lejeczek via FreeIPA-users wrote:
> hi everyone
> 
> apologies first and foremost as this does not concern IPA directly, I've
> tried Apache's list but no help I found there (yet). So I know Apache's
> experts traverse here thus maybe more luck here.
> I'm experiencing a weird thing. What I'm trying to do I believe must be
> so common that many of you have done it and thus could advise.
> I converted my Let's Encrypt cert into a new cert8.db (but also tried
> cert9.db, as below), and I have in config:
> 
> <VirtualHost none.net:443>
>   DocumentRoot /usr/share/wordpress.none
>   DirectoryIndex index.php index.html
>   ServerName none.net
>   ServerAlias www
> 
>   NSSEngine on
>   NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> 
>   NSSCertificateDatabase sql:/etc/httpd/none
>   NSSNickname "none.net - Let's Encrypt"
> 
>   ErrorLog /var/log/httpd/none.net_443-error.log
>   CustomLog /var/log/httpd/none.net_443-access.log common
> 
> When I do:
> 
> $ certutil -L -d sql:/etc/httpd/none/
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> none.net - Let's Encrypt                                   u,u,u
> Let's Encrypt Authority X3 - Digital Signature Trust Co.     CT,C,C
> 
> So all good, right? Cert is there in the database, yet Apache fails to
> start.
> 
> ...
> [Thu Jan 04 15:34:17.188664 2018] [:error] [pid 21849:tid 140612518500608] Certificate not found: 'none.net'
> ...
> 
> Is this not ... well, strange.
> I presume NSS can handle multiple NSSCertificateDatabase (per VirtualHost)?
> Not files permission, not selinux.
> What can be a problem here?

There can be only one NSSCertificateDatabase right now. I've been toying
with NSS contexts which might allow multiple but it is pretty low
priority-wise.

rob
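
A check for the constraint in the reply above (only one NSSCertificateDatabase), as an added example that is not part of the original thread or of mod_nss: it scans httpd configuration text and lists every NSSCertificateDatabase directive when more than one distinct database is configured. The function names and the sample configuration are constructed for illustration, and Include directives are not followed.

```python
import re

# Constructed sample: one server-level database plus a per-vhost one,
# mirroring the layout in the question. Paths are illustrative.
SAMPLE_CONF = '''\
NSSCertificateDatabase sql:/etc/httpd/other
<VirtualHost none.net:443>
  ServerName none.net
  NSSEngine on
  # NSSCertificateDatabase sql:/etc/httpd/old
  NSSCertificateDatabase sql:/etc/httpd/none
  NSSNickname "none.net - Let's Encrypt"
</VirtualHost>
'''

DIRECTIVE = re.compile(r'^\s*NSSCertificateDatabase\s+(?:"([^"]+)"|(\S+))', re.I)
VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost\s*>', re.I)

def find_databases(conf_text):
    """Return [(line_no, scope, path)] for each NSSCertificateDatabase directive."""
    found, scope = [], "server"
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        m = VHOST_OPEN.match(line)
        if m:
            scope = "vhost " + m.group(1).strip()
            continue
        if VHOST_CLOSE.match(line):
            scope = "server"
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.append((no, scope, m.group(1) or m.group(2)))
    return found

def check_single_database(conf_text):
    """Return one warning per directive if more than one distinct database is set."""
    found = find_databases(conf_text)
    if len({path for _, _, path in found}) <= 1:
        return []
    return [f"line {no} ({scope}): NSSCertificateDatabase {path}"
            for no, scope, path in found]

if __name__ == "__main__":
    for warning in check_single_database(SAMPLE_CONF):
        print("multiple certificate databases:", warning)
```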