lejeczek via FreeIPA-users wrote:
> hi everyone
>
> apologies first and foremost as this does not concern IPA directly, I've
> tried apache's list but no help I found there (yet). So I know Apache's
> experts traverse here thus maybe more luck here.
> I'm experiencing a weird thing. What I'm trying to do I believe must be
> so common that many of you have done it and thus could advise.
> I converted my let's encrypt cert into a new cert8.db (but also tried
> cert9.db, as below), and I have in config:
>
> <VirtualHost none.net:443>
> DocumentRoot /usr/share/wordpress.none
> DirectoryIndex index.php index.html
> ServerName none.net
> ServerAlias www
>
> NSSEngine on
> NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSCertificateDatabase sql:/etc/httpd/none
> NSSNickname "none.net - Let's Encrypt"
>
> ErrorLog /var/log/httpd/none.net_443-error.log
> CustomLog /var/log/httpd/none.net_443-access.log common
>
> When I do:
>
> $ certutil -L -d sql:/etc/httpd/none/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> none.net - Let's Encrypt                                     u,u,u
> Let's Encrypt Authority X3 - Digital Signature Trust Co.     CT,C,C
>
> So all good, right? Cert is there in the database, yet Apache fails to
> start.
>
> ...
> [Thu Jan 04 15:34:17.188664 2018] [:error] [pid 21849:tid 140612518500608] Certificate not found: 'none.net'
> ...
>
> Is this not ... well, strange.
> I presume NSS can handle multiple NSSCertificateDatabase (per VirtualHost)?
> Not files permission, not selinux.
> What can be a problem here?

There can be only one NSSCertificateDatabase right now. I've been toying with NSS contexts which might allow multiple but it is pretty low priority-wise.

rob
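A configuration check for the limitation described in the reply, as an added example that is not part of the thread and not mod_nss code: it scans Apache configuration text and reports when more than one distinct NSSCertificateDatabase is named. The sample config, the `/etc/httpd/alias` path, the `other.example` host and the `Server-Cert` nickname are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a server-wide database plus a per-vhost one, as in the question.
SAMPLE_CONF = '''\
NSSCertificateDatabase /etc/httpd/alias
<VirtualHost none.net:443>
    NSSEngine on
    NSSCertificateDatabase sql:/etc/httpd/none
    NSSNickname "none.net - Let's Encrypt"
</VirtualHost>
<VirtualHost other.example:443>
    NSSEngine on
    # NSSCertificateDatabase sql:/etc/httpd/commented-out
    NSSNickname Server-Cert
</VirtualHost>
'''

def find_nss_databases(conf_text):
    """Map each active NSSCertificateDatabase value to [(line_no, scope), ...]."""
    found = defaultdict(list)
    scope = "server config"
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments configure nothing
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            scope = "VirtualHost " + m.group(1).strip()
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            scope = "server config"
        else:
            m = re.match(r"NSSCertificateDatabase\s+(.+)$", line, re.I)
            if m:
                # Drop quotes and a trailing slash so the same directory compares equal.
                db = m.group(1).strip().strip("\"'").rstrip("/")
                found[db].append((no, scope))
    return dict(found)

def conflicting_databases(conf_text):
    """Return the sorted database list if more than one is configured, else []."""
    dbs = find_nss_databases(conf_text)
    return sorted(dbs) if len(dbs) > 1 else []

if __name__ == "__main__":
    for db, uses in find_nss_databases(SAMPLE_CONF).items():
        print(db, uses)
    if conflicting_databases(SAMPLE_CONF):
        print("more than one NSSCertificateDatabase configured")
```

Configuration split across several files can be concatenated before being passed in, since the check only needs the directive text.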