Updating a certificate for a FreeIPA web server

As I install, uninstall, and re-install FreeIPA, I start getting sec_error_reused_issuer_and_serial from Firefox. Each reinstall creates a new CA with the same issuer name, and each CA hands out serial numbers from the start again, so the browser sees a certificate whose issuer and serial number match one it has already cached but whose key does not. This used to be a minor annoyance, solved by removing the old certificates from the browser and restarting it. Recent versions of Firefox have complained even after doing that, which led to the current workaround: clear your browser cache. Instead, you can update the certificate on the web server; this gives you a certificate with a new serial number and avoids the error.

Updating the certificate for your IPA server is somewhat labor intensive, but here’s how to do it.

A FreeIPA install keeps the certificate database for the web server (an NSS database, used by mod_nss) in /etc/httpd/alias. The passphrase for this database is stored in the file /etc/httpd/alias/pwdfile.txt.

First, generate a Certificate Signing Request:

  certutil -R -s "CN=$HOSTNAME" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -g 2048 -a > $HOSTNAME.csr

certutil will ask you to type random characters until its progress meter fills, to seed the key generation. The -g option sets the RSA key size in bits; use at least 2048, since current browsers reject 1024-bit keys. Once the request has been generated, send it to IPA for signing, then import the signed certificate into your web server's NSS database:

  ipa cert-request ./$HOSTNAME.csr --principal=HTTP/`hostname` > $HOSTNAME.crt
  awk '/Certificate:/ {print $3}' $HOSTNAME.crt | certutil -A -d /etc/httpd/alias/ -n "Server-Cert" -t "u,u,u" -a -f /etc/httpd/alias/pwdfile.txt

And restart your web server:

  service ipa restart

And, of course, restart your browser.

A similar approach will work for any Apache httpd using mod_nss, but you will have to change the step where you get the new certificate.

UPDATE: here is a simple script that does it all in one command. It uses the ipa command to write the certificate in the right format, so you don’t need awk.

#!/bin/bash
set -euo pipefail

# Locations used by a FreeIPA install for the mod_nss certificate database
NSSDB=/etc/httpd/alias
PWDFILE=$NSSDB/pwdfile.txt
NICK=Server-Cert
PRINCIPAL=HTTP/$(hostname)

CSR=$(mktemp)
CERT=$(mktemp)
trap 'rm -f "$CSR" "$CERT"' EXIT   # remove the temp files even if a step fails

# Generate a new key pair and signing request in the NSS database
# (2048-bit RSA; browsers no longer accept 1024-bit keys)
certutil -R -s "CN=$HOSTNAME" -d "$NSSDB" -f "$PWDFILE" -g 2048 -a > "$CSR"
# Have the IPA CA sign it; the new certificate is attached to the HTTP service entry
ipa cert-request "$CSR" --principal="$PRINCIPAL"
# Write the certificate from the service entry in PEM form, so no awk is needed
ipa service-show "$PRINCIPAL" --out "$CERT"
# Import it over the existing Server-Cert nickname
certutil -A -d "$NSSDB" -n "$NICK" -t "u,u,u" -a -f "$PWDFILE" -i "$CERT"
# Make the web server pick up the new certificate
service ipa restart
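After the import it is worth confirming that the certificate now in the database really does carry a different serial number, since that issuer/serial pair is the only thing Firefox keys its complaint on. The script below is an added example and not part of the original post: it parses the pretty-printed output of certutil -L into an "issuer|serial" id and compares two such ids. The database path and nickname are the ones the post uses (/etc/httpd/alias, Server-Cert); the two certificate dumps embedded in it are constructed samples in the shape certutil prints, standing in for output captured before and after a renewal.

```shell
#!/bin/sh
# Added example, not from the original post. Detects whether a certificate
# still carries the issuer/serial pair that triggers
# sec_error_reused_issuer_and_serial, by parsing `certutil -L` output.
# Assumptions: FreeIPA's mod_nss database and nickname, as in the post.

NSSDB=/etc/httpd/alias
NICK=Server-Cert

# cert_id: read the pretty-printed output of `certutil -L -n <nick>` on stdin
# and print "issuer|serial". Firefox caches certificates by exactly this pair,
# so two certificates that share it collide even when their keys differ.
cert_id() {
    awk -F': ' '
        /^[[:space:]]*Serial Number:/ { serial = $2 }
        /^[[:space:]]*Issuer:/        { issuer = $2 }
        END { print issuer "|" serial }
    '
}

# same_issuer_and_serial OLD NEW: succeed (exit 0) when the two ids collide.
same_issuer_and_serial() {
    [ "$1" = "$2" ]
}

# live_cert_id: the real check against the server's NSS database. Only run
# when asked for, so the file can be sourced on a box without certutil.
live_cert_id() {
    certutil -L -d "$NSSDB" -n "$NICK" | cert_id
}

# Constructed samples in the shape certutil -L prints, standing in for the
# output captured before and after re-issuing the certificate.
OLD_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=ipa.example.com,O=EXAMPLE.COM"'
NEW_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject: "CN=ipa.example.com,O=EXAMPLE.COM"'

# Usage on the IPA server: capture the id before and after the renewal, then
# compare the two files (identical files mean the serial was reused), e.g.
#   sh check_serial.sh --live > before.txt
#   (run the renewal script, then)
#   sh check_serial.sh --live > after.txt
#   cmp -s before.txt after.txt && echo "issuer and serial reused"
if [ "${1:-}" = "--live" ]; then
    live_cert_id
elif [ "${1:-}" = "--demo" ]; then
    old=$(printf '%s\n' "$OLD_CERT" | cert_id)
    new=$(printf '%s\n' "$NEW_CERT" | cert_id)
    echo "before: $old"
    echo "after:  $new"
    if same_issuer_and_serial "$old" "$new"; then
        echo "same issuer and serial: Firefox will still complain"
    else
        echo "serial changed: the cached entry no longer collides"
    fi
fi
```

Run it with --demo to see the comparison on the embedded samples, or with --live on the IPA server to print the id of whatever Server-Cert currently holds. If the two ids match after a renewal, the browser error will come back no matter how many times the cache is cleared.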

1 thought on “Updating a certificate for a FreeIPA web server”

  1. Hey Adam,

    I do this to alleviate the ‘sec_error_reused_issuer_and_serial’ problem: (I keep creating a bunch of CA instances)

    1/ Fire up the Firefox profile manager:
    # firefox -ProfileManager

    2/ Delete the profile (assuming it’s just a test profile) which has all the old CA/other subsystem certs in it.

    [or]

    1/ Use a new profile every time you configure subsystems via Firefox.

    HTH
