On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Vladimir Kulev wrote:
>
>> Hello,
>>
>> After installing FreeIPA I followed instructions from
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
>> use globally trusted certificates for HTTP/LDAP server interface to
>> secure other systems provisioning.
>>
>
> What version of IPA?
>
FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19

>> Then it went out that pki-tomcatd is not able to start anymore because
>> of this:
>> | INFO: Deploying web application directory
>> /var/lib/pki/pki-tomcat/webapps/ca
>> | SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
>> | SSLAuthenticatorWithFallback: Setting container
>> | SSLAuthenticatorWithFallback: Initializing authenticators
>> | SSLAuthenticatorWithFallback: Starting authenticators
>> | 01:48:31,313 DEBUG
>> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
>> retrieve ServletContext: expandEntityReferences defaults to true
>> | 01:48:31,320 DEBUG
>> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
>> retrieve ServletContext: expandEntityReferences defaults to true
>> | Internal Database Error encountered: Could not connect to LDAP server
>> host ipa.mydomain.com port 636 Error
>> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>
>> Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
>> issued your certificate."
>>
>> I tried to fix trust by adding various certificates with certutil
>> to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
>> helped. Does anyone have a suggestion how to fix the situation?
>>
>
> You shouldn't need to change anything on the 389-ds side assuming it
> trusts its own CA properly.
>
> You should just need to add the CA that signed the 389-ds cert to dogtag
> and restart. What is the full certutil command you are using?
Here is a command:

certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem

Also I tried to add an intermediate CA with the following:

certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem

The external CA file is correct, I verified it with "openssl s_client -CAfile /root/ca.pem -connect ipa.mydomain.com:636"

--
Best regards,
Vladimir Kulev
Mobile: +358400369346, +79215554422
Jabber: m...@lightoze.net
Skype: lightoze
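A way to look at both ends of the failing handshake, added here as an example and not code from the thread or from FreeIPA: it lists which entries in the pki-tomcat NSS database carry the C (trusted CA) flag in the SSL trust column, which is what the -t argument to certutil sets, and which issuer 389-ds actually presents on port 636. The NSS path and host name are the thread's; certutil and openssl are assumed to be installed, and the parser is exercised on a constructed certutil -L listing so that part runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the NSS tools (certutil)
# and openssl are installed; NSSDB and the host name are the thread's.
NSSDB="sql:/etc/pki/pki-tomcat/alias"

# Read `certutil -L` output on stdin and print the nicknames whose SSL trust
# column (first of SSL,S/MIME,JAR/XPI) contains "C": only these can act as a
# trusted CA when Dogtag's JSS client validates the LDAP server's chain.
ssl_trusted_cas() {
    awk '
        # keep only rows whose last field is a trust triple such as "CT,C,C"
        # or ",,"; this skips the two header lines and blank lines
        $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next }
        {
            split($NF, col, ",")
            if (index(col[1], "C") > 0) {
                $NF = ""                  # drop the flags, keep the nickname
                sub(/[ \t]+$/, "")
                print
            }
        }'
}

# Print the issuer DN of the certificate the LDAP server presents on 636.
ldaps_issuer() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Live report: the issuer printed last must chain to one of the nicknames
# printed first, directly or via an intermediate the server sends or the db holds.
pki_tomcat_trust_report() {
    echo "CAs trusted for SSL in $NSSDB:"
    certutil -L -d "$NSSDB" | ssl_trusted_cas
    echo "Issuer of the certificate served on $1:636:"
    ldaps_issuer "$1"
}

# Constructed sample shaped like `certutil -L` output, for an offline run.
SAMPLE_LISTING='Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                      CTu,Cu,Cu
External CA                                    CT,C,C
External Sub CA                                ,,
Server-Cert cert-pki-ca                        u,u,u'

if [ "${1:-}" = "--live" ]; then pki_tomcat_trust_report "${2:-ipa.mydomain.com}"
else printf '%s\n' "$SAMPLE_LISTING" | ssl_trusted_cas; fi
```

Run with `--live [host]` on the IPA server to compare the real database against the real LDAPS listener; without arguments it only parses the constructed listing, where the ",," entry is correctly absent from the trusted list.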
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users