Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> I have a vulnerability on port 8443 reported by the Nessus scanner.
>
> I have a third-party certificate already installed for the LDAP and Apache services.
>
> I have the root and intermediate certificates also installed in the pki-tomcat service, as shown below.
>
> The certificate caSigningCert cert-pki-ca is the one causing this vulnerability.
>
> Any suggestions to overcome this issue?
>
> [root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' | egrep -i 'Issuer:|Subject:'
>         Issuer: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
>         Subject: "CN=Certificate Authority,O=IPA.EXAMPLE.COM"
>
> [root@aaa01 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-EXAMPLE-COM/
>
> Certificate Nickname                                                          Trust Attributes
>                                                                               SSL,S/MIME,JAR/XPI
>
> CN=*.IPA.EXAMPLE.COM                                                          u,u,u
> IPA.EXAMPLE.COM IPA CA                                                        CT,C,C
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   CT,C,C
> [root@aaa01 ~]#
> [root@aaa01 ~]#
>
> [root@aaa01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname                                                          Trust Attributes
>                                                                               SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                                     CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                                   u,u,u
> Server-Cert cert-pki-ca                                                       u,u,u
> subsystemCert cert-pki-ca                                                     u,u,u
> auditSigningCert cert-pki-ca                                                  u,u,Pu
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,C,C
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   CT,C,C
>
> Scanning Report and Solution Given:
>
> 8443   SSL Certificate Cannot Be Trusted   The SSL certificate for this service cannot be trusted.
> 8443   SSL Self-Signed Certificate         "The SSL certificate chain for this service ends in an unrecognized self-signed certificate."
>
> Solution:
>
> Purchase or generate a proper SSL certificate for this service.
Scanners. There is nothing wrong with this CA cert. Self-signed doesn't have to mean "bad". Nothing outside the IPA machine should even be able to talk to it, so it's not a problem even if the CA cert were somehow bad, and it isn't. You can ignore this.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
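The scanner's second finding says exactly what is going on: the chain presented on 8443 ends in a self-signed certificate the scanner does not recognise, because its trust store holds public roots and not the IPA CA. The script below is an added example, not code from the thread or from FreeIPA/Dogtag. It rebuilds that situation offline with throwaway keys: a self-signed CA whose subject mirrors the caSigningCert shown above issues a server certificate, `openssl verify` is run once the way a scanner with only public roots sees the chain and once with the IPA CA as the trust anchor, and the CA certificate is checked for the two properties that make it a root rather than a misissued leaf (subject equals issuer, basicConstraints CA:TRUE). It assumes openssl 1.1.0 or later on PATH; the host name aaa01.ipa.example.com is taken from the prompt in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Assumptions: openssl 1.1.0+ is on PATH (for -no-CAfile/-no-CApath); the
# keys and certificates are throwaway ones generated here, not the server's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with the same subject the thread shows for
# "caSigningCert cert-pki-ca". "req -x509" marks it CA:TRUE by default.
make_ipa_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/O=IPA.EXAMPLE.COM/CN=Certificate Authority' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate for the 8443 listener, issued by that CA: the stand-in
# for "Server-Cert cert-pki-ca" in the pki-tomcat NSS database.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/O=IPA.EXAMPLE.COM/CN=aaa01.ipa.example.com' \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# A root CA is self-signed by definition: subject == issuer and CA:TRUE.
# Returns 0 when the CA cert has that shape, 1 otherwise.
ca_is_self_signed_ca() {
  subj=$(openssl x509 -in "$WORK/ca.crt" -noout -subject)
  iss=$(openssl x509 -in "$WORK/ca.crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] &&
    openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# The scanner's view: it receives the server cert and the CA cert (passed
# here as an untrusted intermediate) but has no trust anchor for the IPA CA.
# -no-CAfile/-no-CApath keep the system roots out so the result is the same
# on every machine. Prints openssl's "self-signed certificate in certificate
# chain" diagnostic instead of failing the script.
verify_without_ipa_ca() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/ca.crt" \
    "$WORK/server.crt" 2>&1 || true
}

# The same chain with the IPA CA as the trust anchor, which is what an
# IPA-enrolled client (or a scanner fed the IPA CA cert) sees. Prints "OK".
verify_with_ipa_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" \
    "$WORK/server.crt" 2>&1
}

make_ipa_ca
make_server_cert
ca_is_self_signed_ca && echo 'CA cert: subject == issuer and CA:TRUE, i.e. a root'
echo '--- scanner view, IPA CA not trusted ---'
verify_without_ipa_ca
echo '--- IPA CA as trust anchor ---'
verify_with_ipa_ca
```

To run the same check against a real server rather than the throwaway material, capture the chain with `openssl s_client -connect aaa01.ipa.example.com:8443 -showcerts </dev/null`, save the server certificate to a file and verify it with `openssl verify -CAfile /etc/ipa/ca.crt`, where /etc/ipa/ca.crt is the usual location of the IPA CA certificate on an IPA server (an assumption about the deployment, not something the thread states). A clean "OK" there confirms the scanner finding is only a missing trust anchor on the scanner's side; the certificate and its chain are sound.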
