How certificates work
Somebody explain this to me.
I don't really get it, but apparently some years after you install it, the certificates expire.
A certmonger daemon is supposed to be running that automatically files a renewal request when a certificate is about to expire, but if some admin goes "Huh? What's this? No idea, die, you idiot" and stops it, this is what you get.
Then
things start to misbehave like this. Once it gets to this point,
ib2007-3 # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running
is what you end up with. So what am I supposed to do about this? The fix was written up here.
First, on any one of the servers:
ib2007-3 # ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of IPA.
It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.

The following certificates will be renewed:

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=229.249.10.1016485.VLAN.KUINS.NET
  Serial:  4
  Expires: 2021-11-23 02:14:34

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=229.249.10.1016485.VLAN.KUINS.NET
  Serial:  2
  Expires: 2021-11-23 02:14:33

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=229.249.10.1016485.VLAN.KUINS.NET
  Serial:  5
  Expires: 2021-11-23 02:14:35

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=229.249.10.1016485.VLAN.KUINS.NET
  Serial:  268369934
  Expires: 2024-05-03 11:16:05

Renewed Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=229.249.10.1016485.VLAN.KUINS.NET
  Serial:  268369935
  Expires: 2024-05-03 11:16:06

Renewed Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=229.249.10.1016485.VLAN.KUINS.NET
  Serial:  268369936
  Expires: 2024-05-03 11:16:08

Becoming renewal master.
Restarting IPA
Note: Monitor the certmonger-initiated renewal of certificates after ipa-cert-fix and wait for its completion before any other administrative task.
The ipa-cert-fix command was successful

ib2007-3 # ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

ib2007-3 # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
With that, it starts working again.
Do the same thing on the other servers.
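The whole mess starts with nobody noticing that certmonger stopped renewing. As an added check (example code of my own, not from the post or from the FreeIPA project), here is a small Python script that parses `getcert list` output and flags tracked certificates that are expired, about to expire, stuck, or no longer in MONITORING state; the sample output embedded in it is constructed and assumes the usual getcert field names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` output (an assumption about
# the format, not captured from the servers in the post): one healthy tracking
# entry and one whose renewal never happened because certmonger was down.
SAMPLE_GETCERT_LIST = """\
Request ID '20180503111605':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2024-05-03 11:16:05 UTC
Request ID '20180503111606':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2021-11-23 02:14:33 UTC
"""

def parse_getcert_list(text):
    """Turn `getcert list` output into one dict of key/value fields per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def _parse_utc(stamp):
    """'YYYY-MM-DD HH:MM:SS[ UTC]' -> timezone-aware datetime."""
    stamp = stamp[:-4] if stamp.endswith(" UTC") else stamp
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def find_problem_certs(entries, now_utc, warn_days=30):
    """(request_id, subject, reason) for entries that are expired, expire within
    warn_days, are stuck, or are not in MONITORING state. now_utc is a UTC stamp."""
    now, problems = _parse_utc(now_utc), []
    for e in entries:
        days_left = (_parse_utc(e["expires"]) - now).days
        reasons = ["expired"] if days_left < 0 else (
            ["expires in %d days" % days_left] if days_left <= warn_days else [])
        if e.get("stuck") == "yes":
            reasons.append("stuck")
        if e.get("status") != "MONITORING":
            reasons.append("status " + e.get("status", "?"))
        if reasons:
            problems.append((e["request_id"], e.get("subject", "?"), ", ".join(reasons)))
    return problems
```

On a live server, feed it the real `getcert list` output with the current UTC time, and pair it with `systemctl is-active certmonger`, since a stopped certmonger is exactly what lets the CA subsystem certificates lapse.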