Harald Dunkel via FreeIPA-users wrote:
> Hi Rob,
> 
> On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
>> Harald Dunkel via FreeIPA-users wrote:
>>> See attachment.
>>>
>>> Please note the "invalid certificate". Do you remember the thread
>>> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
>>> after root certificate change via ipa-cacert-manage" and the
>>> output of "ipa-certupdate -v" I had posted?
>>>
>>
>> The ipa-certupdate error was a red herring. IPA was just looking for all
>> possible CA certs it could know about.
>>
> OK.
> 
>> It does look like the trust is wrong on your CA cert in the tomcat NSS
>> database.
>>
>> # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
>> [ snip ]
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>>
>> If yours isn't that
> 
> Sorry, but I don't understand. My what isn't what?

If your entry doesn't look like that, which it does.

>> you can try modifying it with:
>>
>> # certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "caSigningCert cert-pki-ca" -t CTu,Cu,Cu
>>
> Here is what I see on the broken ipa server:
> 
> 
> [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> Server-Cert cert-pki-ca                                      u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
> CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,
> 
> 
> The CN=example Root CA,... certificate is unwanted. It did not expire,
> but it uses an invalid format for its expiration date. I ran ipa-cacert-manage
> to replace it with the CN=root-CA,... certificate a few months ago.
> 
> 
> The certificate database on another ipa server (not broken yet, as it
> seems) looks different:
> 
> 
> [root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> subsystemCert cert-pki-ca                                    u,u,u
> CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
> ocspSigningCert cert-pki-ca                                  u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> 
> 
> I would highly appreciate any advice how to cleanup this mess.
> 
> How come the unwanted "example Root CA" is still in the databases at
> all? Due to the broken format I have to get rid of it asap.

What is broken about the cert? I can only assume you installed your IPA
server by having an external CA sign it. It would appear that this
external CA, in your case CN=root-CA, isn't trusted, hence the server
won't start.

To fix this you could run:

# certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE" -t C,,

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
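A check for the trust-flag problem Rob describes, as an added example that is not part of the thread and not FreeIPA or Dogtag code: it parses a saved `certutil -L` listing (the ipa1 and ipa2 listings from the thread are embedded as constructed sample input), reports CA entries whose SSL column lacks the `C` (trusted CA) flag, and prints the `certutil -M ... -t` command from the reply that restores it. Treating an entry whose nickname starts with `CN=` as an externally supplied CA is an assumption made for the example (ipa-cacert-manage stores such certs under their subject DN); the rest follows the column layout certutil prints.

```python
"""Audit trust flags in a certutil -L listing.

Added example (not FreeIPA or Dogtag code). It parses the text that
`certutil -L -d /var/lib/pki/pki-tomcat/ca/alias` prints, flags CA entries
whose SSL column lacks the 'C' (trusted CA) flag, and prints the
`certutil -M ... -t` command that restores it, as suggested in the thread.
"""
import re
import shlex
from typing import List, NamedTuple

NSSDB = "/var/lib/pki/pki-tomcat/ca/alias"

# Each certificate line is "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>".  Nicknames
# may contain commas and spaces (subject DNs), so the trust column is matched
# anchored at the end of the line.  Each flag group may be empty (",,").
FLAGS = r"[CTPcpuw]*"
LINE_RE = re.compile(rf"^(?P<nick>\S.*?)\s+(?P<trust>{FLAGS},{FLAGS},{FLAGS})$")


class Entry(NamedTuple):
    nickname: str
    ssl: str
    smime: str
    jar: str


def parse_certutil_listing(text: str) -> List[Entry]:
    """Turn certutil -L output into Entry records; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(Entry(m.group("nick"), ssl, smime, jar))
    return entries


def is_ca_entry(e: Entry) -> bool:
    """Dogtag's own CA signing cert, or an external CA stored under its subject DN
    (the nickname form ipa-cacert-manage uses).  Assumption made for this example."""
    return e.nickname.startswith("caSigningCert") or e.nickname.startswith("CN=")


def find_untrusted_cas(entries: List[Entry]) -> List[Entry]:
    """CA entries that are not marked as a trusted CA for SSL (no 'C' in column 1)."""
    return [e for e in entries if is_ca_entry(e) and "C" not in e.ssl]


def duplicate_nicknames(entries: List[Entry]) -> List[str]:
    """Nicknames that appear more than once (e.g. an old and a renewed caSigningCert)."""
    seen, dups = set(), []
    for e in entries:
        if e.nickname in seen and e.nickname not in dups:
            dups.append(e.nickname)
        seen.add(e.nickname)
    return dups


def fix_command(e: Entry, nssdb: str = NSSDB) -> str:
    """certutil -M invocation adding the trusted-CA flag for SSL while keeping
    the flags the entry already has; for an entry at ',,' this yields '-t C,,'."""
    ssl = e.ssl if "C" in e.ssl else "C" + e.ssl
    return (f"certutil -M -d {shlex.quote(nssdb)} "
            f"-n {shlex.quote(e.nickname)} -t {ssl},{e.smime},{e.jar}")


# Constructed sample: the two listings posted in the thread (ipa1 broken, ipa2 working).
BROKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  ,,
"""

HEALTHY_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""

if __name__ == "__main__":
    for host, listing in (("ipa1", BROKEN_LISTING), ("ipa2", HEALTHY_LISTING)):
        entries = parse_certutil_listing(listing)
        print(f"{host}: {len(entries)} certificates, duplicates: {duplicate_nicknames(entries)}")
        for e in find_untrusted_cas(entries):
            print(f"  untrusted CA {e.nickname!r} ({e.ssl},{e.smime},{e.jar}); fix with:")
            print(f"    {fix_command(e)}")
```

Against the embedded ipa1 listing the script reports the `CN=root-CA,...` entry at `,,` and prints exactly the `-t C,,` command from the reply; against the ipa2 listing it finds no untrusted CA but notes that `caSigningCert cert-pki-ca` appears twice, which is worth checking with `certutil -L -n` before cleaning up. To audit a live database, feed it `parse_certutil_listing(sys.stdin.read())` from `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias`, and review the suggested `-M` command before running it as root.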