Vladimir Kulev wrote:
> On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Vladimir Kulev wrote:
>>> Hello,
>>>
>>> After installing FreeIPA I followed the instructions from
>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>> to use globally trusted certificates for the HTTP/LDAP server interface,
>>> to secure provisioning of other systems.
>>
>> What version of IPA?
>
> FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19.
>
>>> Then it turned out that pki-tomcatd is not able to start anymore because of this:
>>>
>>> | INFO: Deploying web application directory /var/lib/pki/pki-tomcat/webapps/ca
>>> | SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
>>> | SSLAuthenticatorWithFallback: Setting container
>>> | SSLAuthenticatorWithFallback: Initializing authenticators
>>> | SSLAuthenticatorWithFallback: Starting authenticators
>>> | 01:48:31,313 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
>>> | 01:48:31,320 DEBUG (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to retrieve ServletContext: expandEntityReferences defaults to true
>>> | Internal Database Error encountered: Could not connect to LDAP server host ipa.mydomain.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>>
>>> Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that issued your certificate."
>>>
>>> I tried to fix trust by adding various certificates with certutil to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing helped. Does anyone have a suggestion how to fix the situation?
>>
>> You shouldn't need to change anything on the 389-ds side, assuming it trusts its own CA properly. You should just need to add the CA that signed the 389-ds cert to dogtag and restart.
>>
>> What is the full certutil command you are using?
>
> Here is the command:
>
> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem
>
> Also I tried to add the intermediate CA with the following:
>
> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem
>
> The external CA file is correct, I verified it with "openssl s_client -CAfile /root/ca.pem -connect ipa.mydomain.com:636".
You should drop the sql prefix. This is creating a new cert and key database (you'll see a new cert9 and key4.db there). I don't believe that dogtag uses the sql prefix yet so it won't see the new certs you added.
You should also set the trust flags on all intermediate certs as well.

rob

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
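Two small shell helpers illustrating Rob's two points, added here and not part of the thread or of FreeIPA/dogtag: one picks the certutil `-d` argument that matches the NSS database format actually present in a directory (bare path for cert8.db/key3.db, `sql:` prefix for cert9.db/key4.db), so an imported CA lands in the database dogtag reads; the other scans a `certutil -L` listing for entries that carry no trust flags at all, which is what an intermediate imported with `-t ",,"` looks like. The sample listing is constructed, and treating a directory that holds both formats as legacy is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/dogtag.

# Print the certutil -d argument for DIR: a bare path for the legacy dbm
# format (cert8.db/key3.db), a "sql:" prefix for the sqlite format
# (cert9.db/key4.db). Assumption: a directory holding both is treated as
# legacy, since that is the one older dogtag opens.
nss_db_arg() {
  dir=$1
  if [ -f "$dir/cert8.db" ]; then
    printf '%s\n' "$dir"
  elif [ -f "$dir/cert9.db" ]; then
    printf 'sql:%s\n' "$dir"
  else
    echo "no NSS database found in $dir" >&2
    return 1
  fi
}

# Read `certutil -L` output on stdin and print the nicknames whose SSL trust
# field (first of the three comma-separated attributes) has neither C/T
# (trusted CA), nor u (our own cert with a private key), nor p (trusted
# peer): entries that are in the database but trusted for nothing.
untrusted_entries() {
  awk -F'  +' '
    /^Certificate Nickname/ { next }   # first header line
    $1 == "" || NF < 2      { next }   # second header line, blank lines
    { split($NF, f, ","); if (f[1] !~ /[CTup]/) print $1 }
  '
}

# Constructed listing mirroring the thread: root CA fully trusted, the
# intermediate imported with ",,", and the server's own certificate.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

External CA                                     CT,C,C
External Sub CA                                 ,,
Server-Cert                                     u,u,u'

# Against a live dogtag instance this would be:
#   certutil -d "$(nss_db_arg /etc/pki/pki-tomcat/alias)" -L | untrusted_entries
printf '%s\n' "$SAMPLE_LISTING" | untrusted_entries
```

Any nickname the scan prints is a CA (or peer) that certutil holds but will never use to build a chain, so the ",," import of the sub CA shows up exactly as the thread's symptom predicts.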