#9417 ipa-server-certinstall does not update service entries in LDAP
Opened a year ago by cheimes. Modified a year ago

Issue

ipa-server-certinstall is used to replace the cert and key of LDAP, HTTP, or KDC with an external certificate. By default these service have a certificate issued by Dogtag. When a user replaces the internally issued certificate with an externally issued certificate, the ipa-server-certinstall command replaces the files / updates the NSSDB. However it does not update the LDAP entry for the service or revoke the internal certificate. ipa service-show and the WebUI still show the old certificate, which can lead to some confusion.

Steps to Reproduce

  1. Install IPA server
  2. Replace the HTTPd certificate with ipa-server-certinstall -w ...
  3. Check the LDAP entry with ipa service-show HTTP/$(hostname)

Actual behavior

The command shows the old certificate, not the new certificate. The old certificate is not revoked.

Expected behavior

  • ipa service-show either shows no certificate or the new certificate.
  • The old internal certificate is revoked.

Version/Release/Distribution

ipa-server-4.10.1-7.el9_2.x86_64

Additional info:

The behavior can be observed in the public demo instance. https://ipa.demo1.freeipa.org/ipa/ui/#/e/service/details/HTTP%2Fipa.demo1.freeipa.org%40DEMO1.FREEIPA.ORG shows the internal certificate, not the external cert from Let's Encrypt.


Metadata Update from @rcritten:
- Issue assigned to rcritten

a year ago

Note: if one saves the original IPA cert and key, then replaces them, then wants to re-install them it's fine (we won't prevent it), but the certificates will be revoked so there could be consequences if OCSP/CRL is enforced. To repair this one would run getcert resubmit on the old certs to obtain new ones (assuming OCSP/CRL is not enforced).

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6920

a year ago

Log in to comment on this ticket.

Metadata