Vladimir Kulev wrote:

On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    Vladimir Kulev wrote:

        Hello,

        After installing FreeIPA I followed the instructions from
        http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
        to use globally trusted certificates for the HTTP/LDAP server
        interface, to secure provisioning of other systems.


    What version of IPA?


FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19.


        Then it turned out that pki-tomcatd is not able to start anymore
        because of this:
        | INFO: Deploying web application directory
        /var/lib/pki/pki-tomcat/webapps/ca
        | SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
        | SSLAuthenticatorWithFallback: Setting container
        | SSLAuthenticatorWithFallback: Initializing authenticators
        | SSLAuthenticatorWithFallback: Starting authenticators
        | 01:48:31,313 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) -
        Unable to retrieve ServletContext: expandEntityReferences defaults to true
        | 01:48:31,320 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) -
        Unable to retrieve ServletContext: expandEntityReferences defaults to true
        | Internal Database Error encountered: Could not connect to LDAP server
        host ipa.mydomain.com port 636 Error

        netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

        Meanwhile dirsrv tells me "Peer does not recognize and trust the CA
        that issued your certificate."

        I tried to fix trust by adding various certificates with certutil
        to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
        helped. Does anyone have a suggestion how to fix the situation?


    You shouldn't need to change anything on the 389-ds side assuming it
    trusts its own CA properly.

    You should just need to add the CA that signed the 389-ds cert to
    dogtag and restart. What is the full certutil command you are using?


Here is the command:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem

Also I tried to add the intermediate CA with the following:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem

The external CA file is correct, I verified it with "openssl s_client
-CAfile /root/ca.pem -connect ipa.mydomain.com:636"

You should drop the sql prefix. This is creating a new cert and key database (you'll see a new cert9 and key4.db there). I don't believe that dogtag uses the sql prefix yet so it won't see the new certs you added.

You should also set the trust flags on all intermediate certs as well.

rob
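The two points in Rob's reply (the "sql:" prefix lands the certificates in a separate cert9.db/key4.db, and intermediates imported with ",," carry no CA trust) are both checkable before restarting pki-tomcatd. The script below is an added example written for this thread, not something posted by either participant or shipped with FreeIPA or Dogtag: it audits a `certutil -L` listing for entries that lack CA trust in the SSL column and prints the import command without the "sql:" prefix. The database path, the nicknames "External CA" / "External Sub CA", the file names and the sample listing are constructed from the values quoted in the thread, and the behaviour attributed to Dogtag is taken from Rob's reply rather than verified here.

```shell
#!/bin/sh
# Added example (not from the thread): audit trust flags in an NSS database
# listing and build the corrected certutil import command. Paths, nicknames
# and the sample listing below are constructed for illustration.

# Print nicknames whose SSL trust column carries neither C (valid CA) nor
# T (trusted CA). Entries whose SSL column contains u (a private key is
# present, i.e. a server/user certificate) are skipped, since those are not
# expected to carry CA trust. Reads `certutil -L` output on stdin.
certs_without_ca_trust() {
  awk '
    NF == 0 { next }                                # blank separator line
    /Trust Attributes/ || /SSL,S\/MIME/ { next }    # the two header lines
    {
      trust = $NF                                   # last column: SSL,S/MIME,JAR
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)         # strip trust column -> nickname
      split(trust, f, ",")
      if (f[1] ~ /[CT]/) next                       # has CA trust for SSL
      if (f[1] ~ /u/) next                          # key-bearing cert, not a CA
      print nick
    }'
}

# Print the certutil command that imports a CA certificate with CA trust for
# SSL, S/MIME and code signing. No "sql:" prefix: per the reply above, that
# prefix creates a separate cert9.db/key4.db which Dogtag (at this version)
# is not expected to read, so the certificate would never be seen.
import_ca_cmd() {
  db=$1; nick=$2; file=$3
  printf 'certutil -d %s -A -t "CT,C,C" -n "%s" -i %s\n' "$db" "$nick" "$file"
}

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias` output
# after the root was imported with CT,C,C and the intermediate with ",,".
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CTu,Cu,Cu
Server-Cert cert-pki-ca                       u,u,u
External CA                                   CT,C,C
External Sub CA                               ,,'

# Run the audit over the constructed sample; prints "External Sub CA".
audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | certs_without_ca_trust
}

# Against a live database (certutil required):
#   certutil -L -d /etc/pki/pki-tomcat/alias | certs_without_ca_trust
# Any nickname printed is an intermediate that still needs its trust flags
# set, e.g. via `certutil -d /etc/pki/pki-tomcat/alias -M -t "CT,C,C" -n "<nick>"`.
```

The audit deliberately flags only the SSL column, because that is the trust Dogtag needs when it opens the LDAPS socket to 389-ds on port 636; the "u" exclusion keeps the server certificate itself out of the report, so a clean run prints nothing.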

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
