How do I manually renew Identity Management (IPA) certificates on RHEL6 after they have expired? (Replica IPA Server)
Environment
- Red Hat Enterprise Linux 6
- Red Hat Identity Management (IPA) v3
Issue
In normal operation, renewal of IPA subsystem certificates is expected to work smoothly starting with Red Hat Enterprise Linux 6.4. In practice, renewal sometimes fails, and a manual recovery is necessary once the certificates have already expired.
Resolution
DISCLAIMERS AND WARNINGS
This procedure was tested and has been verified to work. However, it is a complicated and potentially error-prone procedure, so please do not hesitate to contact Red Hat Technical Support for assistance if you have any questions or concerns.
This procedure needs to be run on an IPA Replica. Separate instructions for renewing IPA certificates on IPA Master servers can be found here. For RHEL7 instructions, please visit this page.
CAUTION
BE SURE TO CREATE BACKUPS OF THE FOLLOWING DIRECTORIES AND FILES BEFORE BEGINNING.
- /etc/dirsrv/slapd-REALM/*.db
- /etc/httpd/alias
- /var/lib/certmonger
PROCESS
Step 1: Determine when the IPA certificates were last valid
- In order for this to work, you will need to set the system clock back to a date and time when the certificates were all still valid. First, we need to stop the NTP service:
# service ntpd stop
- To find out when the certificates were still valid, run:
# certutil -d /etc/dirsrv/slapd-<DOMAIN>/ -L -n 'Server-Cert' | grep -i 'after'
# certutil -d /etc/httpd/alias/ -L -n 'Server-Cert' | grep -i 'after'
# certutil -d /etc/httpd/alias/ -L -n 'ipaCert' | grep -i 'after'
- This tells us how far to set the system clock back. We recommend setting the time back to at least 24 hours before the expiration of the certificate that expired first.
IMPORTANT: Do not set the date yet, that step comes a little later.
Step 2: Verify the validity of the 'ipaCert' (RA) certificate
- It is very important that the 'ipaCert' (RA) certificate is valid as it is used by the certmonger service to communicate with the CA. If it is expired, certmonger will not be able to renew the certificates it manages. If the RA certificate is expired, you can export a valid RA certificate from the master IPA server and replace the expired copy on the replica.
[on Master]
- Export the valid RA certificate to ASCII form:
# certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
- Copy the newly exported RA certificate to the replica IPA server:
# scp /tmp/newRAcert.crt <IPA replica host>:/tmp
[On Replica]
- Delete the expired RA certificate:
# certutil -d /etc/httpd/alias -D -n 'ipaCert'
- Import the new RA certificate that was exported from the master IPA server:
# certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
Step 3: Revert the system clock
- Now it's time to set the system clock back to when the certificates were valid with the 'date' command. Again, we recommend setting the clock back to at least 24 hours before the expiration of the certificate that expired first. So, for example, if your certificate expired on 10-30-2013 at 10:26, use the following command (the argument format is MMDDhhmmYYYY):
# date 102910262013
Step 4: Renew Directory Server and Apache server certificates
- Next, we need to renew the Directory Server and the Apache server certificates.
# ipa-getcert list
- For each of the two Request IDs (the Directory Server and the Apache 'Server-Cert' tracking requests), run the following command:
# ipa-getcert resubmit -i [Request ID]
Step 5: Return IPA service to Production
- Restart the world:
# /sbin/service ipa restart
- Restart certmonger:
# /sbin/service certmonger restart
Step 6: Return the system clock to the current time and confirm it is now current
# service ntpd start
# date
Step 7: Verify that the certificates have been renewed
# getcert list
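Added helper, not part of the Red Hat article: a small bash script that turns the "Not After" lines printed by the step 1 certutil commands into the MMDDhhmmYYYY argument used by the step 3 'date' command, i.e. 24 hours before the earliest expiry. It assumes GNU date (as shipped on RHEL) and certutil's "Not After : <date>" line layout; the sample lines are constructed.

```bash
#!/bin/bash
# Added helper, not part of the Red Hat article: turn the "Not After" lines
# printed by the step 1 certutil commands into the MMDDhhmmYYYY argument for
# the step 3 `date` command, i.e. 24 hours before the earliest expiry.
# Assumes GNU date (as on RHEL) and certutil's "Not After : <date>" layout.

# Constructed sample of what the three `certutil ... | grep -i after` commands
# might print on a replica with expired certificates (not real output).
SAMPLE_NOT_AFTER='            Not After : Wed Oct 30 10:26:45 2013
            Not After : Fri Nov 15 08:00:00 2013
            Not After : Mon Nov 04 23:59:59 2013'

# Epoch seconds for one "Not After : <weekday> <Mon> <DD> <hh:mm:ss> <YYYY>"
# line. The weekday word is dropped; only the date and time are needed.
not_after_epoch() {
    d=${1#*: }          # "Wed Oct 30 10:26:45 2013"
    d=${d#* }           # "Oct 30 10:26:45 2013"
    date -d "$d" +%s
}

# Earliest expiry (epoch seconds) across all "Not After" lines given in $1.
# Returns 1 if no line could be parsed, so callers do not get a bogus value.
earliest_expiry() {
    min=""
    while IFS= read -r line; do
        case $line in *"Not After"*) ;; *) continue ;; esac
        e=$(not_after_epoch "$line") || return 1
        if [ -z "$min" ] || [ "$e" -lt "$min" ]; then min=$e; fi
    done <<EOF
$1
EOF
    [ -n "$min" ] || return 1
    printf '%s\n' "$min"
}

# Argument for `date MMDDhhmmYYYY`: 24 hours before the earliest expiry,
# formatted in local time, which is what the date command sets.
clock_target() {
    min=$(earliest_expiry "$1") || return 1
    date -d "@$((min - 86400))" +%m%d%H%M%Y
}

# Example run: with the sample above this prints 102910262013, matching the
# article's "date 102910262013" for a certificate that expired 10-30-2013 10:26.
clock_target "$SAMPLE_NOT_AFTER"
```

Paste the real output of the three certutil commands in place of the constructed sample; the result is the argument for the step 3 date command and should be checked against the "Not After" lines by eye before the clock is changed.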
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.