John,
I see the following when I ran that first command.
sudo certutil -d /etc/httpd/alias -L -h internal
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. ,,
MyIPA CTu,Cu,u
So being that I have no fear (or am just real dumb, I really feel it's just
both) I used that command and got this error after hitting enter to continue:
sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11
error.".
I then did the first command again (to see what I messed up) and it looks
identical as shown below:
sudo certutil -d /etc/httpd/alias -L -h internal
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. ,,
MyIPA CTu,Cu,u
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On May 29, 2013, at 8:36 AM, John Dennis <[email protected]> wrote:
> On 05/29/2013 01:42 AM, John Moyer wrote:
>> Yea I replaced both certs, however, in my troubleshooting I've found
>> more I'll say symptoms or potential problems, which may stem from
>> this or be independent from it.
>>
>> 1. Showing this error message on restarting the service:
>> EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA
>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
>> error -8172 - Peer's certificate issuer has been marked as not
>> trusted by the user.)
>
> The error is saying the CA which signed your new cert is either unknown or
> untrusted. Trusted CA's must be in the NSS database which is being
> referenced, which in this case I believe is /etc/httpd/alias.
>
> By default we don't add other root CA's to this database so you'll have to
> add it. To see what is in the database do this:
>
> sudo certutil -d /etc/httpd/alias -L -h internal
>
> FWIW the "-h internal" means to also examine any preloaded CA's that may have
> been added with modutil.
>
> If CA the signed your cert is one of the standard trusted ones you can add
> the entire set of trusted CA's with modutil
>
> % sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
>
> But that's a big hammer, you might be better off just manually just adding
> the CA that signed your cert and adding trust for it. Examples can be found
> here:
>
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>
>
> --
> John Dennis <[email protected]>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
