FreeIPA - Replacing expired 3rd party domain certificate - freeipa

I'm using FreeIPA version 4.5
My 3rd party domain certificate expired. Can I just copy the new crt & key files over the old ones (they have the same file names) and restart ipa?
Or do I need to use the ipa-server-certinstall command to install the new certificate?

The problem I ran into was that I could not start the ipa service because of an expired certificate. To get around this issue I completed the following steps:
Changed the server date to a date prior to the cert expiration date by executing: date -s "1 FEB 2019 00:00:00"
Started the ipa service by executing: systemctl start ipa
Changed the server date back to the current date by executing: date -s "17 FEB 2019 11:45:00"
After completing those steps I was then able to execute:
ipa-server-certinstall -p DMPassword -w -d /etc/pki/private/mycert.pem /etc/pki/public/mycert.crt
where the mycert.pem & mycert.crt files are the new key and cert.
Finally I restarted the ipa service by executing: systemctl restart ipa
IPA is now running as expected with the new certificates.

Related

Updating Certificates on OpenShift + Kubernetes 4.6+

Evening!
I'm wondering if anyone could share the steps for updating the certificates on OpenShift + Kubernetes 4.6? I've checked using the below command and some are expired.
find /etc/kubernetes/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
I'm not able to find relevant steps for my UPI install. The following certificates are expired as well.
81789506 lrwxrwxrwx. 1 root root 59 Jan 9 00:32 kubelet-server-current.pem -> /var/lib/kubelet/pki/kubelet-server-2021-06-18-20-35-33.pem
81800208 lrwxrwxrwx. 1 root root 59 Jan 9 00:32 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2021-06-19-13-16-00.pem
Since the API server is offline, I'm not able to renew the certificates via oc commands. All OC commands return an error since the API server ( port 6443 ) is offline. This cluster is installed on VMware using the UPI method. There was a failure sometime back taking the cluster offline. When the cluster was brought back up, the certs were already expired and could not renew since services needed for that were offline I think?
Wondering if anyone managed to recover from this scenario and would be able to help?
Did you check the official doc on that subject?
It may help you
https://docs.openshift.com/container-platform/4.6/backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-3-expired-certs.html
But if you can't login to your cluster, it may be quite difficult...

How to automate to check when a code signing certificate expired

I have a desktop application created with signed binaries and a code signing certificate that expires in a year, just as a reminder I want to keep checking when the certificate expires. Is there a way I can automate this?
You can run openssl command line utility to print the expiration time of the certificate:
openssl x509 -enddate -noout -in <your certificate file>
The output is something like this:
notAfter=Feb 10 12:05:45 2023 GMT
Then you can create a script that will run periodically and will check this value.
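An added example, not code from any of the posts on this page, that turns the openssl x509 -enddate -noout output into a days-remaining figure and an exit status suitable for a cron job. It serves the code-signing question here and is the same check you would run over the FreeIPA key/cert files and the OpenShift find loop above. It assumes openssl is on PATH; the date arithmetic is done in POSIX sh (Howard Hinnant's days_from_civil formula) so it does not depend on GNU date -d. Function names, the warning threshold and the exit codes are my own choices.

```shell
#!/bin/sh
# Added example (not from the original posts): report days until a
# certificate's notAfter and fail when it is close to, or past, expiry.

# Map the abbreviated English month name openssl prints to 1..12.
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's
# days_from_civil), valid for years >= 0. Integer division only.
days_from_civil() {
    _y=$1; _m=$2; _d=$3
    if [ "$_m" -le 2 ]; then _y=$((_y - 1)); fi
    _era=$((_y / 400))
    _yoe=$((_y - _era * 400))
    if [ "$_m" -gt 2 ]; then _mp=$((_m - 3)); else _mp=$((_m + 9)); fi
    _doy=$(( (153 * _mp + 2) / 5 + _d - 1 ))
    _doe=$(( _yoe * 365 + _yoe / 4 - _yoe / 100 + _doy ))
    echo $(( _era * 146097 + _doe - 719468 ))
}

# Convert the line printed by `openssl x509 -enddate -noout`, e.g.
#   notAfter=Feb 10 12:05:45 2023 GMT
# to Unix epoch seconds. openssl always prints this field in GMT, and pads
# single-digit days with a space ("Sep  9"), which word splitting absorbs.
notafter_to_epoch() {
    _ts=${1#notAfter=}
    set -- $_ts                      # $1=Mon $2=day $3=HH:MM:SS $4=year $5=GMT
    _mon=$(month_number "$1") || return 1
    _day=$2
    _h=${3%%:*}; _rest=${3#*:}; _mi=${_rest%%:*}; _s=${_rest#*:}
    _year=$4
    # Drop one leading zero so "08"/"09" are not parsed as invalid octal.
    _h=${_h#0}; _mi=${_mi#0}; _s=${_s#0}
    _days=$(days_from_civil "$_year" "$_mon" "$_day")
    echo $(( _days * 86400 + _h * 3600 + _mi * 60 + _s ))
}

# Whole days from $2 (now, epoch) until $1 (notAfter, epoch), truncated
# toward zero; so 0 means "less than a day either side of expiry".
days_remaining() {
    echo $(( ($1 - $2) / 86400 ))
}

# Check one certificate file. Exit status: 0 = fine, 1 = expires within
# $2 days (default 30), 2 = already expired, 3 = openssl could not read it.
check_cert_file() {
    _file=$1; _warn=${2:-30}
    _line=$(openssl x509 -enddate -noout -in "$_file") || return 3
    _exp=$(notafter_to_epoch "$_line") || return 3
    _now=$(date -u +%s)
    _left=$(days_remaining "$_exp" "$_now")
    printf '%s: %s (%s days remaining)\n' "$_file" "$_line" "$_left"
    if [ "$_exp" -le "$_now" ]; then return 2; fi
    if [ "$_left" -le "$_warn" ]; then return 1; fi
    return 0
}

# Cron usage, e.g. daily: cert_expiry_check.sh /path/to/codesign.crt 30
if [ $# -gt 0 ]; then
    check_cert_file "$@"
fi
```

Wire the non-zero exit into whatever alerts you already have (cron MAILTO, a monitoring check). For the OpenShift layout, feed it the output of the find loop instead of a single file, and run it as root since the kubelet key material is not world-readable.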

puppet server not able to provision itself - certificate verify failed

I installed a new Puppet Server (Version 6.11) on CentOS 8 to get rid of our old 3.8 Installation on CentOS 6.
After the migration of all of our modules and testing them on a CentOS 7 and 8 Server, I now wanted to add the Puppet Server itself as a node.
While the CentOS 7 and 8 Testserver are running fine, I am not able to get the puppet Server itself running as also a puppet client.
I added it as a node with just one Module and tried to run puppet agent:
[root@puppetmaster /]# puppet agent --test --server puppetmaster.th
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetmaster.th
Info: Certificate Request fingerprint (SHA256): E8:F3:69:50:53:43:32:4F:D8:D1:EF:18:17:98:70:15:3C:3B:B6:A1:6B:CA:0F:F0:A4:C3:EF:FE:3B:C5:3C:01
Error: certificate verify failed [unable to get certificate CRL for CN=puppetmaster.th]
Error: Could not run: certificate verify failed [unable to get certificate CRL for CN=puppetmaster.th]
I tried deleting the Certs in /opt/puppetlabs/puppet/ssl/ as well as in /etc/puppetlabs/puppet/ssl and /etc/puppetlabs/puppet/sslmaster/.
I always get the same result. Looking into puppetserver ca list --all I get 3 existing servers:
Signed Certificates:
centos7.th (SHA256) A8:EF:33:B6:92:F2:B7:42:DA:F8:B3:B5:67:DD:5A:68:6E:C1:40:97:23:B7:35:7C:A4:36:52:EB:3A:0D:C9:7F
centos8.th (SHA256) 35:CE:E7:7D:44:5B:93:C0:80:44:DB:75:BE:9C:CF:04:81:02:00:D7:49:D7:51:52:47:38:CA:E6:77:1D:01:19
puppetmaster.th (SHA256) 7E:F5:A4:24:47:F6:90:2D:54:BB:D0:A9:5E:EF:B8:61:C9:E9:D4:7F:AE:68:82:7A:6A:C3:13:F9:21:72:3F:3F alt names: ["DNS:puppetmaster.th", "DNS:puppetmaster", "DNS:puppetmaster.th"] authorization extensions: [pp_cli_auth: true]
The 2 test servers are still running fine (although of course I had to add them again after deleting all the certs).
Now I am a little confused about how to add the puppet server itself as a working agent (which does work fine in the old setup).

Creating certificate with certreq tool where I have csr generated using openssl

I have created CSR using openssl and I want it to be signed by the Microsoft CA using command line with template as webServer.
Got it! This is the way to generate it. On the Microsoft CA server machine, issue the command below:
certreq.exe -submit -attrib "CertificateTemplate:WebServer" certificatesigningrequest.csr

Batch script importing certificate for all users

The below command adds a certificate to trusted root:
certutil.exe -addstore -f "root" "wienticket.cer"
But this seems to add the certificate only for the current user. What changes do I need to make to install it for all users?