
The SSL certificate on the LDAP server expired recently, making it impossible to ssh into other Linux machines that rely strictly on LDAP.

Being a self-signed certificate, my understanding is that it cannot be renewed.

Knowing that I need to generate a new certificate, any ideas on how that certificate can be transferred to client machines when no remote authentication is possible because the old SSL certificate has already expired?

Patel95
  • It is *your* duty as the systems administrator to have a fallback to access the systems. Serial console (certificates are short and can be copy&pasted via terminal)? Local accounts (ones not using LDAP auth)? SSH keys? You can always boot the server using a live usb stick and put a new cert file in place. – ptman Jan 24 '13 at 07:43
  • Agreed, however this is a level 1 PCI-compliant environment, where you have only 2 options for authentication: 1. LDAP. 2. Physical access from single user mode. In my case those servers are in several parts of the country. – Patel95 Jan 25 '13 at 02:04
  • I feel sorry for you. Fortunately I don't (yet) have to deal with anything involving PCI. Are you sure kvm/serial terminal is ruled out? – ptman Jan 25 '13 at 07:53

1 Answer


You can retrieve the certificate on the client with

openssl s_client -CApath /etc/ssl/certs -verify 10 \
    -connect '<host>:<port>' 2>&1 < /dev/zero | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    > foo.pem

foo.pem can then be put in the client's trust store.

I'd suggest using a certificate signed by a CA though, even if it is your own CA (easily managed with TinyCA).

The main advantage is that you can import the CA root certificate and don't have to worry about trusting host certificates anymore.

fuero
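Added example, not part of the answer above: a stand-alone Python script that applies the same PEM extraction to a captured s_client transcript and then compares the fetched certificate's SHA-256 fingerprint with one obtained out of band (serial console, change ticket), because a certificate pulled over the network this way is unauthenticated and should be checked before it is copied into the trust store. The transcript, host name and DER bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
import ssl

# Constructed sample of what `openssl s_client ... 2>&1 < /dev/null` prints for
# an expired self-signed server certificate. The PEM body is placeholder bytes,
# not a real certificate; a real capture carries the server's DER cert instead.
LEAF_DER = b"constructed placeholder, not a real DER certificate " * 3
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = ldap.example.internal\n"
    "verify error:num=10:certificate has expired\n"
    "---\nCertificate chain\n 0 s:CN = ldap.example.internal\n"
    "   i:CN = ldap.example.internal\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(LEAF_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n---\n"
    "SSL handshake has read 1234 bytes and written 456 bytes\n"
)

# Same range the answer's sed expression selects, as a regex; non-greedy so a
# `-showcerts` capture (whole chain, leaf first) yields one block per cert.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----", re.S)


def extract_certificates(s_client_output: str) -> list:
    """Return every PEM certificate block in s_client output, leaf first."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(s_client_output)]


def sha256_fingerprint(pem_cert: str) -> str:
    """SHA-256 of the DER bytes: the value `openssl x509 -fingerprint -sha256`
    prints for the same file, as lowercase hex without colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def matches_pinned(pem_cert: str, expected_fingerprint: str) -> bool:
    """True only if the fetched cert matches a fingerprint obtained out of
    band; accepts the colon-separated upper-case form openssl prints."""
    want = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(sha256_fingerprint(pem_cert), want)


if __name__ == "__main__":
    leaf = extract_certificates(SAMPLE_S_CLIENT_OUTPUT)[0]
    print("leaf SHA-256:", sha256_fingerprint(leaf))
```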