FreeIPA: replacing expired SSL certs (like "AddTrust External CA Root")

Posted: 2020/06/07 04:28:15
by jbsysadmin
Greetings. Like many, I had to track down and remove certs that expired on May 30. I inherited a freeIPA cluster of 3 machines, and have been working on the first. But I am still having problems obtaining and applying replacement certs. Here is the situation:

* In March 2019, a senior engineer applied a chain of certs. He was transitioning from self-signed certs to valid external certs. This included a CAroot and two intermediates.

* On May 30, the CAroot and one intermediate expired. He seemed to have approached a vendor directly for those, but that vendor would not confirm because I am not on their contact list. I had to seek replacements from a school department. (They do not provide support for end-uses like freeIPA.)

* This week, I have been trying to find and remove the expired SSL certs from the first of the freeIPA systems. I believe I removed them all.

* I have been trying to install certs provided by that department. During the time the expired certs were lingering in some places, I was able to run ipa-certupdate after a "ipa-cacert-manage install" attempt. However, after my removal of expired items, I get error "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)"

* The three items provided by the other department don't seem to work. I had taken the steps below.
  - Since I'm using freeIPA, and prior instructions denoted .crt, I convert each with:
    openssl x509 -inform PEM -in <certname>.cer -out <certname>.crt
  - I had tried to use each option separately: 1) "Certificate only, PEM encoded", 2) "Root/Intermediate(s) only, PEM encoded", and 3) "Intermediate(s)/Root only, PEM encoded". Results were:
    ipa-cacert-manage install succeeded against #2
    ipa-cacert-manage install failed against #3: "Peer's Certificate issuer is not recognized."
    ipa-server-certinstall failed against #1: "The full certificate chain is not present in <freeipa_server>.crt, <freeipa_server>.crt.key"
  - I then tried to substitute another option later in email, "Certificate (w/ chain), PEM encoded." Result was:
    ipa-server-certinstall failed: "No matching certificate found for private key from <freeipa_server>.crt.key"

Did I misinterpret the use of what was provided? Where should I be checking to troubleshoot this?
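Added example, not part of the original post or of FreeIPA itself: the openssl checks that separate the three failure messages above (key/cert mismatch, incomplete chain, expiry) before retrying ipa-server-certinstall. It assumes only the openssl CLI and constructs its own throw-away root/intermediate/server chain so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project): checks to
# run on vendor-supplied PEM files before ipa-server-certinstall /
# ipa-cacert-manage. Needs only the openssl CLI; each function returns 0 on pass.

# Key <-> certificate match. A mismatch is what "No matching certificate found
# for private key" reports: the public key in the cert must equal the key's.
cert_matches_key() {  # cert.pem key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Chain check: server cert -> intermediate(s) -> trusted root. "The full
# certificate chain is not present" and "issuer is not recognized" land here.
chain_verifies() {  # server.pem root.pem intermediates.pem
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Will every cert in a PEM bundle still be valid $2 seconds from now?
# (0 = valid right now; a bundle with the expired AddTrust root fails this.)
bundle_valid_for() {  # bundle.pem seconds
    d=$(mktemp -d) || return 1
    awk -v d="$d" '/BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
    rc=0
    for f in "$d"/*.pem; do
        openssl x509 -in "$f" -noout -checkend "$2" >/dev/null 2>&1 || rc=1
    done
    rm -rf "$d"; return $rc
}

# Constructed test material: throw-away root -> intermediate -> server chain
# plus an unrelated key. Subshell body so the cd does not leak to the caller.
make_demo_pki() (  # outdir
    mkdir -p "$1" && cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj /CN=DemoRoot
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj /CN=DemoInter
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out inter.crt
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj /CN=ipa.example.test
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 365 -out server.crt
    openssl genpkey -algorithm RSA -out wrong.key   # key that matches nothing
    cat inter.crt root.crt >chain.pem               # "Root/Intermediate(s) only"
) >/dev/null 2>&1
```

Run `make_demo_pki /tmp/demo` once, then point the three check functions at the vendor's real files in place of the demo ones; the bundle check with a large second argument also shows how soon a chain will hit its next expiry.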