anyone have any insights into what's missing in the procedure?
> >
> > Check configuration of your AD CS setup, maybe the built-in template
> > for subCA is disabled and not available anymore.
> >
> > --
> > / Alexander Bokovoy
> > Sr. Principal Software Engineer
> > Security / Identity Management Engineering
> > Red Hat Limited, Finland
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
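Added example, not part of the thread and not FreeIPA's own code: a stdlib-only Python pre-flight check for the .cer file that AD CS hands back, covering the two failure modes discussed above. First, the "missing basic constraints" rejection from ipa-cacert-manage when the CSR was signed with the WebServer template instead of SubCA (a CA certificate must carry basicConstraints with cA=TRUE). Second, the expiry that, as Rob notes, IPA/certmonger will not warn you about ahead of time. The code walks just enough DER to read notAfter and the basicConstraints flag; it does not verify the signature or the chain. The sample certificates are constructed in the block itself (unsigned, dummy key and signature, for test input only), and every function name is this example's own assumption, not an IPA or AD CS API.

```python
import base64
import datetime as dt

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # id-ce-basicConstraints, 2.5.29.19

def _read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """All (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                        # RFC 5280 two-digit-year pivot at 50
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def inspect_cert(der):
    """Return (notAfter, is_ca). is_ca is False when basicConstraints is absent or
    its cA flag is not TRUE, which is what a WebServer-template cert looks like."""
    _, cert, _ = _read_tlv(der)
    fields = _children(_children(cert)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                            # [0] EXPLICIT version
        fields = fields[1:]
    # serial, sigAlg, issuer, validity, subject, spki, [uniqueIDs], [3] extensions
    not_after = _parse_time(*_children(fields[3][1])[1])
    is_ca = False
    for tag, val in fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in _children(_children(val)[0][1]):
            parts = _children(ext)                      # extnID, [critical], extnValue
            if parts[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            seq = _children(parts[-1][1])               # OCTET STRING -> BasicConstraints SEQUENCE
            inner = _children(seq[0][1]) if seq else []
            is_ca = any(t == 0x01 and v == b"\xff" for t, v in inner)
    return not_after, is_ca

def check_ca_cert(der, now, warn_days=30):
    """Pre-flight verdict on a CA certificate: wrong template and/or close to expiry."""
    not_after, is_ca = inspect_cert(der)
    days_left = (not_after - now).days
    problems = []
    if not is_ca:
        problems.append("not a CA certificate: basicConstraints cA is not TRUE (wrong AD CS template?)")
    if days_left < 0:
        problems.append("expired: every certificate it issued is invalid too")
    elif days_left < warn_days:
        problems.append(f"expires in {days_left} days: renew, then run ipa-certupdate everywhere")
    return {"not_after": not_after, "is_ca": is_ca, "days_left": days_left, "problems": problems}

def load_cert(path):
    """Read a .cer as AD CS writes it: raw DER, or base64 between -----BEGIN/END----- lines."""
    data = open(path, "rb").read()
    if not data.lstrip().startswith(b"-----"):
        return data
    return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))

# Constructed sample certificates (example's own): unsigned, dummy key and signature.
def _tlv(tag, content):
    n = len(content)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + content

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def utc(y, m, d):
    return dt.datetime(y, m, d, tzinfo=dt.timezone.utc)

def make_sample_cert(not_after, ca):
    """ca=True -> cA TRUE; ca=False -> extension present but cA FALSE (DER omits the
    default); ca=None -> no basicConstraints extension at all."""
    def gtime(d):
        return _tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())
    name = _seq(_tlv(0x31, _seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x0C, b"sample"))))
    alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))  # sha256WithRSA
    exts = b""
    if ca is not None:
        bc = _seq(_tlv(0x01, b"\xff")) if ca else _seq()
        exts = _tlv(0xA3, _seq(_seq(_tlv(0x06, OID_BASIC_CONSTRAINTS), _tlv(0x01, b"\xff"), _tlv(0x04, bc))))
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), alg, name,
               _seq(gtime(utc(2023, 1, 1)), gtime(not_after)), name,
               _seq(alg, _tlv(0x03, b"\x00" + b"\x01" * 16)), exts)
    return _seq(tbs, alg, _tlv(0x03, b"\x00" * 33))
```

Usage against a real file is check_ca_cert(load_cert("ipa.cer"), dt.datetime.now(dt.timezone.utc)): an empty "problems" list means the cert is a CA cert and not due for renewal within warn_days. Run it both before handing the file to ipa-cacert-manage (catches the wrong-template case before IPA does) and periodically from cron or alongside ipa-healthcheck (catches the expiry before the whole deployment stops talking TLS). It deliberately checks nothing the signature or chain would tell you; that is IPA's job once the file is installed.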
