我们的网络中运行着 2 个 FreeIPA 服务器,今天我们发现了这一点:https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
我们正在使用的中间 CA 之一已过期,我们无法再连接到 LDAP。
我们在日志中发现以下错误:
ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired
检查 CA 链时,我们得到以下结果:
# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443
verify depth is 5
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com
notAfter=Sep 16 23:59:59 2021 GMT
verify return:1
2020 年 5 月 30 日之前的所有商品基本上都已过期
我如何删除或更新那些过期的 CA 和中间件?
答案1
以下是更新 CA 的方法
1)我建议在之前对 LDAP 进行完整备份
2)将日期更改为2020年5月30日之前
date -s "Fri May 29 12:05:19 EDT 2020"
3)在 NSS DB 中查找除“IPA CA”之外的旧证书
$ ipa-cacert-manage list | grep -v 'IPA CA'
OLDCA
OLD-Intermediate-1
4) 从所有 NSS DB 中删除旧证书
$ cat dblist.txt
/etc/ipa/nssdb
/etc/pki/pki-tomcat/alias
/etc/httpd/alias
/etc/dirsrv/slapd-EXAMPLE-COM (Replace EXAMPLE-COM with your realm)
/etc/httpd/alias
$ for DB in `cat dblist.txt`; do /usr/bin/certutil -d $DB -D -n OLDCA; done
$ for DB in `cat dblist.txt`; do /usr/bin/certutil -d $DB -D -n OLD-Intermediate-1; done
5)找到你的基础 DN
$ cat /etc/ipa/default.conf | grep basedn
basedn = dc=example,dc=com
6) 从 LDAP 中查找除 IPA CA 之外的旧证书,将“dc=example,dc=com”替换为步骤 5 中的 basedn
$ ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=com | grep ^dn: | grep -v 'IPA CA'
dn: cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
dn: cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
7)删除 IPA CA 以外的旧 LDAP 证书
$ ldapdelete -h localhost -p 389 -D cn=directory\ manager -W "cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"
$ ldapdelete -h localhost -p 389 -D cn=directory\ manager -W "cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"
8)找到新的工作链,就我而言,它来自这里:https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates?retURL=%2Fapex%2FCom_KnowledgeWeb2Casepagesectigo&popup=false
[Download] SHA-2 Root : USERTrust RSA Certification Authority
[Download] Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]
9)安装新证书
$ echo "passw0rd" | kinit admin
$ ipa-cacert-manage -p "passw0rd" -n NEWCA -t C,, install NEWCA.crt
$ ipa-cacert-manage -p "passw0rd" -n NEW-Intermediate -t C,, install NEW-Intermediate.crt
$ ipa-certupdate
$ ipa-server-certinstall -w -d star.example.com.key star.example.com.crt --pin="passw0rd" --dirman-password="passw0rd"
$ ipa-cacert-manage list
EXAMPLE.COM IPA CA
NEWCA
NEW-Intermediate
The ipa-cacert-manage command was successful
10)更新日期并重启
答案2
我可以修复这个问题:
获取更新的证书:https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO
ipa-cacert-manage -p xxxxxxxx -t C,, 安装 SHA-2\ Root\ \ USERTrust\ RSA\ Certification\ Authority.crt
ipa-cacert-manage -p xxxxxxxx -t C,, 安装 SectigoRSADomainValidationSecureServerCA.crt
将您的日期推迟:
日期 -s“2020 年 5 月 29 日”
kinit 管理员
ipa-证书更新