We have been using FreeIPA for years with our corporate wildcard certificate; unfortunately one of our intermediate CAs expired yesterday, May 30 2020, and we are no longer able to log in: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired

# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443
verify depth is 5
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com
notAfter=Sep 16 23:59:59 2021 GMT
verify return:1
This is how I installed my current certificates:

# echo "passw0rd" | kinit admin
# ipa-cacert-manage -p "passw0rd" -n OLDCA -t C,, install OLDCA.crt
# ipa-cacert-manage -p "passw0rd" -n OLD-Intermediate -t C,, install OLD-Intermediate.crt
# ipa-certupdate
# ipa-server-certinstall -w -d star.example.com.key star.example.com.crt --pin="passw0rd" --dirman-password="passw0rd"
# ipa-cacert-manage list
EXAMPLE.COM IPA CA
OLDCA
OLD-Intermediate
The ipa-cacert-manage command was successful
What I'm trying to do is replace the expired CA chain with a new chain that I have tested and that works on a new dev server.

When I try to install the new CA and intermediate it doesn't work. I tried:

# echo "passw0rd" | kinit admin
# ipa-cacert-manage -p "passw0rd" -n OLDCA -t C,, install NEWCA.crt

Installing CA certificate, please wait
Command '/usr/bin/certutil -d dbm:/tmp/tmp5bl9pz -A -n OLDCA -t C,, -a -f /tmp/tmp5bl9pz/pwdfile.txt' returned non-zero exit status 255
The ipa-cacert-manage command failed.
I imagine this is because the OLDCA nickname is already in use. I then tried changing the nickname to NEWCA; that seems to work, but when I run 'ipa-certupdate' I don't see it in the output of 'ipa-cacert-manage list'.

Is this the expected behaviour? Am I missing something?
CA chain doesn't get updated
Update CA chain by a new one
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-9.el7_8.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64
CentOS Linux release 7.8.2003
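The s_client output above shows why the chain fails on this host: the bundle still carries the AddTrust External CA Root (depth=3) and the USERTrust cross-certificate that AddTrust issued (depth=2), both with notAfter May 30 2020, while the Sectigo issuing CA and the wildcard leaf are still valid. The standard remediation for this expiry is to stop shipping the AddTrust material so the chain terminates at the self-signed USERTrust RSA root that current trust stores already contain. The script below is an added example and is not part of this ticket or of FreeIPA: it splits a PEM bundle into its certificates, reports each one's subject CN and whether it is already expired (via openssl x509 -checkend 0), and writes a copy of the bundle with the certificate matching a given CN removed. It assumes only that openssl(1) is on PATH; the make_demo_bundle function builds a constructed three-certificate bundle from throwaway self-signed keys (named after the ticket's chain, but not the real Sectigo or AddTrust certificates, and none of them expired) so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA ticket or project: inspect a PEM
# chain bundle certificate by certificate, flag expired ones, and write a
# copy with the certificate whose subject CN matches a given name removed.
# Assumes openssl(1) is on PATH; all file names are caller-supplied.
set -eu

# split_bundle BUNDLE OUTDIR: write each certificate of BUNDLE to
# OUTDIR/cert-NN.pem and echo how many certificates were found.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# cert_cn FILE: echo the subject CN of a single PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_expired FILE: succeed when the certificate's notAfter is already past.
cert_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# prune_bundle BUNDLE DROP_CN OUTFILE: copy BUNDLE to OUTFILE without any
# certificate whose subject CN equals DROP_CN, report each decision on
# stderr, and echo the number of certificates kept.
prune_bundle() {
    bundle=$1 drop=$2 out=$3
    tmp=$(mktemp -d)
    split_bundle "$bundle" "$tmp" >/dev/null
    : > "$out"
    kept=0
    for f in "$tmp"/cert-*.pem; do
        cn=$(cert_cn "$f")
        if cert_expired "$f"; then state=EXPIRED; else state=valid; fi
        if [ "$cn" = "$drop" ]; then
            echo "dropping: $cn [$state]" >&2
        else
            cat "$f" >> "$out"
            kept=$((kept + 1))
            echo "keeping:  $cn [$state]" >&2
        fi
    done
    rm -rf "$tmp"
    echo "$kept"
}

# make_demo_bundle OUTFILE: build a constructed three-certificate bundle from
# throwaway self-signed keys so the functions above can be exercised offline.
# The names only mimic the ticket's chain; these are not the real CA
# certificates and, unlike the real AddTrust root, none of them is expired.
make_demo_bundle() {
    d=$(mktemp -d)
    for name in "Legacy Root" "Modern Root" "Issuing CA"; do
        f=$(printf '%s' "$name" | tr ' ' '_')
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example/CN=$name" -keyout "$d/$f.key" -out "$d/$f.pem" \
            >/dev/null 2>&1
    done
    cat "$d/Issuing_CA.pem" "$d/Modern_Root.pem" "$d/Legacy_Root.pem" > "$1"
    rm -rf "$d"
}

# Usage: sh prune-chain.sh chain.pem "AddTrust External CA Root" chain-new.pem
[ $# -eq 0 ] || prune_bundle "$1" "$2" "$3"
```

Run it twice against the real bundle, once for the AddTrust External CA Root and once for the AddTrust-issued USERTrust cross-certificate, and the remaining file is the chain to hand to ipa-cacert-manage (under a fresh nickname, as the reporter found) before re-running ipa-certupdate. The stderr report is also a quick way to confirm there is no second expired certificate hiding in the bundle before re-importing it.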
CentOS 7 has OpenSSL 1.0.2. OpenSSL before 1.1.0 had issues with building alternative chains. Please try my workaround from https://bugzilla.redhat.com/show_bug.cgi?id=1842174
This is how to update the CA certificate: https://serverfault.com/a/1019451/336680
Metadata Update from @alejandrot: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)