Story
Resolution: Done
Normal
rhel-8.10, rhel-10.0, rhel-9.6
rhel-sst-ccs
13
Red Hat Enterprise Linux
CCS 2025-15, CCS 2025-16, CCS 2025-17, CCS 2025-18, CCS 2025-19
Document link:
Section number and name: multiple; basically every place where `ipa-certupdate` or `ipa-cacert-manage` is used
Describe the issue: `ipa-certupdate` and `ipa-cacert-manage` fail if the CA certificate and/or the LDAP server certificates have expired, or if the system cannot validate them.
Impact of this issue: In that scenario every instruction in the docs that runs these tools fails, so the documented renewal procedures cannot be completed.
Suggestions for improvement: Create a new section describing what to do when all certificates have expired, and at every `ipa-certupdate` and `ipa-cacert-manage` instance add a link to it ("if the certificates are expired, do: ..."). The section should cover two cases:
Self-signed IPA CA: on the renewal master run `ipa-cert-fix` and then `ipa-certupdate`. On every other server, get the new CA certificate into the /etc/ipa/ca.crt chain, temporarily change /etc/ipa/default.conf to point at the renewal master, run `ipa-certupdate`, and then revert default.conf. Finally, run `ipa-certupdate` on all clients.
Externally signed IPA CA: on the renewal master, re-use the existing certificate request file (it should be recorded both in the certmonger tracking request and in the CA's CS.cfg) to get the IPA CA certificate signed again by the external CA.
If new CA certificates need to be added to the chain, add them to /etc/ipa/ca.crt (including the newly signed IPA CA certificate) and also add them, one file at a time, to the LDAP NSS database:
~~~
certutil -A -d /etc/dirsrv/slapd-INSTANCE -t CT,C,C -i /path/to/ca.pem -f /etc/dirsrv/slapd-INSTANCE/pwdfile.txt
~~~
Then follow https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renew-with-externally-signed-CA_managing-externally-signed-ca-certificates from point 4 onwards.
Then handle the other replicas as in the self-signed CA case, and finally run `ipa-certupdate` on all clients.
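The procedure above, as an added example script (not code from the IdM docs or from the FreeIPA project). The text-handling helpers are the part worth having at hand: `certutil -A` imports one certificate per call, so a new chain has to be split into single-certificate files, and appending to /etc/ipa/ca.crt should be idempotent so the step can be re-run on every replica. The wrappers that call `ipa-cert-fix`, `ipa-certupdate` and `certutil` are the report's steps for the renewal master, a replica and a client. Assumptions (hypothetical): the renewal master FQDN, the dirsrv instance name and a PEM file with the new chain are passed as arguments, and default.conf points at a server through its `server` and `*_uri` keys.

```bash
#!/usr/bin/env bash
# Added example, not from the IdM docs or FreeIPA. Helpers for the
# "all certificates expired" recovery path. Hypothetical inputs: renewal
# master FQDN, dirsrv instance name, PEM file holding the new CA chain.
set -euo pipefail

IPA_CA_CRT=${IPA_CA_CRT:-/etc/ipa/ca.crt}
IPA_DEFAULT_CONF=${IPA_DEFAULT_CONF:-/etc/ipa/default.conf}

# Split a PEM bundle into one file per certificate and print each path
# (certutil -A imports exactly one certificate per invocation).
split_pem_bundle() {
    local bundle=$1 outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n) }
        f                            { print > f }
        /-----END CERTIFICATE-----/  { close(f); print f; f = "" }
    ' "$bundle"
}

# Base64 body of one PEM certificate with whitespace stripped; used as the
# certificate's identity when comparing files (no openssl/certutil needed).
pem_body() { awk '!/-----/ { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1"; }

# True if the certificate in $1 is already present (identical body) in bundle $2.
cert_in_bundle() {
    local want have tmp f
    want=$(pem_body "$1")
    tmp=$(mktemp -d)
    for f in $(split_pem_bundle "$2" "$tmp"); do
        have=$(pem_body "$f")
        if [ "$want" = "$have" ]; then rm -rf "$tmp"; return 0; fi
    done
    rm -rf "$tmp"
    return 1
}

# Append every certificate from $1 that is missing from $2 (e.g. /etc/ipa/ca.crt).
# Idempotent; prints the number of certificates added.
merge_pem_into() {
    local src=$1 dst=$2 tmp f added=0
    tmp=$(mktemp -d)
    touch "$dst"
    for f in $(split_pem_bundle "$src" "$tmp"); do
        if ! cert_in_bundle "$f" "$dst"; then
            cat "$f" >> "$dst"
            added=$((added + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$added"
}

# Point default.conf at the renewal master after saving a backup; restore_default_conf
# undoes it. Assumes the keys ipa-certupdate reads are server/xmlrpc_uri/jsonrpc_uri.
point_default_conf_at() {
    local master=$1 conf=${2:-$IPA_DEFAULT_CONF}
    cp -p "$conf" "$conf.pre-certupdate"
    sed -i -E \
        -e "s|^(server[[:space:]]*=[[:space:]]*).*|\1$master|" \
        -e "s|^(xmlrpc_uri[[:space:]]*=[[:space:]]*https://)[^/]+(/.*)|\1$master\2|" \
        -e "s|^(jsonrpc_uri[[:space:]]*=[[:space:]]*https://)[^/]+(/.*)|\1$master\2|" \
        "$conf"
}
restore_default_conf() { local conf=${1:-$IPA_DEFAULT_CONF}; mv "$conf.pre-certupdate" "$conf"; }

# Self-signed CA, renewal master: fix the expired certificates, then refresh local stores.
fix_renewal_master_self_signed() { ipa-cert-fix; ipa-certupdate; }

# Externally signed CA, renewal master: once the re-signed IPA CA (plus any new chain
# certs) is in $1, add it to /etc/ipa/ca.crt and, file by file, to the LDAP NSS db of
# dirsrv instance $2. The docs' steps from point 4 onwards still follow this.
import_chain_on_renewal_master_external() {
    local new_chain=$1 ds=$2 tmp f
    merge_pem_into "$new_chain" "$IPA_CA_CRT" >/dev/null
    tmp=$(mktemp -d)
    for f in $(split_pem_bundle "$new_chain" "$tmp"); do
        certutil -A -d "/etc/dirsrv/slapd-$ds" -t CT,C,C -i "$f" -f "/etc/dirsrv/slapd-$ds/pwdfile.txt"
    done
    rm -rf "$tmp"
}

# Any other replica (both cases): new chain into ca.crt, default.conf temporarily at
# the renewal master, ipa-certupdate, then default.conf restored even on failure.
update_replica() {
    local master=$1 new_chain=$2 rc=0
    merge_pem_into "$new_chain" "$IPA_CA_CRT" >/dev/null
    point_default_conf_at "$master"
    ipa-certupdate || rc=$?
    restore_default_conf
    return $rc
}

case "${1:-}" in
    renewal-master-self-signed) fix_renewal_master_self_signed ;;
    renewal-master-external)    import_chain_on_renewal_master_external "$2" "$3" ;;
    replica)                    update_replica "$2" "$3" ;;
    client)                     ipa-certupdate ;;
    "")                         ;;   # no subcommand: only define the helpers
    *) echo "usage: $0 renewal-master-self-signed | renewal-master-external CHAIN.pem DS_INSTANCE | replica MASTER CHAIN.pem | client" >&2; exit 2 ;;
esac
```

Run it with the subcommand for the role of the host you are on (`replica master.example.test new-chain.pem` on each other server, `client` on clients). Only the renewal master needs `ipa-cert-fix`; the replicas and clients are fixed purely by getting the new chain into place and running `ipa-certupdate` against a server whose certificates are already valid, which is why default.conf is pointed at the renewal master for the duration of that call.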