mskaraca--- via FreeIPA-users wrote:
> Hi 
> 
> I just wanted to say thank you to this list and especially to Rob
> Crittenden..
> 
> I could not log in to freeipa-users, there may be a problem in logging
> in with social network accounts. So I am sending this as an email..
> 
> Firstly, my issue was that FreeIPA was refusing to install my Comodo
> certificate with a signature algorithm complaint.
> 
> I am writing how I solved this issue with a complete CLI
> 
> #recommended by Rob and significant milestone in solving my problem
> update-crypto-policies --set DEFAULT:SHA1
> #I received ca-bundle from my CA with my CRT file
>  sudo ipa-cacert-manage  -t C,, install my-domain.ca-bundle 
>  sudo ipa-certupdate 
> #pem file includes all the certificate authority chain..
>  sudo ipa-server-certinstall --http --dirsrv mydomain.key mydomain.pem 
> 
> 
> 
> I have only one question
> Why did I need to add this CA file to my FreeIPA server? I mean it is
> already signed with a public CA? Web servers can easily see and do not
> throw any error when I install this certificate, but the same is not true
> when I install this certificate in IDM or in anything other than a web
> server.. so why do they not know my CA automatically?
> 
> Is it because this is especially designed for HTTPS connections? Do I
> need to request something different or from another vendor, such as VeriSign?

Not every public CA chain is present on all machines.

The chain is installed on the server using ipa-cacert-manage so it can
be distributed to clients with ipa-certupdate.

Your certificate is probably fine, though SHA-1 is deprecated. For more
details see https://en.wikipedia.org/wiki/SHA-1

rob
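
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original messages or of FreeIPA itself: it lists the signature algorithms used in the CA bundle and the server certificate, and checks that the certificate chains to the bundle alone rather than to whatever CAs the local machine happens to trust. The function names and file arguments are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before ipa-cacert-manage and
# ipa-server-certinstall. Function names and arguments are assumptions.

# Signature algorithm of the first certificate in a PEM file.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Distinct signature algorithms of every certificate in a PEM bundle.
bundle_sigalgs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        awk '/Signature Algorithm:/ { print $3 }' | sort -u
}

# "weak" for SHA-1 based signatures (the kind that needed DEFAULT:SHA1
# in this thread), "ok" for anything else.
sigalg_status() {
    case "$1" in
        *[Ss][Hh][Aa]1*) echo weak ;;
        *) echo ok ;;
    esac
}

# True only if the certificate chains to a CA in the bundle itself;
# -no-CApath keeps the system certificate directory out of the check.
chain_ok() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: preflight <ca-bundle.pem> <server-cert.pem>
preflight() {
    rc=0
    for alg in $(bundle_sigalgs "$1") $(cert_sigalg "$2"); do
        if [ "$(sigalg_status "$alg")" = weak ]; then
            echo "WARN: $alg signature present"
            rc=1
        fi
    done
    if ! chain_ok "$1" "$2"; then
        echo "FAIL: $2 does not chain to a CA in $1"
        rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Both `openssl x509` and `openssl verify` look only at the first certificate in the server PEM, so a file that also carries the chain should list the server certificate first.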