Jesse Prentiss via FreeIPA-users wrote:
> Hello!
>
> We are running VERSION: 4.11.1, API_VERSION: 2.253 - We had an issue where
> our multidomain cert (sectigo/comodo) did not renew. It expired 1/19/2025,
> the new one wasn't issued until 1/26/2025.
>
> If I disable ntp and set the system time to before the old cert expired, I
> regain access to commands like ipa user-show etc. I can kinit as users, and
> if I ignore the bad cert in the web browser I can log in to the WebUI.
>
> I was able to successfully run
> sudo ipa-server-certinstall -d {key} {cert}
>
> Which I guess worked because the directory manager certs weren't due to
> expire until 2026? But I can not run
>
> sudo ipa-server-certinstall -w {key} {cert}
>
> This fails because the new cert is 'not valid before' the fake time. But if
> I set it back to the proper time it fails because the old cert has expired.
>
> And I'm not certain that I'm linking the correct cert file in trying the -k
> option.
>
> I'd seen forums mention --force as an option for ipa-server-certinstall, but
> it does not appear to be an available option. Is that because our version is
> older? Is there any way to emulate this option? I feel like there must be
> some way to tell ipa that we don't care that the old cert is expired (or just
> delete it), but I can't see any way to do so.
>
> Not sure if related but our ipactl status shows that all services except
> pki-tomcatd are running
>
> Any suggestions would be amazing!
User-provided certificates are not renewed by IPA.
There is no force option for ipa-server-certinstall.
I don't know what form your certificate came in, but if you unpack it
into separate files, like CA chain, certificate and private key, then
you can manually replace the existing Apache certificate and key pretty
easily. Backups recommended.
Looking in ssl.conf we can see the cert and key locations.
SSLCertificateFile /var/lib/ipa/certs/httpd.crt
SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
So make a copy of those and then copy over the files from your replacement.
Both files should be root:root and mode 0600. If you have SELinux
enabled, and you should, run restorecon on both files.
If you have a PIN set on the private key it will be set in
/var/lib/ipa/passwds/ipa.example.test-443-RSA where ipa.example.test is
the name of your host. Update that if needed (and save a copy of course).
That should allow your Apache to start in present day.
Then you can run ipa-server-certinstall again to re-replace the files
and do the other things that the tool does.
rob
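As an added example that is not part of this thread and not FreeIPA's own tooling, here is a small shell script that performs the manual swap Rob describes (back up, copy in, root:root 0600, restorecon) and refuses to touch anything if the new cert and key do not belong together or the cert is already expired at the real system time. The two file paths are the ones quoted from ssl.conf; the function names, the backup suffix, and deriving the PIN file name from the host's FQDN are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: manual swap of
# the Apache cert/key on an IPA server with the checks to run before httpd
# is restarted. Paths default to the ones quoted from ssl.conf; the PIN
# file name (<fqdn>-443-RSA), backup suffix and function names are my own
# assumptions based on the reply above.
set -eu

IPA_CERT="${IPA_CERT:-/var/lib/ipa/certs/httpd.crt}"
IPA_KEY="${IPA_KEY:-/var/lib/ipa/private/httpd.key}"
# Assumption: PIN file is <fqdn>-443-RSA, following the reply's example.
IPA_PIN_FILE="${IPA_PIN_FILE:-/var/lib/ipa/passwds/$(hostname -f 2>/dev/null || hostname 2>/dev/null || true)-443-RSA}"

# 0 if the certificate's public key matches the private key. Compares the
# DER SubjectPublicKeyInfo from each side, so RSA and EC keys both work.
cert_matches_key() {
    _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
         | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    _k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# 0 if notAfter is still in the future at the system time right now. This
# is the check the old cert in the thread fails. Run it with ntp back on:
# a rolled-back clock hides the expiry and instead makes the new cert
# fail notBefore (-checkend only looks at notAfter).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Back up the current file beside itself, install the replacement as
# root:root mode 0600 (chown only when actually root), and relabel it
# when SELinux is enabled.
install_private_file() {
    _src="$1"; _dst="$2"
    if [ -e "$_dst" ]; then
        cp -p "$_dst" "$_dst.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$_src" "$_dst"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$_dst"; fi
    chmod 0600 "$_dst"
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -v "$_dst"
    fi
}

# Store the key passphrase where httpd reads it (only needed when the
# replacement key is encrypted). Backed up like the other files.
write_key_pin() {
    if [ -e "$IPA_PIN_FILE" ]; then
        cp -p "$IPA_PIN_FILE" "$IPA_PIN_FILE.bak.$(date +%Y%m%d%H%M%S)"
    fi
    (umask 077; printf '%s' "$1" > "$IPA_PIN_FILE")
}

# Verify the new pair first, then swap both files. Touches nothing and
# returns non-zero on a mismatched or expired bundle, so a bad input
# cannot take httpd down.
replace_httpd_cert() {
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing: $1 does not match $2" >&2; return 1
    fi
    if ! cert_not_expired "$1"; then
        echo "refusing: $1 is expired at the current system time" >&2; return 1
    fi
    install_private_file "$1" "$IPA_CERT"
    install_private_file "$2" "$IPA_KEY"
}

# Typical run as root once the clock is back on real time:
#   ./replace-httpd-cert.sh /path/to/new.crt /path/to/new.key
#   systemctl restart httpd
#   ipa-server-certinstall -w /path/to/new.key /path/to/new.crt
if [ "${1:-}" ] && [ "${2:-}" ]; then
    replace_httpd_cert "$1" "$2"
fi
```

Run it as root after re-enabling ntp, restart httpd, then rerun ipa-server-certinstall -w with the same key and cert so IPA records the change, as the reply suggests. The ipa-server-certinstall invocation mirrors the one in the question; openssl, restorecon and selinuxenabled are the stock tools on an IPA host, and the script skips the SELinux relabel on hosts where SELinux is not enabled.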
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue