We have 2 FreeIPA servers running in our network, today we found this: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
One of the intermediate CAs that we are using expired and we are no longer able to connect to LDAP.
We have these errors in the logs:
ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired
When checking the CA chain this is what we get:
# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443
verify depth is 5
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com
notAfter=Sep 16 23:59:59 2021 GMT
verify return:1
Basically everything before May 30 2020 expired
How can I remove or update those expired CAs and Intermediates ?
Best Answer
Here is how to update the CA
1) I recommend a full backup of LDAP before
2) Change the date to something before May 30 2020
3) Find old certs in NSS DB except 'IPA CA'
4) Remove the old certs from all the NSS DBs
5) Find your base dn
6) Find old certs from LDAP except the IPA CA, replace 'dc=example,dc=com' by your basedn from step 5)
7) Remove old LDAP certs except the IPA CA
8) Find the new working chain, in my case it was from here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates?retURL=%2Fapex%2FCom_KnowledgeWeb2Casepagesectigo&popup=false
9) Install the new certs
10) Update the date and reboot