Does anybody have any clue about what I have to do with it? Florence?
Should I delete the self-signed SSL certificate from the ipa-server CA completely?
As I understood, there is some conflict between the new CA and the old one, am I right?
2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users <
> > On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
> > Hi,
> > no need to start over with a different nickname if the certificates are
> > already in LDAP. "ipa-cacert-manage install" adds them in the LDAP
> > server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would start by
> > checking if they are all present there:
> > ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b
> > cn=certificates,cn=ipa,cn=etc,$BASEDN
> > (replace BASEDN with your deployment's basedn that can be found in
> > /etc/ipa/default.conf)
> > The entries will also contain an attribute ipakeytrust (either trusted
> > or distrusted). Please check that they are all trusted.
> All CAs in the LDAP directory have 'ipaKeyTrust: trusted'.
> > That is expected, as ipa-certupdate retrieves the certs from LDAP and
> > installs them in the /etc/httpd/alias NSS database.
> > You can supply multiple files to ipa-server-certinstall, containing the
> > cert, the key, and the cert chain. For instance
> > ipa-server-certinstall -w server.cert server.key cachain.cert
> > where server.cert contains only the cert, server.key only the key, and
> > cachain.cert contains the root, inter1 and inter2 certs.
> Got it!
> Wow, I found what I missed.
> One of the certs from the chain isn't adding, with the following error:
> # ipa-cacert-manage -p 2xHKp17zQpdG -n Comodointer2 -t C,, install
> Installing CA certificate, please wait
> Failed to install the certificate: subject public key info mismatch
> The ipa-cacert-manage command failed.
> Probably this is the root cause of the problem, but it's not clear to me how
> to resolve it.
> I found description of the error:
> Subject public key info mismatch
> The new CA certificate issued by the external CA uses a different
> public / private key pair than the old CA certificate.
> But nothing about how to fix it...
> > Flo
Best regards, Andrew.
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
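The "subject public key info mismatch" quoted above means the certificate being installed carries a different public key than the certificate it is being matched against. The following is an added diagnostic, not code from the thread and not part of FreeIPA: it computes the SHA-256 fingerprint of each certificate's DER-encoded SubjectPublicKeyInfo with the openssl command-line tool and compares them, so you can tell a renewal (same subject, same key pair) from a re-key (same subject, new key pair, which is the condition behind the error) before running ipa-cacert-manage. The three certificates it builds, their file names and the subject name are constructed for the demonstration; the only assumption is that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the FreeIPA-users thread, not FreeIPA code).
# Assumes only the openssl CLI; all file names and subjects below are constructed.

# Print the SHA-256 fingerprint of a certificate's DER-encoded SubjectPublicKeyInfo.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Return 0 when both certificates carry the same public key, 1 otherwise.
spki_matches() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Build three constructed CA certificates in the directory given as $1:
#   ca_old.pem      - original CA cert, signed with key A
#   ca_renewed.pem  - same subject, same key A (a renewal: SPKI unchanged)
#   ca_rekeyed.pem  - same subject, new key B (a re-key: SPKI differs)
make_demo_certs() {
    dir="$1"
    subj="/O=Example Org/CN=Example Intermediate CA"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/keyA.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/keyB.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/keyA.pem" -subj "$subj" -days 365 -out "$dir/ca_old.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/keyA.pem" -subj "$subj" -days 730 -out "$dir/ca_renewed.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/keyB.pem" -subj "$subj" -days 365 -out "$dir/ca_rekeyed.pem" 2>/dev/null
}

# Demonstration: compare the old CA cert against both candidates.
demo_dir="$(mktemp -d)"
make_demo_certs "$demo_dir"
echo "ca_old SPKI: $(spki_fingerprint "$demo_dir/ca_old.pem")"
for candidate in ca_renewed ca_rekeyed; do
    if spki_matches "$demo_dir/ca_old.pem" "$demo_dir/$candidate.pem"; then
        echo "$candidate: same public key as ca_old (renewal with the existing key pair)"
    else
        echo "$candidate: different key pair than ca_old (this is the subject public key info mismatch case)"
    fi
done
rm -rf "$demo_dir"
```

In a real deployment you would run spki_fingerprint against the PEM file you are about to install and against the certificate already present for that CA (for example one exported from the cn=certificates,cn=ipa,cn=etc,$BASEDN entry or from the NSS database). Matching fingerprints mean the file is a renewal of the existing CA; differing fingerprints mean the external CA has re-keyed and the file is a genuinely new CA certificate rather than a replacement for the old one.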