Andrea Bontempi wrote:
I found the reason for the failure of the installation.

The script uses an NSS db located under /tmp:

-------------------------------------------------------------------------------
Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c
D.B.M. CA - dbmsrl.com                                       c,c,
testnick                                                     P,,
-------------------------------------------------------------------------------

The trust attributes are strange (not trusted) and the chain is broken:

-------------------------------------------------------------------------------
[root@dbm13 cert]# certutil -d [temp db] -O -n "Certificate Authority - dbmsrl.com"
"D.B.M. CA - dbmsrl.com" [O=dbmsrl.com,OU=office,OU=services,CN=D.B.M. CA]

   "Certificate Authority - dbmsrl.com" [CN=Certificate Authority,O=DBMSRL.COM]

[root@dbm13 cert]# certutil -d [temp db] -O -n "ipa-ca-agent"
"ipa-ca-agent" [CN=ipa-ca-agent,O=DBMSRL.COM]
-------------------------------------------------------------------------------

I tried exporting all the certificates in PEM format; if I check the signatures
with openssl, everything works perfectly...

The chain is valid, but NSS doesn't see it for the "ipa-ca-agent" certificate.

(sslget returns "SSL_ERROR_UNKNOWN_CA_ALERT" when the script tries to use this
certificate.)

Now I know what the problem is, but I don't know how to fix it XD

Can anyone help me?

This is basically what I saw too. I'm waiting on someone from the NSS team to get back to me. This must have something to do with the way that OpenSSL validates certs vs NSS. Apparently NSS is being more picky but I don't know why yet.

rob
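An added diagnostic, not code from the thread or from FreeIPA, that decodes the trust columns of the certutil -L listing quoted above and walks the ipa-ca-agent chain shown by certutil -O (the listing is re-typed here as a constructed sample). NSS only anchors a chain at a certificate carrying an explicit C or T flag in the usage column being validated, whereas openssl verify trusts every certificate handed to it via -CAfile, which is one reason the two tools can disagree on the same PEM files.

```python
import re

# Trust flag letters as documented for NSS certutil.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certs (SSL only, implies c)",
    "T": "trusted CA to issue client certs (implies c)",
    "u": "user cert (private key present)",
    "w": "send warning",
}
USAGES = ("SSL", "S/MIME", "JAR/XPI")

# Constructed sample mirroring the certutil -L listing in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c
D.B.M. CA - dbmsrl.com                                       c,c,
testnick                                                     P,,
"""

# nickname, 2+ spaces, then the three comma-separated trust columns
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_list(text):
    """Return {nickname: {"SSL": flags, "S/MIME": flags, "JAR/XPI": flags}}."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group("nick")] = dict(zip(USAGES, m.group("trust").split(",")))
    return entries


def is_trust_anchor(flags):
    """NSS anchors a chain only at a cert with an explicit trust flag (C or T)."""
    return "C" in flags or "T" in flags


def ssl_chain_diagnosis(entries, chain):
    """chain: nicknames leaf-to-root, as printed by certutil -O. Returns (anchor, notes)."""
    notes, anchor = [], None
    for nick in chain:
        ssl = entries[nick]["SSL"]
        meanings = [FLAG_MEANING[f] for f in ssl] or ["no flags"]
        notes.append(f"{nick}: SSL={ssl!r} ({'; '.join(meanings)})")
        if anchor is None and is_trust_anchor(ssl):
            anchor = nick
    if anchor is None:
        notes.append("no certificate in this chain is an SSL trust anchor "
                     "(needs C or T in the SSL column) -> NSS reports unknown CA")
    return anchor, notes
```

Run against the sample, the chain ipa-ca-agent -> Certificate Authority - dbmsrl.com -> D.B.M. CA - dbmsrl.com has no anchor, because the root carries only "c" (valid CA) rather than "C"/"T" in the SSL column.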

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users