Benjamin Reed wrote:

> On 12/23/11 12:02 PM, Simo Sorce wrote:
>> One thing you can test is if the ca.crt exposed via http is the same
>> that is stored on the server in /etc/ipa/ca.crt
>
> they are identical, I did find that the errors file is complaining about
> this:
>
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped.  To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped.  To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.

These are not related. IIRC 389-ds generates symmetric keys automatically when it is first started and if you've replaced your NSS cert db in the meantime those keys are not available. This would only be a problem if you decided to use per-attribute encryption at some future point.

You might want to try pulling the CA out of the DS instance and comparing that to what is being served up by the HTTP server:

To get the list of certs:

certutil -L -d /etc/dirsrv/slapd-INSTANCE

To get a specific cert:

certutil -L -n 'some nickname' -d /etc/dirsrv/slapd-INSTANCE -a > /tmp/dsca.crt

The error here is that the client doesn't trust the certificate that 389-ds is using.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
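An added example (not from this thread or from FreeIPA) of the comparison suggested above: fingerprint the CA from each source (the NSS database export, /etc/ipa/ca.crt and the HTTP-served copy) and report which ones disagree, comparing DER digests rather than text so different line wrapping does not look like a mismatch. The PEM data, the host name ipa.example.test and the function names are constructed assumptions; in practice the dictionary values come from reading the files and the certutil/curl output.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Matches each certificate in a PEM file (ca.crt may carry a chain, hence findall).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 fingerprint of every certificate in the text, in file order.
    Hashing the decoded DER means line wrapping or trailing whitespace
    differences between sources cannot cause a false mismatch."""
    fps = []
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def compare_ca_sources(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every source against the first one (the reference) and
    return {"match": [...], "mismatch": [...]} naming the other sources."""
    names = list(sources)
    ref = pem_fingerprints(sources[names[0]])
    report: Dict[str, List[str]] = {"match": [], "mismatch": []}
    for name in names[1:]:
        key = "match" if pem_fingerprints(sources[name]) == ref else "mismatch"
        report[key].append(name)
    return report

def _fake_pem(der: bytes, width: int = 64) -> str:
    """Constructed stand-in for a certificate file; the bytes are not a real
    certificate, only something with a stable fingerprint."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample: the HTTP copy is the same CA wrapped at 76 columns, while
# the DS NSS database (assumed nickname 'CA') still holds an older certificate.
_CURRENT_CA = b"constructed-current-ca-cert-bytes-" * 4
_OLD_CA = b"constructed-previous-ca-cert-bytes-" * 4
SAMPLE_SOURCES = {
    "/etc/ipa/ca.crt": _fake_pem(_CURRENT_CA),
    "http://ipa.example.test/ipa/config/ca.crt": _fake_pem(_CURRENT_CA, width=76),
    "certutil -L -n 'CA' -d /etc/dirsrv/slapd-INSTANCE -a": _fake_pem(_OLD_CA),
}

if __name__ == "__main__":
    print(compare_ca_sources(SAMPLE_SOURCES))
```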
