Prashant Bapat wrote:
Hi Rob,

Thanks for the reply.

The ipa-server-certinstall did require that I have the cert and the CA
cert in a PEM file and the key in another PEM file. And the command went
through successfully.

But afterwards the HTTP service stopped working. The only way I could get it
to start again was to set NSSEnforceValidCerts off in
/etc/httpd/conf.d/nss.conf.

Below is the error message from the logs.

[Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL
Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG
with 144 bytes of entropy
[Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing
(virtual) servers for SSL
[Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify
certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
so the server can start until the problem can be resolved.

The error is that you are trying to use a certificate for SSL that doesn't have the usage flags to allow being used as a server. The nickname Signing-Cert suggests this is an object-signing cert. I'd suggest using certutil to look at the NSS database in /etc/httpd/alias to see what certs are installed and reconfigure mod_nss to use the correct nickname.

On the turning off SSL, I did try with what you are suggesting. A load
balancer with the commercial CA and HTTPS from LB to the server behind
it, and it works! The only problem is, I will have to have 1 load
balancer for each of the servers. This is because I used naming like
ipa.example.com and ipa2.example.com etc. for the IPA servers. These are all
replicas and their name has to match what's on the LB.

Why not get a 3rd party cert with multiple SAN, one for each IPA master?

rob
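One way to carry out the certutil check suggested above, as an added example that is not code from the thread or from FreeIPA: the function reads certutil's pretty-printed certificate and reports whether its Key Usage and Extended Key Usage permit TLS server use, which is the check behind NSS error -8102. The sample certificate text is constructed, and the rule applied is a simplification of NSS's key-type-dependent one.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a cert in the mod_nss
# database can serve TLS, i.e. the check that fails with NSS error -8102.
# Simplification (assumption): NSS's real rule also depends on the key type.

# Reads certutil's pretty-printed certificate (certutil -L -d <dir> -n <nick>)
# on stdin. Returns 0 if Key Usage and Extended Key Usage allow TLS server use,
# 1 otherwise, printing the reason either way.
cert_allows_tls_server() {
    awk '
        /Name: Certificate Key Usage/ { sect = "ku";  next }
        /Name: Extended Key Usage/    { sect = "eku"; next }
        /Name:|Signature Algorithm|Fingerprint/ { sect = "" }
        sect == "ku"  { has_ku = 1;  if (/Key Encipherment|Key Agreement/) ku_ok = 1 }
        sect == "eku" { has_eku = 1; if (/TLS Web Server Authentication/) eku_ok = 1 }
        END {
            if (has_ku && !ku_ok)   { print "Key Usage lacks Key Encipherment/Key Agreement"; exit 1 }
            if (has_eku && !eku_ok) { print "Extended Key Usage lacks TLS Web Server Authentication"; exit 1 }
            print "usable as a TLS server certificate"
        }'
}

# On the server from the thread (nickname = the one mod_nss is configured with):
#   certutil -L -d /etc/httpd/alias                    # list nicknames and trust flags
#   certutil -L -d /etc/httpd/alias -n Signing-Cert | cert_allows_tls_server

# Constructed sample: extensions of an object-signing cert, in certutil's print format.
sample_signing_cert() {
    cat <<'EOF'
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature

            Name: Extended Key Usage
                Code Signing Certificate
EOF
}

# Constructed sample: extensions of a cert that can serve HTTPS.
sample_server_cert() {
    cat <<'EOF'
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
EOF
}

sample_signing_cert | cert_allows_tls_server || echo "rejected: matches the -8102 error"
sample_server_cert  | cert_allows_tls_server    # accepted (exit status 0)
```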

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project