Bug 1696849 - Support LDAPI and LDAPS for cert-fix tool
Summary: Support LDAPI and LDAPS for cert-fix tool
Status: POST
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.1
Assignee: Fraser Tweedale
QA Contact: PKI QE
URL:
Whiteboard:
Keywords: TestCaseProvided
Depends On: 1468348
Blocks: 1644708 1669257 1690191 1472344 1550132 1647919
Reported: 2019-04-05 18:09 UTC by Dinesh Prasanth
Modified: 2019-05-17 19:47 UTC
The Offline Cert Renewal tool now supports both LDAPI (IPA-specific environment) and LDAPS (PKI standalone environment).


Ref: https://github.com/dogtagpki/pki/blob/master/docs/admin/Offline_System_Certificate_Renewal.md
Clone Of: 1468348
Last Closed:



Comment 3 Dinesh Prasanth 2019-04-30 22:34:20 UTC
The changes have been merged via PRs:

https://github.com/dogtagpki/pki/pull/182
https://github.com/dogtagpki/pki/pull/199

Document is merged via PR:
https://github.com/dogtagpki/pki/pull/197

Comment 4 Dinesh Prasanth 2019-04-30 22:41:31 UTC
Verification Steps:
===================

There are 3 different scenarios to be tested. I'll add them as separate comments.

Scenario 1 (IPA Specific environment -- Uses LDAPI):
---------------------------------------------------

# Setting up a fake env:

1. Do a basic `ipa-server-install`
2. Verify `pki -U https://<localhost>:8443 ca-cert-find` works
3. `timedatectl set-ntp false && timedatectl set-time <set time to beyond cert expiry date>`
4. `ipactl restart` # some error OR should be stuck when trying to restart PKI server

# Procedure:

https://github.com/dogtagpki/pki/blob/master/docs/admin/Offline_System_Certificate_Renewal.md#ipa-environment-uses-ldapi

Comment 5 Dinesh Prasanth 2019-04-30 22:47:57 UTC
Scenario 2 (PKI Specific environment) (Use LDAPS):
--------------------------------------------------

# Setting up a fake env:

1. Do a pkispawn CA
2. set date beyond cert expiry
3. Ensure a valid DS certificate is available

# procedure:

https://github.com/dogtagpki/pki/blob/master/docs/admin/Offline_System_Certificate_Renewal.md#standalone-pki-environment-uses-ldaps

# Shortcut procedure for setting up fake env:

Since this step requires configuring TLS on Directory Server, I usually install IPA as it configures everything for us.

1. Do a basic `ipa-server-install`. This would set up a TLS-configured Directory Server.

2. `timedatectl set-ntp false && timedatectl set-time <set time to beyond cert expiry date>`

3. Determine the $DS_SERIAL by `certutil -L -d /etc/dirsrv/slapd-REALM/ -n Server-Cert`

4. Determine the $IPA_RA_SERIAL by `keytool -printcert -file /var/lib/ipa/ra-agent.pem`

5. `pki-server cert-fix --ldapi-socket /var/run/slapd-REALM.socket --agent-uid admin --extra-cert $DS_SERIAL --extra-cert $IPA_RA_SERIAL`

This step just renews the DS cert and IPA_RA cert, as they need to be valid.

6. `pki-server cert-fix --ldap-url <LDAP URL> --agent-uid admin` # This would fix all the system certs
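
The setup steps in Comment 4 and Comment 5 both hinge on two facts per certificate: its serial number (what $DS_SERIAL and $IPA_RA_SERIAL stand for) and whether the shifted system clock is now past its notAfter date. The following is an added example written for this report, not code from the pki project or from the comments above: it reads the serial and validity window out of a PEM file such as /var/lib/ipa/ra-agent.pem using only the Python standard library, and reports whether the certificate is expired at a given moment. The DS certificate sits in an NSS database, so it would first be exported as PEM (certutil -L with -a prints ASCII/PEM output); that exporting step is an assumption about the workflow, not something the comments state. The certificate produced by build_sample_pem() is constructed for the example (zero filler instead of a key and signature, so it is not a real, verifiable certificate), and all function names are the example's own.

```python
"""Read serial number and validity window from a PEM certificate with only
the standard library, then say whether it has expired at a given moment.
Added example, not pki project code.  The DER walker follows the RFC 5280
Certificate layout ([0] version, serialNumber, signature, issuer, validity)
and stops there; it verifies no signature and handles no indefinite lengths."""
import base64
import re
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Return (tag, contents, position after element) for the DER element at
    buf[pos]; handles both short and long length forms."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem_text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _parse_time(tag, value):
    """Decode UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000   # RFC 5280 UTCTime century rule
        text = f"{year}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_info(der):
    """Return serial (int and hex) plus notBefore/notAfter of a DER cert."""
    tag, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                           # [0] EXPLICIT version; absent in v1
        pos = nxt
    tag, serial_bytes, pos = _read_tlv(tbs, pos)   # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)      # validity { notBefore, notAfter }
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return {"serial": serial, "serial_hex": format(serial, "x"),
            "not_before": _parse_time(t1, nb), "not_after": _parse_time(t2, na)}


def is_expired(der, now=None):
    """True when `now` lies outside the validity window.  `now` may be a
    timezone-aware datetime, an ISO-8601 string (taken as UTC) or None for
    the current system time (which the test scenarios deliberately shift)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    info = cert_info(der)
    return not (info["not_before"] <= now <= info["not_after"])


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_pem():
    """Constructed sample: serial 0x1A2B3C, valid 2019-01-01 to 2020-01-01.
    Key and signature bytes are zero filler, so this is not a verifiable
    certificate; it only exercises the parser the way a real PEM would."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                          + _tlv(0x0C, b"Test CA"))))
    validity = _tlv(0x30, _tlv(0x17, b"190101000000Z") + _tlv(0x17, b"200101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010101"))
                               + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" * 17))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes.fromhex("1A2B3C"))
               + alg + name + validity + name + spki)
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_pem()
    der = pem_to_der(pem)
    info = cert_info(der)
    print(f"serial {info['serial']} (0x{info['serial_hex']}), "
          f"notAfter {info['not_after']:%Y-%m-%d}, expired={is_expired(der)}")
```

Run it as `python3 certinfo.py /var/lib/ipa/ra-agent.pem` after the clock has been moved forward; expired=True confirms the environment is in the state the scenario needs before cert-fix is invoked, and the printed serial is the value to pass as an --extra-cert argument.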

Comment 6 Dinesh Prasanth 2019-04-30 22:50:31 UTC
Scenario 3 (PKI Specific environment) (can use LDAP or LDAPS):
--------------------------------------------------------------

# Setting up a fake env:

1. Do a pkispawn CA
2. set date beyond cert expiry
3. restart PKI server

# procedure:

https://github.com/dogtagpki/pki/blob/master/docs/admin/Offline_System_Certificate_Renewal.md#manual-renewal-process

Comment 7 Dinesh Prasanth 2019-05-01 17:36:03 UTC
Since testing this tool requires significant effort, please consider testing https://bugzilla.redhat.com/show_bug.cgi?id=1679480 together with this bug.

