FreeIPA Intermediate CA Certificate Expired

certificate-authoritycertutilfreeipaopensslssl-certificate

We have 2 FreeIPA servers running in our network, today we found this: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

One of the intermediate CAs that we are using expired and we are no longer able to connect to LDAP.

We have these errors in the logs:

ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired

When checking the CA chain this is what we get:

# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443
verify depth is 5
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com
notAfter=Sep 16 23:59:59 2021 GMT
verify return:1

Basically everything before May 30 2020 expired

How can I remove or update those expired CAs and Intermediates ?

Best Answer

Here is how to update the CA

1) I recommend a full backup of LDAP before

2) Change the date to something before May 30 2020

date -s "Fri May 29 12:05:19 EDT 2020"

3) Find old certs in NSS DB except 'IPA CA'

$ ipa-cacert-manage  list | grep -v 'IPA CA'
OLDCA
OLD-Intermediate-1

4) Remove the old certs from all the NSS DBs

$ cat dblist.txt
/etc/ipa/nssdb 
/etc/pki/pki-tomcat/alias
/etc/httpd/alias
/etc/dirsrv/slapd-EXAMPLE-COM (Replace EXAMPLE-COM with your realm)
/etc/httpd/alias

$ for DB in `cat dblist.txt`; do /usr/bin/certutil -d $DB -D -n OLDCA; done
$ for DB in `cat dblist.txt`; do /usr/bin/certutil -d $DB -D -n OLD-Intermediate-1; done

5) Find your base dn

$ cat /etc/ipa/default.conf | grep basedn
basedn = dc=example,dc=com

6) Find old certs from LDAP except the IPA CA, replace 'dc=example,dc=com' by your basedn from step 5)

$ ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=com | grep ^dn: | grep -v 'IPA CA'
dn: cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
dn: cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com

7) Remove old LDAP certs except the IPA CA

$ ldapdelete -h localhost -p 389 -D cn=directory\ manager -W "cn=OLDCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"
$ ldapdelete -h localhost -p 389 -D cn=directory\ manager -W "cn=OLD-Intermediate-1,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com"

8) Find the new working chain, in my case it was from here: https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates?retURL=%2Fapex%2FCom_KnowledgeWeb2Casepagesectigo&popup=false

[Download] SHA-2 Root : USERTrust RSA Certification Authority
[Download] Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]

9) Install the new certs

$ echo "passw0rd" | kinit admin

$ ipa-cacert-manage -p "passw0rd" -n NEWCA -t C,, install NEWCA.crt

$ ipa-cacert-manage -p "passw0rd" -n NEW-Intermediate -t C,, install NEW-Intermediate.crt

$ ipa-certupdate

$ ipa-server-certinstall -w -d star.example.com.key star.example.com.crt --pin="passw0rd" --dirman-password="passw0rd" 

$ ipa-cacert-manage  list
EXAMPLE.COM IPA CA
NEWCA
NEW-Intermediate
The ipa-cacert-manage command was successful

10) Update the date and reboot

Related Solutions

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Understanding the output of openssl s_client

The answer (as explained in this security.SE post) is that the two GeoTrust Global CA certificate you see in the chain are in fact not the same certificate, one is derived from the other.

Because of CA Cross-signing!

When the GeoTrust Global CA certificate was first created and signed, no computer/browsers/applications would have had it in their trust store.

By having another CA (with a pre-existing reputation and distribution) sign the GeoTrust root CA cert, the resulting certificate (referred to as a "bridge" certificate) can now be verified by the second CA, without the GeoTrust root CA certificate having to be trusted by the client explicitly.

When Google presents the Cross-signed version of the GeoTrust root CA cert, a client that doesn't trust the original can just use the Equifax CA cert to verify GeoTrust - so Equifax acts as a kind of "legacy" trust anchor.

Best Answer

Related Solutions

SSL Error: self signed certificate in certificate chain

Understanding the output of openssl s_client

Because of CA Cross-signing!

Related Topic