On 05/01/18 20:59, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
hi everyone

apologies first and foremost as this does not concert IPA directly, I've
tried apache's list but no help I found there(yet). So I know Apache's
experts traverse here thus maybe more luck here.
I'm experiencing a weird thing. What I'm trying to do I believe must be
so common that many of you have done it and thus could advice.
I converted my let's encrypt cert into a new cert8.db(but also tried
cert9.db, as belowe), and I have in config:

<VirtualHost none.net:443>
   DocumentRoot /usr/share/wordpress.none
   DirectoryIndex index.php index.html
   ServerName none.net
   ServerAlias www

   NSSEngine on
   NSSCipherSuite
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

   NSSCertificateDatabase sql:/etc/httpd/none
   NSSNickname "none.net - Let's Encrypt"

   ErrorLog /var/log/httpd/none.net_443-error.log
   CustomLog /var/log/httpd/none.net_443-access.log common

When I do:

$ certutil -L -d sql:/etc/httpd/none/

Certificate Nickname                                         Trust
Attributes
SSL,S/MIME,JAR/XPI

none.net - Let's Encrypt                                   u,u,u
Let's Encrypt Authority X3 - Digital Signature Trust Co.     CT,C,C

So all good, right? Cert is there in the database, yet Apache fails to
start.

...
[Thu Jan 04 15:34:17.188664 2018] [:error] [pid 21849:tid
140612518500608] Certificate not found: 'none.net'
...

Is this not ... well, strange.
I presume NSS can handle multiple NSSCertificateDatabase(per VirtualHost) ?
Not files permission, not selinux.
What can be a problem here?
There can be only one NSSCertificateDatabase right now. I've been toying
with NSS contexts which might allow multiple but it is pretty low
priority-wise.

rob
you guys are the best, not for freeipa only, but as for "helpers" too.
many! thanks.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to