antevens / letsencrypt-freeipa

Scripts to automate installation, configuration and renewal of LetsEncrypt certificates on FreeIPA Servers.
MIT License
59 stars 17 forks

Instructions on how to revert back to the initial cert #18

Closed yougotborked closed 4 years ago

yougotborked commented 4 years ago

Hi, my renewal failed for some reason, and as such I am unable to get a new certificate, because ipa dnsrecord-mod fails due to SSL checks preventing ipa dnsrecord-mod from working:

Running manual-auth-hook command: ipa dnsrecord-mod ${CERTBOT_DOMAIN#*.}. _acme-challenge.${CERTBOT_DOMAIN}. --txt-rec=${CERTBOT_VALIDATION}
manual-auth-hook command "ipa dnsrecord-mod ${CERTBOT_DOMAIN#*.}. _acme-challenge.${CERTBOT_DOMAIN}. --txt-rec=${CERTBOT_VALIDATION}" returned error code 2
Error output from manual-auth-hook command ipa:
ipa: ERROR: lab.my.domain.: DNS zone not found

I'm able to manually change the date on the system, and once I do that, I'm able to interact/change settings and restart and log into IPA. ipa dnszone-find works once I change the date.

Running the renewal script, though, fails in certbot, I'm assuming because of the changed date with its own SSL-related checking:

An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib64/python3.7/socket.py", line 752, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 334, in connect
    conn = self._new_conn()
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 169, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f1072d2fb90>: Failed to establish a new connection: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f1072d2fb90>: Failed to establish a new connection: [Errno -2] Name or service not known'))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f1072d2fb90>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Please see the logfiles in /var/log/letsencrypt for more details.

Is there a general instruction on how to revert back to the original self-signed cert? Uninstalling this mod? I think I need to run these commands, but I'm not sure which certificate to use: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

antevens commented 4 years ago

I don't have any specific instructions for reverting back to the self-signed certs, but as you discovered the topic is documented by the FreeIPA team and you should be able to use their instructions to revert.

As far as which certificate to use, you can just re-create it since it's a self-signed cert; I also believe the old cert and CA should be in the dogtag CA on the system.

If you have updated the DNS records with the new challenge, you should also be able to manually update the cert by going step by step through the commands the script does.

yougotborked commented 4 years ago

Thanks, I thought the same thing, and was able to get it going.

For anyone else who may run into this:

  1. Comment out/remove the --quiet --manual-auth-hook --noninteractive arguments within the renewal shell script
  2. Run the renewal shell script
  3. It should pause, waiting for you to manually update the TXT record.
  4. Stop chronyd and change your system date to be within the expiration date of the expired LetsEncrypt cert
  5. ipactl restart
  6. On the machine in question and all replicas, manually update the TXT record using the paused certbot output
  7. Confirm via an external service (I used https://mxtoolbox.com/TXTLookup.aspx) that the TXT record is updated
  8. Continue the certbot process
  9. ipa-server-certinstall may still fail. If so, run it manually with the arguments provided by the certbot output.
  10. Restart chronyd
  11. ipactl restart
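Step 7 above (confirming that the _acme-challenge TXT record is visible before letting the paused certbot run continue) can be done from the command line instead of a web lookup tool. The script below is an added example written for this thread; it is not part of the letsencrypt-freeipa project and not code from either commenter. It assumes `dig` is installed, that the public resolver to query is passed in by the caller, and that the domain and validation token shown in the usage comment are constructed placeholders (certbot prints the real ones while it is paused).

```shell
#!/bin/sh
# Added example (not from the letsencrypt-freeipa project): poll a public
# resolver until the _acme-challenge TXT record certbot is waiting for shows
# up, so the paused certbot run is only continued once validation can succeed.
# Assumptions: `dig` is on PATH; domain, token and resolver come from the caller.

# Return 0 if the expected token appears as one of the TXT strings in
# `dig +short TXT` style output (one quoted string per line), else 1.
# Pure text check, so it can be exercised without network access.
txt_output_has_token() {
    _output="$1"
    _token="$2"
    printf '%s\n' "$_output" | tr -d '"' | grep -Fxq -- "$_token"
}

# Ask the given resolver (default: a public one) for the challenge record.
query_challenge_txt() {
    _domain="$1"
    _resolver="${2:-8.8.8.8}"
    dig +short @"$_resolver" TXT "_acme-challenge.${_domain}."
}

# Poll until the token is visible or the attempt budget is exhausted.
# Arguments: domain token [resolver] [attempts] [delay-seconds]
wait_for_challenge_txt() {
    _domain="$1"
    _token="$2"
    _resolver="${3:-8.8.8.8}"
    _attempts="${4:-12}"
    _delay="${5:-10}"
    _i=0
    while [ "$_i" -lt "$_attempts" ]; do
        _out=$(query_challenge_txt "$_domain" "$_resolver")
        if txt_output_has_token "$_out" "$_token"; then
            echo "TXT record for _acme-challenge.${_domain} is visible via ${_resolver}"
            return 0
        fi
        _i=$((_i + 1))
        sleep "$_delay"
    done
    echo "TXT record for _acme-challenge.${_domain} not visible after ${_attempts} attempts" >&2
    return 1
}

# Usage (constructed placeholder values; uncomment to run against real DNS):
# wait_for_challenge_txt ipa.example.test 'CONSTRUCTED-TOKEN-FROM-CERTBOT-OUTPUT' 8.8.8.8 12 10
```

Querying a resolver outside your own infrastructure matters here: the FreeIPA server's own resolver will answer from the zone it just modified, while Let's Encrypt resolves the record from the public internet, so a record that is only visible locally (for example, not yet replicated to all replicas, as step 6 notes) still fails validation.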