I found the reason for the failure of the installation.

The script uses an NSS db located under /tmp:

Certificate Nickname                                         Trust Attributes

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c  
D.B.M. CA - dbmsrl.com                                       c,c, 
testnick                                                     P,,  

The trust attributes are strange (not trusted) and the chain is broken:

[root@dbm13 cert]# certutil -d [temp db] -O -n "Certificate Authority - 
"D.B.M. CA - dbmsrl.com" [O=dbmsrl.com,OU=office,OU=services,CN=D.B.M. CA]

  "Certificate Authority - dbmsrl.com" [CN=Certificate Authority,O=DBMSRL.COM]

[root@dbm13 cert]# certutil -d [temp db] -O -n "ipa-ca-agent"
"ipa-ca-agent" [CN=ipa-ca-agent,O=DBMSRL.COM]

I tried to export all the certificates in PEM format; if I check the signature 
with openssl, everything works perfectly...

The chain is valid, but NSS doesn't see it for the "ipa-ca-agent" certificate.

(sslget returns "SSL_ERROR_UNKNOWN_CA_ALERT" when the script tries to use this 

Now I know what the problem is, but I don't know how to fix it XD

Can anyone help me?

Thank you

Freeipa-users mailing list
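
Added example, not part of the original post and not FreeIPA or NSS code: a small Python parser for the `certutil -L` listing quoted above that decodes the three trust fields (SSL, S/MIME, object signing) and reports which entries NSS would use as SSL trust anchors (flag C or T). The function names are illustrative, and the flag meanings are taken from the certutil documentation.

```python
import re

# Listing as posted above (output of `certutil -L` on the temporary NSS db).
LISTING = """\
Certificate Nickname                                         Trust Attributes

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c
D.B.M. CA - dbmsrl.com                                       c,c,
testnick                                                     P,,
"""

# The three comma-separated trust fields, in certutil's order.
USAGES = ("ssl", "email", "objsign")

# Flag meanings as given in the certutil documentation.
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA (server certificates)",
    "T": "trusted CA (client certificates)",
    "u": "user certificate (private key present)",
}

# A data row is: nickname, at least two spaces, then "flags,flags,flags".
ROW = re.compile(r"^(.+?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Map nickname -> {usage: flags}; header and blank lines are skipped."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group(1)] = dict(zip(USAGES, m.group(2).split(",")))
    return certs

def ssl_trust_anchors(certs):
    """Nicknames whose SSL field contains C or T, i.e. usable as trust anchors."""
    return [n for n, t in certs.items() if set(t["ssl"]) & {"C", "T"}]

def describe(flags):
    """Human-readable meaning of one trust field."""
    return [FLAGS.get(f, "unknown flag " + f) for f in flags] or ["no trust set"]

if __name__ == "__main__":
    certs = parse_listing(LISTING)
    for nick, trust in certs.items():
        print(f"{nick}: SSL = {', '.join(describe(trust['ssl']))}")
    print("SSL trust anchors:", ssl_trust_anchors(certs) or "none")
```

On the listing as posted, no entry carries C or T in the SSL field, so the list of SSL trust anchors comes back empty.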
