FreeIPA certificate renews problem

May 19, 2022 · 1 min read · freeipa ldap  ·
Share on:

近期 FreeIPA SSL 憑證過期了,這邊憑證是自動跟 Let's Encrypt 重新申請,過期了代表出現異常。在這邊紀錄處理過程。

憑證過期了想說重新申請

更新憑證前先把中間憑證裝起來,但在做 ipa-certupdate 時發生錯誤。 跟我說 certificate verify failed,這邊沒有講失敗的原因,我猜測是前端 https 憑證過期了,所以先手動更換 httpd 的憑證。

1[root@ldap script]# ipa-certupdate -v
2・・・・・
3ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: NetworkError: cannot connect to 'https://ldap.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
4ipapython.admintool: ERROR: cannot connect to 'https://ldap.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
5ipapython.admintool: ERROR: The ipa-certupdate command failed.

手動更換 httpd 的憑證

先去跟 Let's Encrypt 重新申請憑證(使用 dns 認證方式),然後將憑證換上並重啟。

 1[root@ldap script]# printf "\n\n"|ipa-server-certinstall -w -d /etc/letsencrypt/live/${IPA_SERVER_HOSTNAME}/privkey.pem /etc/letsencrypt/live/${IPA_SERVER_HOSTNAME}/cert.pem
 2Directory Manager password:
 3Enter private key unlock password:
 4Please restart ipa services after installing certificate (ipactl restart)
 5The ipa-server-certinstall command was successful
 6[root@ldap script]# restorecon -v /var/lib/ipa/certs/httpd.crt
 7[root@ldap script]# ipactl restart
 8ipa: INFO: The ipactl command was successful
 9[root@ldap script]# ipactl status
10ipa: INFO: The ipactl command was successful

錯誤 gost_yescrypt_pwd_storage_scheme_init

Directory Service 啟動失敗

1[root@ldap:/opt/freeipa/build]# docker exec -it ldap.example.com systemctl status dirsrv@HEARTS-TW.service
2ERR - symload_report_error - Netscape Portable Runtime error-5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init

1# seems like a "fix"
2[root@ldap:/opt/freeipa/build]# docker exec -it ldap.example.com dnf downgrade 389-ds-base*

錯誤 更新異常

由於啟動會執行 ipa-server-upgrade 出錯後,資料就毀損了,所以先停止啟動自動更新。

FreeIPA 的 docker image 中,Entrypoint 是設置 /usr/local/sbin/init。 將檔案複製出來並將下面改寫,重啟並使用改寫後的 Entrypoint 檔案。

移除 exec 中的 $SYSTEMD_OPTS 參數。

1[root@ldap /]# cat /usr/local/sbin/init | grep SYSTEMD_OPTS
2                SYSTEMD_OPTS=--unit=ipa-server-upgrade.service
3exec /usr/sbin/init --show-status=false $SYSTEMD_OPTS

操作時查到的指令,確認憑證清單

1getcert list | egrep '^Request|status:|subject:'
2certutil -L -d /etc/pki/pki-tomcat/alias
3certutil -L -d /etc/ipa/nssdb
comments powered by Disqus