        Here is the command:
        certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n CA" -i /root/ca.pem

        Also, I tried to add the intermediate CA with the following:
        certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem

        The external CA file is correct; I verified it with "openssl s_client
        -CAfile /root/ca.pem -connect ipa.mydomain.com:636".

    You should drop the sql prefix. This is creating a new cert and key
    database (you'll see a new cert9 and key4.db there). I don't believe
    that dogtag uses the sql prefix yet so it won't see the new certs
    you added.

    You should also set the trust flags on all intermediate certs as well.

You are right, lsof shows that the java process opens only cert8.db and key3.db.
I did as you said, and the dirsrv log output changed to "Netscape Portable
Runtime error -8179 (Peer's Certificate issuer is not recognized.);
unauthenticated client".

Then, in addition, I ran this command:
certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA" -i /etc/ipa/ca.crt

And eventually it worked!

So there were two problems:
1) ipa-server-certinstall removed the IPA CA from the dirsrv nssdb (by replacing it)
2) ipa-server-certinstall did not add the new dirsrv CA into the pki-tomcatd nssdb

Hope you can fix that either in documentation or tools :)
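An added example, not from anyone in this thread, that checks the two things the replies turn on: whether a directory holds the legacy (cert8.db/key3.db) or sql (cert9.db/key4.db) NSS database, or both after a stray `sql:` import, and whether a given CA nickname is present with SSL CA trust in `certutil -L` output. The listing below is constructed sample output and the nicknames are assumed.

```shell
#!/bin/sh
# Added example (not the thread's own commands): sanity checks for NSS
# databases used by dirsrv and pki-tomcat after importing CA certificates.

# Print which NSS database format(s) exist in a directory. "both" means a
# second, sql-format database sits beside the legacy one, which is what an
# accidental "sql:" prefix creates; a service opening cert8.db won't see it.
nssdb_format() {
    dir=$1
    dbm=0; sql=0
    [ -f "$dir/cert8.db" ] && dbm=1
    [ -f "$dir/cert9.db" ] && sql=1
    if [ $dbm -eq 1 ] && [ $sql -eq 1 ]; then echo both
    elif [ $sql -eq 1 ]; then echo sql
    elif [ $dbm -eq 1 ]; then echo dbm
    else echo none; fi
}

# Read "certutil -L -d <dir>" output on stdin and print the trust attributes
# of one nickname (nothing if absent). Nicknames may contain spaces, so take
# the last field as the trust column and everything before it as the name.
trust_flags_of() {
    awk -v n="$1" '
        /Certificate Nickname/ || /SSL,S\/MIME/ || NF == 0 { next }
        {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)
            if ($0 == n) { print flags; exit }
        }'
}

# Succeed only when the nickname exists and its SSL column carries "C"
# (trusted CA), which the reply asks for on every CA in the chain.
ca_trusted() {
    flags=$(trust_flags_of "$1")
    [ -n "$flags" ] || return 1
    case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of what "certutil -L" prints (not real output).
SAMPLE_LISTING='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

IPA CA                                            CT,C,C
External Sub CA                                   ,,
Server-Cert                                       u,u,u'

# Demo: the intermediate imported with -t ",," is present but not trusted.
for nick in "IPA CA" "External Sub CA"; do
    if printf '%s\n' "$SAMPLE_LISTING" | ca_trusted "$nick"; then
        echo "$nick: trusted CA"; else echo "$nick: NOT trusted as CA"; fi
done
```

Against a live system, replace the sample with `certutil -L -d /etc/dirsrv/slapd-MYDOMAIN-COM/ | ca_trusted "IPA CA"` and run `nssdb_format` on both the dirsrv and pki-tomcat alias directories.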