On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote:
Hi,

As stated in
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

I cannot log in to the FreeIPA web page.

So I updated the CA by:

# delete everything except IPA CA of httpd and dirsrv

certutil -d /etc/httpd/alias -D -n 'xxx'

# ca-bundle.crt is 3 files named USERTrust, etc.

# server.all is a combination of my certificate signed by Sectigo (formerly
named Comodo).

openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"

# add to httpd and dirsrv.

pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert

I restarted all services with ipactl restart, but it seems pki-tomcat fails to
start up.

#### log of ipactl start ####

Starting pki-tomcatd Service
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus
ipa: DEBUG: request body ''
ipa: DEBUG: response status 500
ipa: DEBUG: response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Wed, 17 Jun 2020 09:13:19 GMT
Connection: close

ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s
......

ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500
ipa: DEBUG: Waiting until the CA is running

#### END of log #####


Here is the log of pki-tomcat

###
Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)

###

The point is 'Peer's certificate issuer has been marked as not trusted by the
user.' As far as I know, pki-tomcat needs a certificate to bind to 389 DS and
store information.

But I didn't touch the CA named 'IPA CA', so basically pki-tomcatd could use its
own certificate named 'subsystemCert cert-pki-ca' to bind to 389 DS.

Please help.

Hi,

the new CA certs from Sectigo need to be installed with ipa-cacert-manage install (the command uploads the certs in the LDAP database). For more information, please refer to "Installing a CA Certificate Manually" [1]. As the chain contains multiple certs, you need to start from the root cert then go down the chain. When all the certs have been added, don't forget to run ipa-certupdate on all the IPA hosts (the command downloads the certs from LDAP and puts them in all the NSSDBs that need them).

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/manual-cert-install
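
The root-first procedure flo describes, as an added shell example (not code from the thread or from FreeIPA itself). It assumes openssl is installed, that the Directory Manager password is exported as DM_PASSWORD, and that ca-bundle.crt is the PEM bundle from the CA vendor; the file names and the /tmp/ca-split directory are hypothetical.

```shell
# Added example, not from the thread: split a PEM CA bundle, order it so each
# issuer precedes the certificate it signed (self-signed roots first), upload
# it with ipa-cacert-manage install, then refresh the local NSS DBs.

# split_pem BUNDLE OUTDIR: write each PEM block to OUTDIR/cert-N.pem, print N.
split_pem() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0 }
        END { print n + 0 }' "$bundle"
}

# cert_field FILE subject|issuer: print the DN as one comparable string.
cert_field() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'; }

# chain_order DIR: list certs root first; fails if an issuer is missing from the bundle.
chain_order() {
    local dir="$1" pending="$1/pending.txt" seen="$1/seen.txt" f subj issuer hit
    for f in "$dir"/cert-*.pem; do echo "$f"; done > "$pending"; : > "$seen"
    while [ -s "$pending" ]; do
        hit=0
        for f in $(cat "$pending"); do
            subj=$(cert_field "$f" subject); issuer=$(cert_field "$f" issuer)
            if [ "$subj" = "$issuer" ] || grep -qxF "$issuer" "$seen"; then
                echo "$f"; echo "$subj" >> "$seen"; hit=1
                grep -vxF "$f" "$pending" > "$pending.tmp"; mv "$pending.tmp" "$pending"
            fi
        done
        [ "$hit" = 1 ] || { echo "chain incomplete: no issuer for remaining certs" >&2; return 1; }
    done
}

# install_chain DIR: upload the ordered chain to LDAP (trust flags C,, = trusted
# CA), then pull it into the local NSS DBs. Run ipa-certupdate on every other
# IPA host afterwards, as flo notes.
install_chain() {
    local f
    for f in $(chain_order "$1"); do
        ipa-cacert-manage install -p "$DM_PASSWORD" -t C,, "$f" || return 1
    done
    ipa-certupdate
}

# Only act when DM_PASSWORD is exported; otherwise this file just defines functions.
if [ -n "${DM_PASSWORD:-}" ]; then
    split_pem "${1:-ca-bundle.crt}" /tmp/ca-split >/dev/null && install_chain /tmp/ca-split
fi
```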


Thanks a lot.


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]