#7283 How to delete/revoke CA in freeipa 4.4.0 if it is damaged
Closed: invalid 6 years ago Opened 6 years ago by mdpopov.

We have a freeipa server 4.40, installed on a CentOS 7.3.1611 build.
We ran into a problem like this one - https://pagure.io/freeipa/issue/6342 , where the server has 2 CA certificates. The first is the old CA certificate. It is incorrect and gives an error: The operation with the certificate can not be completed: Unable to communicate with CMS (AttValue: " or ' expected, line 2, column 14). The second is a correct certificate. But freeipa does not issue new server certificates, because of the problem certificate.

The problem was solved by a rollback to the backup, but I want to know how to delete the incorrect certificate without a rollback.


It's not clear what the issue was.

If you have two separate CA certificates in play, you can add both to the certificate
trust store with ipa-cacert-manage install CERTFILE, then update certificate databases
with ipa-certupdate. Then all CA certificates will be trusted.

But I am not really sure what the problem was - your description is not very clear.
Would you attach the certificates that were used for analysis?

Hello ftweedal!
I did not specifically post the logs, because the problem has already been solved by the rollback.
As I wrote above, the problem is that the old CA certificate was for some reason damaged, but its status in the system remained valid. In the screenshot in the attachment, this is the third certificate, with the name "268304389". Afterwards we created a new CA certificate and tried to revoke this problem certificate. But neither this nor any other operation with this certificate goes through; it brings up the error I wrote about above (The operation with the certificate can not be completed: Unable to communicate with CMS (AttValue: " or ' expected, line 2, column 14).), as also shown in the attachment (in the Russian-localized version).
We thought that by creating a new CA certificate the problem would be resolved, but when trying, for example, to enroll a new client into the system, or to perform replication between the servers, there were errors that pointed to the old certificate.
Therefore the question arises of how to remove a problem certificate.

@mdpopov well, you would remove the certificate from the
cn=certificates,cn=ipa,cn=etc,{basedn} directory in LDAP,
and remove it from all of the NSSDBs (certutil -d PATH -D -n NICKNAME).

And you'd need to make sure that all the certs in your infrastructure are valid
and chain up to the new CA certificate. But it is hard to say more without a more precise
description of what went wrong.

Thx, this is what I need. But please specify what "and remove it from all of the NSSDBs" means.
Where exactly do I need to remove it? How can I know from which database I need to remove the certificate?

@mdpopov the NSSDBs are:

  • /etc/pki/pki-tomcat/alias
  • /etc/httpd/alias
  • /etc/dirsrv/slapd-REALM-NAME (use your actual realm name)
  • /etc/ipa/nssdb

Use the certutil(1) command to list and manage certificates in these NSSDBs.
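
The two answers above (remove the entry from the cn=certificates,cn=ipa,cn=etc,{basedn} container in LDAP and from each NSSDB with certutil) are summarised in the following audit script. It is an added example, not code from the ticket or from the FreeIPA project: REALM and BASEDN are placeholders, the Directory Manager bind and the objectClass/attribute names used for the LDAP search are assumptions based on FreeIPA's certificate-store schema, and the deletion step copies the NSSDB aside before calling the certutil -D command quoted in the thread. The parser for certutil -L output is exercised against constructed sample output so it can be checked without a FreeIPA server.

```shell
#!/bin/sh
# Added example (not from the ticket or the FreeIPA project): audit the four
# NSSDBs and the LDAP CA container named in the thread before removing a CA
# certificate. certutil/ldapsearch are only invoked inside the functions below.

REALM="EXAMPLE-TEST"            # placeholder: use the actual realm name
BASEDN="dc=example,dc=test"     # placeholder: the IPA base DN
NSSDBS="/etc/pki/pki-tomcat/alias /etc/httpd/alias /etc/dirsrv/slapd-$REALM /etc/ipa/nssdb"

# Constructed sample of `certutil -d DB -L` output, used for the self-test.
SAMPLE_CERTUTIL_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu'

# ca_nicknames: read `certutil -L` output on stdin and print the nicknames whose
# SSL trust flags contain C or T, i.e. certificates the DB treats as a CA.
# Nicknames may contain spaces, so the nickname is everything before the last
# column (internal runs of spaces collapse to one).
ca_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[CTcPpuw,]+$/ {
            split($NF, t, ",")          # t[1] = SSL trust flags
            if (t[1] ~ /[CT]/) {        # C or T marks a trusted CA
                $NF = ""                # drop the trust column ...
                sub(/[ \t]+$/, "")      # ... and the trailing whitespace
                print                   # what remains is the nickname
            }
        }'
}

# audit_nssdbs: list the CA nicknames present in each NSSDB from the thread.
audit_nssdbs() {
    for db in $NSSDBS; do
        if [ ! -d "$db" ]; then
            echo "skip: $db (not present on this host)"
            continue
        fi
        echo "== $db"
        certutil -d "$db" -L | ca_nicknames | sed 's/^/  CA: /'
    done
}

# list_ldap_cas: show the CA entries in the container named in the thread.
# objectClass and attribute names are assumed from FreeIPA's cert store schema.
list_ldap_cas() {
    ldapsearch -LLL -x -D "cn=Directory Manager" -W \
        -b "cn=certificates,cn=ipa,cn=etc,$BASEDN" \
        "(objectClass=ipaCertificate)" cn ipaCertSubject ipaCertIssuerSerial
}

# remove_nickname DBDIR NICKNAME: copy the NSSDB aside, then run the certutil
# deletion quoted in the thread. Keeping the copy makes the step reversible.
remove_nickname() {
    [ $# -eq 2 ] || { echo "usage: remove_nickname DBDIR NICKNAME" >&2; return 2; }
    db=$1; nick=$2
    backup="$db.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$db" "$backup" || return 1
    echo "backup of $db kept at $backup"
    certutil -d "$db" -D -n "$nick"
}

case "${1:-}" in
    audit)  audit_nssdbs ;;
    ldap)   list_ldap_cas ;;
    remove) shift; remove_nickname "$@" ;;
    *)      echo "usage: $0 audit | ldap | remove DBDIR NICKNAME" >&2 ;;
esac
```

Run `sh audit.sh audit` on each IPA server first; a CA nickname that appears in only some of the NSSDBs, or in the NSSDBs but not in the LDAP container (`sh audit.sh ldap`), is the inconsistency that removal has to correct on every host.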

Thx!
To hedge against errors, could you send the set of command sequences that we have to carry out?
Also, please tell us how to find the LDAP directory and how to remove the problem certificate from there. Could you send a screenshot of the LDAP directory?

@mdpopov you can use standard LDAP commands (e.g. ldapsearch, ldapmodify, ldapvi) to locate and remove the problematic certificate(s). I mentioned the container where CA certificates are put in an earlier comment (https://pagure.io/freeipa/issue/7283#comment-482194).

I'm going to close this ticket because it is not really an actionable issue.
Please refer further questions to freeipa-users@lists.fedorahosted.org.

Metadata Update from @ftweedal:
- Issue close_status updated to: invalid

6 years ago
