On Thu, Aug 15, 2013 at 6:23 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Here is a command:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External
>> CA" -i /root/ca.pem
>>
>> Also I tried to add intermediate CA with the following:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub
>> CA" -i /root/sub.pem
>>
>> External CA file is correct, I verified it with "openssl s_client
>> -CAfile /root/ca.pem -connect ipa.mydomain.com:636
>> <http://ipa.mydomain.com:636>"
>>
>
> You should drop the sql prefix. This is creating a new cert and key
> database (you'll see a new cert9 and key4.db there). I don't believe that
> dogtag uses the sql prefix yet so it won't see the new certs you added.
>
> You should also set the trust flags on all intermediate certs as well.


You are right, lsof shows that java process opens only cert8.db and key3.db
I did as you say, and dirsrv log output changed to "Netscape Portable
Runtime error -8179 (Peer's Certificate issuer is not recognized.);
unauthenticated client"

Then I in addition ran this command:
certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA" -i
/etc/ipa/ca.crt

And eventually it worked!

So there were two problems:
1) ipa-server-certinstall removed IPA CA from dirsrv nssdb (by replacing it)
2) ipa-server-certinstall did not add new dirsrv CA into pki-tomcatd nssdb

Hope you can fix that either in documentation or tools :)


-- 

Best regards,

Vladimir Kulev


Mobile: +358400369346, +79215554422

Jabber: m...@lightoze.net

Skype: lightoze
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to