Eric Boisvert via FreeIPA-users wrote:
> Good afternoon,
>
> The configuration seems to have been put in /etc/httpd/client.conf, see below:
>
>> <IfModule mod_nss.c>
>> <VirtualHost *:443>
>> ServerName client
>>
>> NSSEnforceValidCerts off
>>
>> NSSEngine on
>>
>> NSSCipherSuite
>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sh$
>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>
>> NSSNickname Server-Cert
>>
>> NSSCertificateDatabase /etc/httpd/nssdb
>>
>> Redirect permanent / https://client.qc.lrtech.ca/
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>> ServerName client.qc.lrtech.ca
>>
>> NSSEnforceValidCerts off
>>
>> NSSEngine on
>>
>> NSSCipherSuite
>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha$
>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>
>> NSSNickname Server-Cert
>>
>> NSSCertificateDatabase /etc/httpd/nssdb
>> ProxyRequests Off
>>
>> ProxyPreserveHost On
>> <Proxy *>
>> Order deny,allow
>> #Deny from all
>> Allow from all
>> </Proxy>
>> ProxyPass / http://127.0.0.1:8169/ retry=0
>> ProxyPassReverse / http://127.0.0.1:8169/ retry=0
>> </VirtualHost>
>> </IfModule>
>
> I tried to restart httpd, certmonger, and my browser, but without success.
>
> When I do ipa-getcert resubmit -i <id>, am I supposed to see something change
> at freeipa.qc.lrtech.ca/ipa/ui/#/e/cert/search? All I can see is Expired,
> Revoked and greyed out certificates.
ipa-certupdate doesn't update /etc/httpd/nssdb, which is why it is missing
parts of the chain. I'd suggest adding those certificates manually, which
IIRC you've already done elsewhere. With NSS of the EL7 era, each database
is independent.

getcert list -i <id> will tell you the current status and issue date of the
certificate, so you can tell whether one was re-issued. If it isn't in
MONITORING then something went wrong. Alternatively you can add -w -v to the
end of the resubmit request to watch it in real time.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
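The two things Rob's reply asks for, importing the missing chain into the mod_nss database by hand and reading the request state out of getcert list, as one script. This is an added example, not code from the thread or from FreeIPA/certmonger. It assumes the IPA CA chain is available as a PEM bundle at /etc/ipa/ca.crt, that the database is /etc/httpd/nssdb with the server cert under nickname Server-Cert as in Eric's client.conf, and that certutil and getcert are on PATH; the ipa-chain-N nicknames and the RUN_NSS_FIX switch are my own choices, and the PEM bundle used to exercise pem_split below is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread): repair a mod_nss database that is
# missing part of the IPA CA chain, then confirm the server cert verifies
# and that certmonger shows the tracking request back in MONITORING.
#
# Assumptions (not stated in the thread): chain bundle in /etc/ipa/ca.crt,
# database /etc/httpd/nssdb, server cert nickname Server-Cert, and
# certutil/getcert on PATH. All three can be overridden via environment.
set -eu

NSSDB="${NSSDB:-/etc/httpd/nssdb}"
CHAIN="${CHAIN:-/etc/ipa/ca.crt}"
NICK="${NICK:-Server-Cert}"

# Split a PEM bundle read on stdin into $1/cert-N.pem, one certificate per
# file, dropping any text outside the BEGIN/END markers (e.g. openssl's
# "subject=" lines). Prints the number of certificates found.
# certutil -A takes one certificate per invocation, hence the split.
pem_split() {
  awk -v dir="$1" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }
  '
}

# Import every certificate of the chain bundle as a trusted CA (CT,C,C),
# skipping nicknames already present because certutil -A rejects duplicates.
# Nickname scheme ipa-chain-N is an assumption of this example.
import_chain() {
  tmp=$(mktemp -d)
  count=$(pem_split "$tmp" < "$CHAIN")
  i=1
  while [ "$i" -le "$count" ]; do
    nick="ipa-chain-$i"
    if ! certutil -L -d "$NSSDB" -n "$nick" >/dev/null 2>&1; then
      certutil -A -d "$NSSDB" -n "$nick" -t "CT,C,C" -a -i "$tmp/cert-$i.pem"
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Print one field (status, expires, ...) from `getcert list` output on stdin.
# getcert indents its fields with a tab, so leading whitespace is stripped.
getcert_field() {
  awk -v key="$1" -F': ' '
    { sub(/^[ \t]+/, "") }
    index($0, key ": ") == 1 { print $2; exit }
  '
}

# Check that Server-Cert chains to a trusted CA in this database for the
# SSL-server usage (-u V). Non-zero exit means the chain is still incomplete.
verify_server_cert() {
  certutil -V -d "$NSSDB" -n "$NICK" -u V
}

# Current certmonger state of a tracking request; per the reply, anything
# other than MONITORING after a resubmit means the renewal did not complete.
check_tracking() {
  getcert list -i "$1" | getcert_field status
}

main() {
  id="${1:?usage: $0 <certmonger-request-id>}"
  import_chain
  verify_server_cert
  # To re-issue and watch the request, as suggested in the reply:
  #   ipa-getcert resubmit -i "$id" -w -v
  status=$(check_tracking "$id")
  printf 'request %s: %s\n' "$id" "$status"
  [ "$status" = MONITORING ]
}

# Run only when explicitly asked, so the functions can be sourced or tested
# on a host without certutil/getcert.
if [ "${RUN_NSS_FIX:-0}" = 1 ]; then
  main "$@"
fi
```

Run it as root on the web host with `RUN_NSS_FIX=1 sh fix-nssdb.sh <request-id>`, taking the request id from `getcert list`. The certutil -V step is the useful one: it fails loudly when the database still lacks an intermediate, which is the symptom Rob describes, whereas httpd with NSSEnforceValidCerts off will start regardless and leave the problem to the browser.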
