Ian Pilcher via FreeIPA-users wrote:
> On 06/20/2017 11:38 PM, Ian Pilcher wrote:
>> If I don't specify the SSL_DIR, the curl command works, so it
>> definitely seems to be an issue with the NSS database in
>> /etc/httpd/alias.  I don't see anything obviously wrong with the trust
>> flags, though:
>>   # certutil -d /etc/httpd/alias -L
>>   Certificate Nickname                                         Trust Attributes
>>   Server-Cert                                                  u,u,u
>>   ipaCert                                                      u,u,u
>>   PENURIO.US IPA CA                                            CT,C,C
>>   Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
>>   www.penurio.us                                               u,u,u
> Trial and error for the win!
> It seems as if the NSS database in /etc/httpd/alias had become subtly
> corrupted, so that the trust flags shown by certutil for the CA
> certificate were not accurate.
> After clearing (-t ',,') and resetting (-t 'C,C,C') the trust flags,
> curl works, and certmonger has renewed my expired certificates.
> That was not fun.

Well, I'm glad it's working, but I'm confused by your setup. Are you
still using the Apache Server-Cert or are you using the Let's Encrypt
cert? If the latter then you should disable tracking on Server-Cert. Off
the top of my head I can't think of any issues it might cause but it is
very possible some IPA renewal script dropped the trust on the Let's
Encrypt CA since it isn't in the chain of the Server-Cert (or ipaCert).
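The clear-then-reset procedure Ian describes (certutil -M with ',,' followed by 'C,C,C') can be scripted so that the same check is repeatable after the next renewal. The script below is an added example for this thread, not something posted by either participant or shipped with FreeIPA. It parses a `certutil -L` listing, reports every entry whose SSL trust column is empty (the state the Let's Encrypt intermediate was in above), and prints the two certutil commands that clear and reset that entry's trust. The listing embedded in `sample_listing` is constructed to mirror the one quoted in the thread; the `https://www.penurio.us/` URL in the final curl check is an assumption based on the nickname in the listing. Nothing is modified unless you run the printed commands yourself.

```shell
#!/bin/sh
# Added example (not from the thread): audit trust flags in an NSS database
# listing and emit the certutil commands to clear and reset them.

# Constructed sample of `certutil -d /etc/httpd/alias -L` output, modelled on
# the listing quoted in the thread. The second header line is certutil's
# column legend; the nicknames are the ones from the thread.
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
PENURIO.US IPA CA                                            CT,C,C
Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
www.penurio.us                                               u,u,u
EOF
}

# Reads a certutil -L listing on stdin and prints the nickname of every entry
# whose SSL trust column (first of the three comma-separated fields) is empty.
# A CA in the server's chain with no 'C'/'T' there is exactly the condition
# that made curl fail in the thread.
untrusted_ssl_entries() {
    awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            split(trust, f, ",")
            if (f[1] == "") {
                # strip the trailing whitespace and trust field, leaving the nickname
                sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/, "")
                print
            }
        }'
}

# Prints the two certutil -M invocations from the thread: clear the trust
# record first, then set it. $1 = NSS db directory, $2 = nickname,
# $3 = trust flags to set (default C,C,C, the value Ian used).
reset_trust_cmds() {
    db=$1
    nick=$2
    flags=${3:-C,C,C}
    printf 'certutil -d "%s" -M -n "%s" -t ",,"\n' "$db" "$nick"
    printf 'certutil -d "%s" -M -n "%s" -t "%s"\n' "$db" "$nick" "$flags"
}

main() {
    db=${1:-/etc/httpd/alias}
    # Only read a live database when a directory is given on the command line
    # and certutil is installed; otherwise fall back to the constructed sample.
    if [ $# -ge 1 ] && command -v certutil >/dev/null 2>&1; then
        listing=$(certutil -d "$db" -L)
    else
        echo "# no database given (or certutil missing): using the constructed sample listing"
        listing=$(sample_listing)
    fi
    printf '%s\n' "$listing" | untrusted_ssl_entries | while IFS= read -r nick; do
        echo "# '$nick' has no SSL trust; clear and reset it as described in the thread:"
        reset_trust_cmds "$db" "$nick"
    done
    # Assumed URL: the thread only shows the nickname www.penurio.us.
    echo "# then re-check against the same database, as in the thread:"
    echo "SSL_DIR=\"$db\" curl -sS -o /dev/null https://www.penurio.us/"
}

main "$@"
```

Run it with no arguments to see the commands generated from the sample, or with the database directory (`sh audit-nss-trust.sh /etc/httpd/alias`) to audit a real one; re-run `certutil -L` after applying the commands to confirm the flags stuck. The reply's other suggestion, dropping certmonger tracking of the unused Server-Cert, is a separate certmonger step (getcert stop-tracking) and is not part of this script.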

