> On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
> Hi,
> no need to start over with a different nickname if the certificates are 
> already in LDAP. "ipa-cacert-manage install" adds them in the LDAP 
> server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would start by 
> checking if they are all present there:
> ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b 
> cn=certificates,cn=ipa,cn=etc,$BASEDN
> (replace BASEDN with your deployment's basedn that can be found in 
> /etc/ipa/default.conf)
> The entries will also contain an attribute ipakeytrust (either trusted 
> or distrusted). Please check that they are all trusted.

All CAs in the LDAP directory have 'ipaKeyTrust: trusted'.

> That is expected as ipa-certupdate
> retrieves the certs from LDAP and 
> installs them in the /etc/httpd/alias NSS database.
> You can supply multiple files to ipa-server-certinstall, containing the 
> cert, the key, and the cert chain. For instance
> ipa-server-certinstall -w server.cert server.key cachain.cert
> where server.cert contains only the cert, server.key only the key, and 
> cachain.cert contains the root, inter1 and inter2 certs.

Got it!

Wow, I found what I missed.
One of the certs from the chain isn't being added, with the following error:

# ipa-cacert-manage -p 2xHKp17zQpdG -n Comodointer2 -t C,, install 
Installing CA certificate, please wait
Failed to install the certificate: subject public key info mismatch
The ipa-cacert-manage command failed.

Probably this is the root cause of the problem, but it's not clear to me how to 
resolve it.
I found a description of the error:

Subject public key info mismatch
    The new CA certificate issued by the external CA uses a different public / 
private key pair than the old CA certificate.

But nothing about how to fix it...

> Flo
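To confirm that the "subject public key info mismatch" above really is a key-pair change between the old and new CA certificate, here is an added shell example (not from this thread and not part of FreeIPA) that compares the SubjectPublicKeyInfo of two PEM certificates and lists the key fingerprint of every certificate in a chain bundle like cachain.cert. It assumes the openssl CLI is installed; all file names are placeholders.

```shell
#!/bin/sh
# Added example: diagnose an ipa-cacert-manage "subject public key info mismatch"
# by comparing the SubjectPublicKeyInfo (SPKI) of two PEM certificates.
# Assumes the openssl CLI is available; file names are placeholders.
set -eu

# spki_fingerprint CERT.pem -> SHA-256 hex digest of the DER-encoded SPKI.
# Two certificates share a key pair exactly when these digests are equal.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | sed 's/^.*= //'
}

# spki_matches OLD.pem NEW.pem -> exit 0 if both certs carry the same public
# key, 1 if the new certificate was issued for a different key pair (the
# condition the error message describes).
spki_matches() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# list_chain_spki BUNDLE.pem -> one line per certificate in a PEM bundle
# (e.g. root, inter1, inter2 in cachain.cert): "<subject><TAB><spki sha256>".
# Shows which certificate in the chain collides with a key already installed
# under the chosen nickname.
list_chain_spki() {
    dir=$(mktemp -d)
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n > 0 {print > (d "/cert" n ".pem")}' "$1"
    for c in "$dir"/cert*.pem; do
        printf '%s\t%s\n' "$(openssl x509 -in "$c" -noout -subject)" \
                          "$(spki_fingerprint "$c")"
    done
    rm -rf "$dir"
}

# Usage:
#   spki_matches old-ca.pem new-ca.pem && echo "same key" || echo "key changed"
#   list_chain_spki cachain.cert
```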
