Sorry, hit send too soon.

On Tue, Jan 3, 2023 at 1:53 PM Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
>
> On Tue, Jan 3, 2023 at 9:20 AM junhou he via FreeIPA-users <
> [email protected]> wrote:
>
>> Hi,
>> I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
>>
>> # matches for REST API of CA, KRA, and PKI
>> <LocationMatch "^/(ca|kra|pki)/rest/">
>>     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>>     SSLVerifyClient optional
>>     ProxyPassMatch ajp://localhost:8009 secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
>>     ProxyPassReverse ajp://localhost:8009
>> </LocationMatch>
>>
>> [root@wocfreeipa ~]# certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                                Trust Attributes
>>                                                                     SSL,S/MIME,JAR/XPI
>>
>> WINGON.HK IPA CA                                                    CT,C,C
>> Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc.      CT,C,C
>> Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
>> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
>> Server-Cert                                                         u,u,u
>>
> ^^ I'm surprised that your http cert is stored in /etc/httpd/alias. With
> IPA 4.9.8, httpd is using mod_ssl instead of mod_nss.
> The config file /etc/httpd/conf.d/ssl.conf should set up the following:
>
> SSLCertificateFile /var/lib/ipa/certs/httpd.crt
> SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
> SSLCACertificateFile /etc/ipa/ca.crt
>
> instead of using /etc/httpd/conf.d/nss.conf with the NSS database.
>
> Do you have a config file /etc/httpd/conf.d/ssl.conf or
> /etc/httpd/conf.d/nss.conf? What is the output of "httpd -M"?
>
> The server cert seems to be a wildcard cert, can you

Can you show the server cert PEM file? I remember issues with wildcard certs, as the recommended way is to add SAN extensions IIRC.

> flo
>
>
>
>> [root@wocfreeipa ~]# certutil -d /etc/httpd/alias/ -O -n Server-Cert
>> "Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc." [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]
>>
>>   "Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc." [CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
>>
>>     "Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc." [CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
>>
>>       "Server-Cert" [CN=*.wingon.hk]
>>
>> [root@wocfreeipa ~]# certutil -L -d /etc/dirsrv/slapd-WINGON-HK/
>>
>> Certificate Nickname                                                Trust Attributes
>>                                                                     SSL,S/MIME,JAR/XPI
>>
>> CN=*.wingon.hk                                                      u,u,u
>> WINGON.HK IPA CA                                                    CT,C,C
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>>
>> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>>
>> Certificate Nickname                                                Trust Attributes
>>                                                                     SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                           CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca                                         u,u,u
>> subsystemCert cert-pki-ca                                           u,u,u
>> auditSigningCert cert-pki-ca                                        u,u,Pu
>> Server-Cert cert-pki-ca                                             u,u,u
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>>
>> I use ipa-cacert-manage install to add the external CA.
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>
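The two diagnostics Florence asks for above (which TLS module httpd actually loads and whether the server cert is a wildcard CN with no subjectAltName) can be scripted so the answer is reproducible rather than read off by eye. The script below is an added example written for this page; it is not part of FreeIPA and was not posted in the thread. The config and certificate paths are the ones Florence lists for IPA 4.9.x, and the `httpd -M` module names (`ssl_module`, `nss_module`) are the standard Apache names; everything else is an assumption of the example.

```shell
#!/bin/sh
# Added diagnostic for the thread's two questions:
#   1. does httpd terminate TLS with mod_ssl (ssl.conf) or mod_nss (nss.conf)?
#   2. is the server certificate a wildcard CN without a subjectAltName?
# Example code for this page, not FreeIPA's own tooling. Paths are the defaults
# quoted in the thread; override with HTTPD_CONF_D / HTTPD_CERT if they differ.

HTTPD_CONF_D=${HTTPD_CONF_D:-/etc/httpd/conf.d}
HTTPD_CERT=${HTTPD_CERT:-/var/lib/ipa/certs/httpd.crt}

# Decide which TLS module httpd loads. Takes a file holding the output of
# `httpd -M` (so it also works on a copy saved from a remote host) and prints
# one of: ssl, nss, both, none. "both" or "none" is itself a misconfiguration.
tls_module_from_list() {
    has_ssl=0; has_nss=0
    grep -q '^ *ssl_module' "$1" && has_ssl=1
    grep -q '^ *nss_module' "$1" && has_nss=1
    case "$has_ssl$has_nss" in
        10) echo ssl ;;
        01) echo nss ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Report which of the two TLS config files is present in a conf.d directory.
# On IPA 4.9.x with mod_ssl only ssl.conf should exist.
tls_conf_present() {
    found=""
    [ -f "$1/ssl.conf" ] && found="ssl.conf"
    [ -f "$1/nss.conf" ] && found="${found:+$found }nss.conf"
    echo "${found:-none}"
}

# Inspect a PEM certificate with openssl: print the subject CN and the DNS
# names from subjectAltName. Returns 1 for the shape flagged in the thread
# (wildcard CN and no SAN at all), 2 if the file cannot be parsed, else 0.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    cn=$(printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,]*\).*/\1/p' | head -n1)
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^,]*' | sed 's/DNS://' | tr '\n' ' ')
    echo "CN=$cn SAN=${sans:-<none>}"
    case "$cn" in
        \**) [ -n "$sans" ] || return 1 ;;
    esac
    return 0
}

# Live run on an IPA server:  sh ipa-tls-check.sh --live
if [ "${1:-}" = "--live" ]; then
    mods=$(mktemp)
    httpd -M > "$mods" 2>/dev/null || apachectl -M > "$mods" 2>/dev/null
    echo "TLS module loaded : $(tls_module_from_list "$mods")"
    echo "TLS config present: $(tls_conf_present "$HTTPD_CONF_D")"
    check_server_cert "$HTTPD_CERT" || echo "server cert: wildcard CN without SAN (rc=$?)"
    rm -f "$mods"
fi
```

The check on the certificate deliberately keys on the absence of the SAN extension rather than on the wildcard alone: modern clients ignore the CN once a SAN is present, so a wildcard CN paired with an explicit DNS SAN for the IPA hostname is fine, while a bare wildcard CN is the case worth sending back to whoever issued the cert.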
