Prashant Bapat wrote:
Thanks for the reply.
The ipa-server-certinstall did require that I have the cert and the CA
cert in a PEM file and the key in another PEM file. And the command went
But afterwards the HTTP service stopped working. Only way I could get it
to start again was to set NSSEnforceValidCerts off in
Below is the error message from the logs.
[Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL
Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG
with 144 bytes of entropy
[Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing
(virtual) servers for SSL
[Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify
certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
so the server can start until the problem can be resolved.
The error is that you are trying to use a certificate for SSL that
doesn't have the usage flags to allow being used as a server. The
nickname Signing-Cert suggests this is an object-signing cert. I'd
suggest using certutil to look at the NSS database in /etc/httpd/alias
to see what certs are installed and reconfigure mod_nss to use the
On the turning off SSL, I did try with what you are suggesting. A load
balancer with the commercial CA and HTTPS from LB to the server behind
it and it worked! Only problem is, I will have to have 1 load
balancer for each of the servers. This is because I used naming like
ipa.example.com and ipa2.example.com etc. for the IPA servers. These are all
replicas and their name has to match what's on the LB.
Why not get a 3rd party cert with multiple SAN, one for each IPA master?
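The usage check behind the -8102 error above, as an added example that is not part of the thread or of FreeIPA's own tooling: NSS reports SEC_ERROR_INADEQUATE_KEY_USAGE (-8102) when the certificate's keyUsage or extendedKeyUsage extensions do not permit TLS server use. The script below takes the human-readable dump that either `certutil -L -d /etc/httpd/alias -n <nickname>` or `openssl x509 -in cert.pem -noout -text` prints (both spell the serverAuth EKU as "TLS Web Server Authentication" and the key-usage bits as "Digital Signature" / "Key Encipherment") and applies the RFC 5280 rule: an absent extendedKeyUsage permits any purpose, a present one must list serverAuth. The three certificate dumps embedded in it are constructed samples, not output from the poster's server, and the nickname Signing-Cert is reused only as a label.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether mod_nss would reject a
# certificate with -8102 SEC_ERROR_INADEQUATE_KEY_USAGE, from the text dump
# produced by "certutil -L -d <dbdir> -n <nickname>" or
# "openssl x509 -in <cert.pem> -noout -text".

# classify_cert DUMP
#   prints "usable" or "unusable: <reason>"; returns 0 or 1 accordingly
classify_cert() {
    dump="$1"
    # RFC 5280: if extendedKeyUsage is present it must contain serverAuth
    # (or anyExtendedKeyUsage) for the cert to serve TLS; if absent, any
    # purpose is allowed.
    if printf '%s\n' "$dump" | grep -q 'Extended Key Usage'; then
        if ! printf '%s\n' "$dump" | grep -Eq 'TLS Web Server Authentication|Any Extended Key Usage'; then
            echo 'unusable: extendedKeyUsage present but lacks serverAuth'
            return 1
        fi
    fi
    # keyUsage, when present, must let the server either sign the handshake
    # (digitalSignature) or decrypt the premaster secret (keyEncipherment).
    # "Certificate Key Usage" is certutil's label, "X509v3 Key Usage" openssl's.
    if printf '%s\n' "$dump" | grep -Eq 'Certificate Key Usage|X509v3 Key Usage'; then
        if ! printf '%s\n' "$dump" | grep -Eq 'Digital Signature|Key Encipherment'; then
            echo 'unusable: keyUsage allows neither digitalSignature nor keyEncipherment'
            return 1
        fi
    fi
    echo usable
    return 0
}

# Constructed sample 1 (certutil-style): an object-signing cert such as the
# one the nickname "Signing-Cert" suggests; EKU is Code Signing only.
SIGNING_DUMP=$(cat <<'EOF'
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
            Name: Extended Key Usage
                Code Signing Certificate
EOF
)

# Constructed sample 2 (certutil-style): a proper TLS server cert.
SERVER_DUMP=$(cat <<'EOF'
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
EOF
)

# Constructed sample 3: a cert carrying no usage extensions at all, which
# RFC 5280 treats as unrestricted.
NOEXT_DUMP=$(cat <<'EOF'
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "ipa.example.com"
EOF
)

# Usage demo: print a verdict for each constructed sample.
for sample in "$SIGNING_DUMP" "$SERVER_DUMP" "$NOEXT_DUMP"; do
    classify_cert "$sample" || :   # "|| :" keeps a non-zero verdict from aborting under set -e
done
```

To run it against a real NSS database, pipe the dump in, e.g. `classify_cert "$(certutil -L -d /etc/httpd/alias -n Signing-Cert)"`; a result other than "usable" means the cert should be replaced rather than masked with NSSEnforceValidCerts off.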
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project