【转载】FreeIPA中间CA证书已过期

转载自https://www.kutu66.com//hulianwang/article_188064

问题:

我们有2个FreeIPA服务器在网络中运行,今天我们发现:https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

中间CA已过期,我们无法连接到LDAP。

日志中有以下错误:


ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)


[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired


检查CA链时,我们得到:


# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443


verify depth is 5


CONNECTED(00000003)


depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root


verify error:num=10:certificate has expired


notAfter=May 30 10:48:38 2020 GMT


verify return:1


depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root


notAfter=May 30 10:48:38 2020 GMT


verify return:1


depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority


verify error:num=10:certificate has expired


notAfter=May 30 10:48:38 2020 GMT


verify return:1


depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority


notAfter=May 30 10:48:38 2020 GMT


verify return:1


depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA


notAfter=Dec 31 23:59:59 2030 GMT


verify return:1


depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com


notAfter=Sep 16 23:59:59 2021 GMT


verify return:1


我如何删除或更新那些已过期的CA?


答案1:

以下是更新CA的方法

1)我建议在之前完整备份LDAP

2)将日期更改为2020年5月30日之前的日期


date -s"Fri May 29 12:05:19 EDT 2020"


3)在NSS DB中查找旧证书(IPA CA除外)'


$ ipa-cacert-manage list | grep -v 'IPA CA'


OLDCA


OLD-Intermediate-1 


4)从所有NSS DB中删除旧证书


$ cat dblist.txt


/etc/ipa/nssdb 


/etc/pki/pki-tomcat/alias


/etc/httpd/alias


/etc/dirsrv/slapd-EXAMPLE-COM (Replace EXAMPLE-COM with your realm)


/etc/httpd/alias



$ for DB in `cat dblist.txt`; do /usr/bin/certutil -d $DB -D -n OLDCA; done


$ for DB in `cat dblist.txt`; do /usr/bin/certutil -d $DB -D -n OLD-Intermediate-1; done


5)找到基础dn


$ cat /etc/ipa/default.conf | grep basedn


basedn = dc=example,dc=com


6)从LDAP中找到IPA CA以外的旧证书,并从步骤5的基础中替换'dc = example,dc = com '


$ ldapsearch -h localhost -p 389 -D cn=directory manager -W -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=com | grep ^dn: | grep -v 'IPA CA'


dn: cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com


dn: cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com


7)删除IPA CA以外的旧LDAP证书


$ ldapdelete -h localhost -p 389 -D cn=directory manager -W"cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"


$ ldapdelete -h localhost -p 389 -D cn=directory manager -W"cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"


8)找到新的可工作的链,在例子中,它是从这里获取:https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates?retURL=/apex/Com_KnowledgeWeb2Casepagesectigo&popup=false


[Download] SHA-2 Root : USERTrust RSA Certification Authority


[Download] Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]


9)安装新的证书


$ echo"passw0rd" | kinit admin



$ ipa-cacert-manage -p"passw0rd" -n NEWCA -t C,, install NEWCA.crt



$ ipa-cacert-manage -p"passw0rd" -n NEW-Intermediate -t C,, install NEW-Intermediate.crt



$ ipa-certupdate



$ ipa-server-certinstall -w -d star.example.com.key star.example.com.crt --pin="passw0rd" --dirman-password="passw0rd" 



$ ipa-cacert-manage list


EXAMPLE.COM IPA CA


NEWCA


NEW-Intermediate


The ipa-cacert-manage command was successful


10 )更新日期并重新启动


答案2:

我修复了这个问题:

抓取更新的证书:https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

ipa-cacert-manage -p xxxxxxxx -t C,, install SHA-2 Root USERTrust RSA Certification Authority.crt 

 

ipa-cacert-manage -p xxxxxxxx -t C,, install SectigoRSADomainValidationSecureServerCA.crt 

设置你的日期:

date -s "29 may 2020" 

 

kinit admin 

 

ipa-certupdate 
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值