Oleksandr Nacho via FreeIPA-users wrote:
> Hi,
> We have two replicated ipa-server-4.9.11-5.0.2.module+el8 with a wildcard
> cert from Sectigo for httpd and dirsrv
> Now I installed the third one ipa-server-4.10.2-4.0.1.el9 and it works, users
> can log in, replication works, etc.
> But while installing certificates for httpd and dirsrv (
> ipa-server-certinstall -w -d mysite.key mysite.crt ) I've got an error:
>
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed,
> exception: ScriptError: CA certificate CN=AAA Certificate Services,O=Comodo
> CA Limited,L=Salford,ST=Greater Manchester,C=GB in mysite.key, mysite.crt is
> not valid: certutil: certificate is invalid: The certificate was signed using
> a signature algorithm that is disabled because it is not secure.
>
> As I understand this is because AAA Certificate has a Signature Algorithm:
> sha1WithRSAEncryption
> Does anyone know how I can fix this?

The NSS library is throwing SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED. Looks
like it is related to crypto policy.

I think you'll need to either relax the policy or, better, get a new
certificate.

rob
