Vladimir Kulev wrote:
Hello,

After installing FreeIPA I followed instructions from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
use globally trusted certificates for HTTP/LDAP server interface to
secure other systems provisioning.

What version of IPA?

Then it went out that pki-tomcatd is not able to start anymore because
of this:
| NFO: Deploying web application directory
/var/lib/pki/pki-tomcat/webapps/ca
| SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
| SSLAuthenticatorWithFallback: Setting container
| SSLAuthenticatorWithFallback: Initializing authenticators
| SSLAuthenticatorWithFallback: Starting authenticators
| 01:48:31,313 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| 01:48:31,320 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| Internal Database Error encountered: Could not connect to LDAP server
host ipa.mydomain.com <http://ipa.mydomain.com/> port 636 Error
netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
issued your certificate."

I tried to fix trust by adding various certificates with certutil
to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
helped. Does anyone have a suggestion how to fix the situation?

You shouldn't need to change anything on the 389-ds side assuming it trusts its own CA properly.

You should just need to add the CA that signed the 389-ds cert to dogtag and restart. What is full certutil command you are using?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to