James Roman wrote:
I installed the 1.2.2-1 version from the test repo. I get really close to the end, but it is still bombing when trying to set the trust permissions on the web server cert. For some reason the final cert in the chain did not get installed into the /etc/httpd/alias directory. All worked fine for the directory server.

Strange. Does the valicert.com certificate exist in the DS database?

I guess I assumed that if the certificate was in the PKCS#12 file then it would be loaded by NSS. That doesn't seem to be the case.

This patch should help. It will log the failure of setting trust but will continue. If the certificate is indeed not needed then it shouldn't hurt anything.

diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py
index 95e6ac7..3782acf 100644
--- a/ipa-server/ipaserver/certs.py
+++ b/ipa-server/ipaserver/certs.py
@@ -386,8 +386,11 @@ class CertDB(object):
          if root_nickname[:7] == "Builtin":
logging.debug("No need to add trust for built-in root CA's, skippi
-             self.run_certutil(["-M", "-n", root_nickname,
-                                "-t", "CT,CT,"])
+             try:
+                 self.run_certutil(["-M", "-n", root_nickname,
+                                    "-t", "CT,CT,"])
+             except ipautil.CalledProcessError, e:
+ logging.error("Setting trust on %s failed" % root_nickname)

     def find_server_certs(self):
         p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
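Review bot: the new `except ipautil.CalledProcessError, e:` branch binds `e` but the `logging.error` call never uses it, so the log says that setting trust on the nickname failed without saying why. Including the exception in the message, for example `logging.error("Setting trust on %s failed: %s" % (root_nickname, e))`, would let an administrator tell a missing nickname apart from another certutil error. Because execution now continues past the failure, a CA in the chain can be left without the `CT,CT,` trust flags while the install reports success; a comment stating that this is intentional, or a later check that the server certificate still validates against the database, would make the relaxed behaviour explicit.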

The file to modify on an installed system is /usr/lib[64]/python*/site-packages/ipaserver/certs.py

Let me know if this fixes it for you and I'll see about getting this committed.



Freeipa-users mailing list
