Replace service certificates with ipa-server-certinstall

[rcritten]

Replace service certificates with ipa-server-certinstall

Also revoke existing IPA-issued certificates.

ipa-server-certinstall does not update the HTTP or ldap service
entries when the the new certificates. This is confusing when
looking at the service entries because it looks like the new
certificates are not active, when they are.

Fixes: https://pagure.io/freeipa/issue/9417

[flo-renaud]

@rcritten
thanks for the PR, the code works fine. Please find inline comments below.

[flo-renaud]

The option append=False introduces a slightly different behavior for IPA-issued certs and 3rd-party certs.
When the LDAP server cert is issued by IPA and renewed by IPA, the new certificate is added to the service entry and the old one is kept: https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/cert.py#L961-L968
With this code, if the LDAP server cert is a 3rd-party cert, it replaces the old cert in the service entry (the old cert is removed).

IMO the logic should be similar in both cases (either always replace or always add). No strong opinion on the best choice.

[rcritten]

It's been a while so I forget my reasoning. I think it may be related to what cert-find returned since it also looks in the service cert values. I'll double-check.

[flo-renaud]

I am not comfortable with the revocation of the previous cert. For instance, if the same 3rd-party cert is used initially for both LDAP and HTTP but later on the administrator realizes he should reduce the attack surface and replaces the LDAP cert with another one (in order to have a distinct cert for each service), he doesn't want to revoke the HTTP cert.
I know that 3rd part certs can't be revoked inside IPA but that's just an example for a scenario where replacing a cert is not synonym of revoking a cert.

[rcritten]

But they should be able to issue a new HTTP, LDAP or PKINIT cert from IPA using certmonger. I'll give that a try but I don't see why it wouldn't work.

[rcritten]

So yes, it's possible. I tested replacing the Apache and LDAP certs with 3rd party certs, then replaced those with IPA-issued certificates.

For Apache you first need to move the cert and key out of the way (or remove them). Then you can have certminger issue a new one:

ipa-getcert request -f /var/lib/ipa/certs/httpd.crt -k /var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/ipa.example.test-443-RSA -D ipa.example.test -D ipa-ca.example.test -K HTTP/ipa.example.test@EXAMPLE.TEST -C /usr/libexec/ipa/certmonger/restart_httpd -T caIPAserviceCert -v -w

Restart httpd: systemctl restart httpd

The paths are the same for all HTTP certs, CA-issued or 3rd party

For 389-ds you can request a new cert:

ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert -p /etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt -D ipa.example.test -K ldap/ipa.example.test@EXAMPLE.TEST -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST" -T caIPAserviceCert -v -w

Stop dirsrv

Edit dse.ldif and replace nsSSLPersonalitySSL with Server-Cert, or whatever nickname was chosen, then restart dirsrv.

Done and the certs are replaced and tracked now.

[rcritten]

In fact, I blogged about this a few years ago https://rcritten.wordpress.com/2019/05/07/how-do-i-revert-back-to-using-ipa-issued-web-ldap-certs/

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[abbra]

can we rebase this one?