On 05/29/2013 01:42 AM, John Moyer wrote:
Yea I replaced both certs, however, in my troubleshooting I've found
more I'll say symptoms or potential problems, which may stem from
this or be independent from it.
1. Showing this error message on restarting the service:
EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
error -8172 - Peer's certificate issuer has been marked as not
trusted by the user.)
The error is saying the CA which signed your new cert is either unknown
or untrusted. Trusted CA's must be in the NSS database which is being
referenced, which in this case I believe is /etc/httpd/alias.
By default we don't add other root CA's to this database so you'll have
to add it. To see what is in the database do this:
sudo certutil -d /etc/httpd/alias -L -h internal
FWIW the "-h internal" means to also examine any preloaded CA's that may
have been added with modutil.
If CA the signed your cert is one of the standard trusted ones you can
add the entire set of trusted CA's with modutil
% sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
But that's a big hammer, you might be better off just manually just
adding the CA that signed your cert and adding trust for it. Examples
can be found here:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
--
John Dennis <[email protected]>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
