0

We have 2 FreeIPA servers running in our network. Today we found this: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

One of the intermediate CAs that we are using expired and we are no longer able to connect to LDAP.

We have these errors in the logs:

ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired

When checking the CA chain this is what we get:

# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443
verify depth is 5
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com
notAfter=Sep 16 23:59:59 2021 GMT
verify return:1

Basically everything before May 30 2020 expired.

How can I remove or update those expired CAs and intermediates?

Alejandro T
  • You should check that openssl (maybe also using `-servername`) works on the sites there (coming from your own link): http://testsites.test.certificatetest.com/ . If not, then you are missing a newer CA trust anchor on the *client* somewhere. If yes, then I'm puzzled, but you should retrieve the newer CAs (with a root CA taking over an expired intermediate CA, using the same CN) to update the *server*. – A.B May 31 '20 at 01:18
  • Also check this: https://superuser.com/questions/1556491/getting-ssl-certificate-error-on-valid-certificate-when-accessing-via-curl/1556497#1556497 – A.B May 31 '20 at 02:44

2 Answers

0

I was able to fix this issue:

Grab the updated cert: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

ipa-cacert-manage -p xxxxxxxx -t C,, install SHA-2\ Root\ \ USERTrust\ RSA\ Certification\ Authority.crt

ipa-cacert-manage -p xxxxxxxx -t C,, install SectigoRSADomainValidationSecureServerCA.crt

Set your date back:

date -s "29 MAY 2020"

kinit admin

ipa-certupdate

0

Here is how to update the CA

1) I recommend a full backup of LDAP before

2) Change the date to something before May 30 2020

date -s "Fri May 29 12:05:19 EDT 2020"

3) Find old certs in NSS DB except 'IPA CA'

$ ipa-cacert-manage  list | grep -v 'IPA CA'
OLDCA
OLD-Intermediate-1 

4) Remove the old certs from all the NSS DBs (replace EXAMPLE-COM with your realm)

$ cat dblist.txt
/etc/ipa/nssdb
/etc/pki/pki-tomcat/alias
/etc/httpd/alias
/etc/dirsrv/slapd-EXAMPLE-COM

$ for DB in $(cat dblist.txt); do /usr/bin/certutil -d "$DB" -D -n OLDCA; done
$ for DB in $(cat dblist.txt); do /usr/bin/certutil -d "$DB" -D -n OLD-Intermediate-1; done

5) Find your base dn

$ cat /etc/ipa/default.conf | grep basedn
basedn = dc=example,dc=com

6) Find old certs from LDAP except the IPA CA, replace 'dc=example,dc=com' by your basedn from step 5)

$ ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=com | grep ^dn: | grep -v 'IPA CA'
dn: cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
dn: cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com

7) Remove old LDAP certs except the IPA CA

$ ldapdelete -h localhost -p 389 -D cn=directory\ manager -W "cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"
$ ldapdelete -h localhost -p 389 -D cn=directory\ manager -W "cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"

8) Find the new working chain, in my case it was from here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates?retURL=%2Fapex%2FCom_KnowledgeWeb2Casepagesectigo&popup=false

[Download] SHA-2 Root : USERTrust RSA Certification Authority
[Download] Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]

9) Install the new certs

$ echo "passw0rd" | kinit admin

$ ipa-cacert-manage -p "passw0rd" -n NEWCA -t C,, install NEWCA.crt

$ ipa-cacert-manage -p "passw0rd" -n NEW-Intermediate -t C,, install NEW-Intermediate.crt

$ ipa-certupdate

$ ipa-server-certinstall -w -d star.example.com.key star.example.com.crt --pin="passw0rd" --dirman-password="passw0rd" 

$ ipa-cacert-manage  list
EXAMPLE.COM IPA CA
NEWCA
NEW-Intermediate
The ipa-cacert-manage command was successful

10) Update the date and reboot

Alejandro T
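A check for the chain state shown in the question, also usable to confirm the result once the procedure above is finished and the clock is back on the real date. This is an added example, not part of the original posts: it parses the verify trace printed by `openssl s_client -verify` and lists each chain element that failed. The function names and both sample traces are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts). Reads the verify trace that
# `openssl s_client -verify N` prints and emits one line per failing chain
# element: depth <TAB> CN <TAB> verify error <TAB> notAfter ("-" if absent).
chain_verify_errors() {
    awk '
        /^depth=/ {
            depth = substr($1, 7)                 # "depth=3" -> "3"
            cn = $0; sub(/^.*CN ?= ?/, "", cn)    # "CN = x" or "CN=x"
            err = ""; na = "-"; next
        }
        /^verify error:/ { err = $0; sub(/^verify error:/, "", err); next }
        /^notAfter=/     { na = substr($0, 10); next }
        /^verify return:/ {
            # The trace can list a depth twice; report each failure once.
            if (err != "" && !seen[depth, err]++)
                printf "%s\t%s\t%s\t%s\n", depth, cn, err, na
            err = ""
        }
    '
}

# Succeeds only when the trace on stdin contains no verify errors.
chain_is_clean() { [ -z "$(chain_verify_errors)" ]; }

# Constructed sample, modelled on the trace in the question (before the fix).
SAMPLE_BEFORE='depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1'

# Constructed sample: the trace a repaired chain is assumed to produce.
SAMPLE_AFTER='depth=1 C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.example.com
verify return:1'

printf '%s\n' "$SAMPLE_BEFORE" | chain_verify_errors
printf '%s\n' "$SAMPLE_AFTER" | chain_is_clean && echo "chain clean"
# Live use: openssl s_client -verify 5 -connect ldap.example.com:443 </dev/null 2>&1 | chain_verify_errors
```

The `2>&1` in the live command is needed because s_client writes the verify trace to stderr.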