On 06/21/2017 08:54 AM, Rob Crittenden wrote:
Ian Pilcher via FreeIPA-users wrote:
On 06/20/2017 11:38 PM, Ian Pilcher wrote:

   # certutil -d /etc/httpd/alias -L

   Certificate Nickname                                         Trust Attributes
                                                                SSL,S/MIME,JAR/XPI

   Server-Cert                                                  u,u,u
   ipaCert                                                      u,u,u
   PENURIO.US IPA CA                                            CT,C,C
   Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
   www.penurio.us                                               u,u,u

Well, I'm glad it's working, but I'm confused by your setup. Are you
still using the Apache Server-Cert or are you using the Let's Encrypt
cert? If the latter then you should disable tracking on Server-Cert. Off
the top of my head I can't think of any issues it might cause but it is
very possible some IPA renewal script dropped the trust on the Let's
Encrypt CA since it isn't in the chain of the Server-Cert (or ipaCert).

The Let's Encrypt intermediate CA certificate and the www.penurio.us
certificate (issued by Let's Encrypt) are used only for an Internet-
facing reverse proxy virtual host.  They are not used for anything IPA-
related.

The issue seems to have been the trust flags on the PENURIO.US IPA CA
certificate.  For whatever reason, it wasn't being trusted even though
certutil was showing it as CT,C,C.

I "reset" the trust flags by running:

  certutil -d /etc/httpd/alias -M -n 'PENURIO.US IPA CA' -t ',,'
  certutil -d /etc/httpd/alias -M -n 'PENURIO.US IPA CA' -t 'C,C,C'

And things started working.

I did find it interesting that the trust flags still showed as T,,
after I ran the first command, and it's showing as CT,C,C now.  It
appears that certutil is either not affecting the T flag, or it is not
displaying the trusts accurately.

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
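The two-step trust reset Ian describes above is easy to script as an audit: read the `certutil -L` listing, compare the trust column for the IPA CA nickname against what it should be, and print the reset commands only when they differ. The block below is an added example and is not code from the thread or from FreeIPA; the function names and the sample listing are its own constructions, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit the trust flags certutil -L
# reports for a CA nickname and emit the two-step reset Ian used above.
# Function names and the sample listing are this example's own constructions.

# Constructed sample modelled on the `certutil -d /etc/httpd/alias -L`
# listing quoted in the thread.
SAMPLE_LISTING=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
PENURIO.US IPA CA                                            CT,C,C
Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
www.penurio.us                                               u,u,u
EOF
)

# trust_flags LISTING NICKNAME
# Prints the trust-attribute column for NICKNAME; returns 1 if it is absent.
# Nicknames may contain spaces, so the flags are taken as the last field
# and the rest of the line is compared whole.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF > 0 {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+$/, "", line)   # drop the trailing flags column
            if (line == nick) { print flags; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# check_ca_trust LISTING NICKNAME EXPECTED
# Returns 0 when the flags match EXPECTED, 1 on mismatch, 2 if not found.
check_ca_trust() {
    actual=$(trust_flags "$1" "$2") || {
        echo "no certificate with nickname '$2'" >&2
        return 2
    }
    if [ "$actual" = "$3" ]; then
        echo "$2: trust flags $actual (ok)"
        return 0
    fi
    echo "$2: trust flags $actual, expected $3" >&2
    return 1
}

# reset_trust_cmds DBDIR NICKNAME FLAGS
# Prints the reset Ian ran: clear the flags, then set them again.
reset_trust_cmds() {
    printf "certutil -d %s -M -n '%s' -t ',,'\n" "$1" "$2"
    printf "certutil -d %s -M -n '%s' -t '%s'\n" "$1" "$2" "$3"
}

# Usage on the constructed listing. Against a live database, replace
# "$SAMPLE_LISTING" with "$(certutil -d /etc/httpd/alias -L)".
check_ca_trust "$SAMPLE_LISTING" 'PENURIO.US IPA CA' 'CT,C,C' ||
    reset_trust_cmds /etc/httpd/alias 'PENURIO.US IPA CA' 'C,C,C'
```

The script only prints the `certutil -M` commands rather than running them, so a mismatch can be reviewed before the database is modified. The expected value is whatever the listing shows once the CA is known to be trusted (here `CT,C,C`, as in the thread after the reset); as Ian notes, the flags certutil displays do not always track what was passed to `-t`, so the assertion is on the displayed value rather than on the string that was set.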
