Wow, Flo!!!
You were right, there was such a cert with another key.
Did it this way:
ldapdelete "cn=Comodo3,cn=certificates,cn=ipa,cn=etc,dc=domain,dc=net"
/usr/bin/certutil -d /etc/ipa/nssdb -D -n Comodo3
/usr/bin/certutil -d /etc/httpd/alias/ -D -n Comodo3
ipa-cacert-manage install comodo_inter2.crt
ipa-server-certinstall -w comodo_base.crt comodo.key comodo_ca.crt
systemctl restart httpd

Thank you, really-really thank you! :)

2017-12-01 11:40 GMT+03:00 Florence Blanc-Renaud <f...@redhat.com>:

> On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote:
>
>> Does anybody have any clue about what I have to do with it? Florence?
>> Should I delete self-sign SSL from ipa-server CA completely?
>> As I understood - there is some conflict between the new CA and the old one, am I
>> right?
>>
> Hi,
>
> can you check if there are other certificates with the same subject name
> "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA
> Domain Validation Secure Server CA" in the ldap tree (below
> cn=certificates,cn=ipa,cn=etc,$BASEDN), or in /etc/httpd/alias?
> The error seems to indicate that there is already a cert with this name
> but that is using a different key.
>
> If it is the case, you can remove it with ldapdelete then certutil -D and
> retry to run ipa-cacert-manage install.
>
> Flo
>
> 2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org>:
>>
>>
>>     > On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
>>     >
>>     > Hi,
>>     >
>>     > no need to start over with a different nickname if the certificates
>> are
>>     > already in LDAP. "ipa-cacert-manage install" adds them in the LDAP
>>     > server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would
>> start by
>>     > checking if they are all present there:
>>     > ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b
>>     > cn=certificates,cn=ipa,cn=etc,$BASEDN
>>     > (replace BASEDN with your deployment's basedn that can be found in
>>     > /etc/ipa/default.conf)
>>     >
>>     > The entries will also contain an attribute ipakeytrust (either
>> trusted
>>     > or distrusted). Please check that they are all trusted.
>>
>>     All CA's in ldap directory have 'ipaKeyTrust: trusted'.
>>
>>     > That is expected as ipa-certupdate
>>     > retrieves the certs from LDAP and
>>     > installs them in the /etc/httpd/alias NSS database.
>>     >
>>     > You can supply multiple files to ipa-server-certinstall, containing
>> the
>>     > cert, the key, and the cert chain. For instance
>>     > ipa-server-certinstall -w server.cert server.key cachain.cert
>>     > where server.cert contains only the cert, server.key only the key,
>> and
>>     > cachain.cert contains the root, inter1 and inter2 certs.
>>
>>     Got it!
>>
>>     Wow, I found what I missed.
>>     One of the certs from the chain isn't being added, with the following error:
>>
>>     # ipa-cacert-manage -p 2xHKp17zQpdG -n Comodointer2 -t C,, install
>>     comodo_inter2.crt
>>     Installing CA certificate, please wait
>>     Failed to install the certificate: subject public key info mismatch
>>     The ipa-cacert-manage command failed.
>>
>>     Probably this is the root cause of the problem, but it's not clear to
>>     me how to resolve it.
>>     From
>>     https://www.freeipa.org/page/Troubleshooting
>>     I found a description of the error:
>>
>>     Subject public key info mismatch
>>          The new CA certificate issued by the external CA uses a
>>     different public / private key pair than the old CA certificate.
>>
>>     But nothing about how to fix it...
>>
>>      > Flo
>>     _______________________________________________
>>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>     To unsubscribe send an email to
>>     freeipa-users-le...@lists.fedorahosted.org
>>
>> --
>> Best regards, Andrew.
>


-- 
Best regards, Andrew.
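An added check for the situation in this thread (example code, not part of the original exchange or of FreeIPA): before deleting anything, confirm that the cert you are about to install really shares its subject with an already-present cert but carries a different public key, which is exactly what "subject public key info mismatch" means. It assumes openssl on PATH and the existing certs exported as PEM files in one directory; the function names are hypothetical.

```sh
#!/bin/sh
# Detect "subject public key info mismatch" before it happens: compare a cert
# that is about to be installed against certs already present (exported as PEM).
# Assumes openssl on PATH (hypothetical helper, not part of FreeIPA).
set -eu

# Subject in RFC 2253 form, e.g. "CN=COMODO RSA Domain Validation Secure Server CA,O=..."
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo: same value means same key pair
spki_of() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# check_conflicts NEW.pem DIR
# For every DIR/*.pem with the same subject as NEW.pem, print
#   "conflict FILE"  -> same subject, different key (ipa-cacert-manage will refuse)
#   "duplicate FILE" -> same subject and same key (already installed, harmless)
# Exit status 1 if any conflict was found, 0 otherwise.
check_conflicts() {
  new="$1"; dir="$2"; rc=0
  new_subject=$(subject_of "$new")
  new_spki=$(spki_of "$new")
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    [ "$(subject_of "$f")" = "$new_subject" ] || continue
    if [ "$(spki_of "$f")" = "$new_spki" ]; then
      echo "duplicate $f"
    else
      echo "conflict $f"
      rc=1
    fi
  done
  return "$rc"
}
```

Certs held in the NSS database can be exported for this check with `certutil -L -d /etc/httpd/alias -n NICK -a > NICK.pem`; a "conflict" line names the entry that has to go (ldapdelete / certutil -D, as Flo describes) before ipa-cacert-manage install will succeed.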