stormshift / support

This repo should serve as a central source for reporting issues with stormshift
GNU General Public License v3.0

Install Red Hat Certificates to IPA servers inf1/inf31 #155

Closed rbo closed 7 months ago

rbo commented 7 months ago

Problem with IPA directory manager password.

[root@inf1 cert]# ipa-server-certinstall -w wildcard-coe.enc.key wildcard-coe.chain.cert 
Directory Manager password: 

Enter private key unlock password: 

Insufficient access:  Invalid credentials
The ipa-server-certinstall command failed.

Tried numerous passwords via: [root@inf1 cert]# ldapsearch -x uid=rbohne -D 'cn=Directory Manager' -W

Find the right one... Document in bitwarden.

rbo commented 7 months ago

Certificates stored here: https://gitlab.consulting.redhat.com/coe-lab/certificates

rbo commented 7 months ago

[root@inf1 cert]# ipa-server-certinstall  -w wildcard-coe.enc.key wildcard-coe.full-chain.cert 
Directory Manager password: 

Enter private key unlock password: 

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
[root@inf1 cert]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@inf1 cert]# 

rbo commented 7 months ago

Problem: Webserver doesn't deliver intermediate certificate.

rbo commented 7 months ago

Install Red Hat Root & Intermediate:

[root@inf1 cert]# ipa-cacert-manage install root.cert 
Installing CA certificate, please wait
Verified E=infosec@redhat.com,CN=Internal Root CA,OU=Red Hat IT,O=Red Hat\, Inc.,L=Raleigh,ST=North Carolina,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@inf1 cert]# ipa-cacert-manage install intermediate.cert 
Installing CA certificate, please wait
Verified CN=2023 Certificate Authority RHCSv2,OU=prod,O=Red Hat
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@inf1 cert]# ipa-cacert-manage list
COE.MUC.REDHAT.COM IPA CA
E=infosec@redhat.com,CN=Internal Root CA,OU=Red Hat IT,O=Red Hat\, Inc.,L=Raleigh,ST=North Carolina,C=US
CN=2023 Certificate Authority RHCSv2,OU=prod,O=Red Hat
The ipa-cacert-manage command was successful
[root@inf1 cert]# ipa-certupdate
Connection to https://inf1.coe.muc.redhat.com/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
Systemwide CA database updated.
The ipa-certupdate command was successful
[root@inf1 cert]# 

rbo commented 7 months ago

Replication to inf31 works for cacert as well:

[root@inf31 ~]# ipa-cacert-manage list
COE.MUC.REDHAT.COM IPA CA
E=infosec@redhat.com,CN=Internal Root CA,OU=Red Hat IT,O=Red Hat\, Inc.,L=Raleigh,ST=North Carolina,C=US
CN=2023 Certificate Authority RHCSv2,OU=prod,O=Red Hat
The ipa-cacert-manage command was successful

rbo commented 7 months ago

Make sure:

[root@inf31 ~]#  ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
[root@inf31 ~]# 

rbo commented 7 months ago

[root@inf31 cert]# ipa-server-certinstall  -w wildcard-coe.enc.key wildcard-coe.chain.cert
Directory Manager password: 

Enter private key unlock password: 

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
[root@inf31 cert]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@inf31 cert]# 

Replication tested as well. DONE!
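The thread's second problem (web server not delivering the intermediate certificate, fixed by reinstalling with the full-chain file) can be reproduced and checked offline. The script below is an added example and not part of the issue or the stormshift repo; it builds a throw-away root/intermediate/leaf chain with openssl (all names constructed) and shows that a client trusting only the root cannot verify a leaf served alone, but can verify the leaf plus intermediate bundle.

```shell
# Added example, not from the stormshift issue: why the web server must hand
# out the intermediate certificate. Builds a throw-away root -> intermediate ->
# leaf chain with openssl (all names below are constructed for the demo), then
# checks what a client trusting only the root can verify from what the server sends.
set -eu
WORK=$(mktemp -d)

# issue NAME SUBJECT IS_CA [ISSUER]: key + cert under $WORK; no ISSUER = self-signed
issue() {
  name=$1 subj=$2 is_ca=$3 issuer=${4:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key" 2>/dev/null
  if [ -z "$issuer" ]; then
    # self-signed root; openssl req -x509 marks it CA:TRUE by default
    openssl req -x509 -new -key "$WORK/$name.key" -subj "$subj" -days 2 \
      -out "$WORK/$name.crt" 2>/dev/null
    return
  fi
  if [ "$is_ca" = yes ]; then ext='basicConstraints=critical,CA:TRUE'
  else ext='basicConstraints=CA:FALSE'; fi
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}
# cert_count FILE: number of PEM certificates in a bundle (1 = leaf only)
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_served ROOT SERVED: can a client that trusts only ROOT verify the first
# cert in SERVED, using the other certs in SERVED as untrusted helpers? This is
# what a TLS client does with the certificate list it receives in the handshake.
verify_served() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

build_demo_chain() {
  issue root         '/O=Demo/CN=Demo Root CA'         yes
  issue intermediate '/O=Demo/CN=Demo Intermediate CA' yes root
  issue leaf         '/CN=*.demo.example'              no  intermediate
  # what a correctly configured server sends: leaf first, then the intermediate
  cat "$WORK/leaf.crt" "$WORK/intermediate.crt" > "$WORK/fullchain.pem"
}
build_demo_chain
for served in leaf.crt fullchain.pem; do
  if verify_served "$WORK/root.crt" "$WORK/$served"; then
    echo "$served ($(cert_count "$WORK/$served") certs): client can build the chain"
  else
    echo "$served ($(cert_count "$WORK/$served") certs): verify FAILED, intermediate missing"
  fi
done
```

Against a live server, the same check is `openssl s_client -showcerts -connect host:443` fed into verify_served in place of the constructed bundle.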