barry...@gmail.com wrote:
Where is it?
Could you advise?
My old cert is GoDaddy
And new cert is Comodo


Please keep responses on the list.

$ ldapsearch -LLL -x -D 'cn=directory manager' -W -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL

If the result doesn't match the nickname of your new cert then your simplest solution is:

# ipactl stop
# <favorite editor> /etc/dirsrv/slapd-REALM/dse.ldif

Find nsSSLPersonalitySSL and replace the value with the right one.

# ipactl start

rob
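
A read-only way to check for the mismatch described above, as an added example that is not part of the original thread: it reads nsSSLPersonalitySSL from the text of dse.ldif and looks that nickname up in saved `certutil -L` output. The function names and the sample data are constructed for illustration; on a real server the inputs are assumed to be /etc/dirsrv/slapd-REALM/dse.ldif and the output of `certutil -L -d /etc/dirsrv/slapd-REALM`.

```shell
#!/bin/sh
# Added example; file contents below are constructed, not from the thread.

# Print nsSSLPersonalitySSL from the cn=RSA,cn=encryption,cn=config entry.
# LDIF folds long values: a continuation line starts with one space.
ldif_personality() {
    awk '
        function emit() {
            if (buf == "") { in_rsa = 0; return }      # blank line ends an entry
            if (tolower(buf) ~ /^dn: *cn=rsa,cn=encryption,cn=config$/) in_rsa = 1
            else if (in_rsa && tolower(buf) ~ /^nssslpersonalityssl:/) {
                sub(/^[^:]*: */, "", buf); print buf
            }
        }
        /^ / { buf = buf substr($0, 2); next }         # unfold a continuation line
        { emit(); buf = $0 }
        END { emit() }' "$1"
}

# Print "flags<TAB>nickname" for each certificate row of saved `certutil -L` output.
# Nicknames may contain spaces and commas, so only the last field is the flags.
certutil_rows() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF; sub(/[ \t]+[^ \t]+[ \t]*$/, ""); print flags "\t" $0 }' "$1"
}

# check_personality DSE_LDIF CERTUTIL_LISTING -> ok | unset | missing | nokey
check_personality() {
    nick=$(ldif_personality "$1")
    [ -n "$nick" ] || { echo unset; return 1; }
    flags=$(certutil_rows "$2" | awk -F'\t' -v n="$nick" '$2 == n { print $1; exit }')
    case "$flags" in
        "")      echo missing; return 1 ;;   # nickname not in the database
        *u*,*,*) echo ok ;;                  # "u" in the SSL field: private key present
        *)       echo nokey; return 1 ;;     # CA-style entry, no usable server key
    esac
}

# Constructed sample: config still names the old nickname (folded in the LDIF).
tmp=$(mktemp -d)
printf '%s\n' 'dn: cn=RSA,cn=encryption,cn=config' 'cn: RSA' \
    'nsSSLPersonalitySSL: *.example.test - Old' '  CA, Inc.' '' > "$tmp/dse.ldif"
printf '%s\n' 'Certificate Nickname          Trust Attributes' \
    '                              SSL,S/MIME,JAR/XPI' '' \
    '*.example.test - New CA Limited          u,u,u' \
    'New CA Root                              CT,C,C' > "$tmp/certs.txt"
check_personality "$tmp/dse.ldif" "$tmp/certs.txt" || true    # prints: missing
```

A result of "missing" corresponds to the "Can't find certificate" alert in the quoted log, and "nokey" to a nickname that exists but has no private key in that database.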

On July 6, 2015 at 11:52 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
 >
 > barry...@gmail.com wrote:
 >>
 >> Where can I check the config of nss?
 >>
 >> I modified the nssdb and imported cert successfully.
 >>
 >> Should I change any ldif?
 >
 >
 > I already told you in my initial reply:
 >
 >
 > Check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config.
 > This is the NSS nickname of the server certificate to use.
 >
 > rob
 >
 >>
 >> Many thanks
 >>
 >> On July 6, 2015 at 11:44 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
 >>
 >>
 >> barry...@gmail.com wrote:
 >>
 >>         Do you mean this:
 >>
 >>         I already added the cert to nss and even \etc\ipa\ ca.cert replaced
 >>
 >>
 >>         [root@(LIVE) slapd-Wwww-COM]$   certutil -d /etc/pki/nssdb  -L
 >>
 >>         Certificate Nickname                              Trust Attributes
 >>                                                           SSL,S/MIME,JAR/XPI
 >>
 >>         COMODO RSA Domain Validation Secure Server CA     CT,C,C
 >>         IPA CA                                            CT,C,C
 >>         COMODO RSA Certification Authority                CT,C,C
 >>
 >>
 >>     This has no relationship to the error you're seeing. This database
 >>     is not used by either Apache or 389-ds.
 >>
 >>     NSS uses nicknames to reference a given certificate. This nickname
 >>     needs to exist in its database. I'm guessing that you changed the
 >>     database, and therefore the nickname in the database, without also
 >>     updating the server configuration with this new nickname.
 >>
 >>     rob
 >>
 >>
 >>
 >>         2015-07-06 21:39 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
 >>
 >>         barry...@gmail.com wrote:
 >>
 >>                  The cert is already on the httpd / ldap side, but it prompts an error
 >>
 >>                  [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
 >>                  [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
 >>
 >>                  *.wisers.com - COMODO CA Limited                  u,u,u
 >>                  COMODO RSA Domain Validation Secure Server CA     CT,C,C
 >>                  COMODO RSA Certification Authority                CT,C,C
 >>
 >>
 >>              Taking a wild guess here due to limited information, but check the
 >>              value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
 >>              is the NSS nickname of the server certificate to use.
 >>
 >>              rob
 >>
 >>
 >>
 >>                  2015-07-06 20:01 GMT+08:00 <barry...@gmail.com>:
 >>
 >>
 >>                       Hi:
 >>
 >>                       I changed the cert already but it seems it still keeps
 >>                       history of GoDaddy. Any help?
 >>
 >>
 >>                       www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
 >>                       [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
 >>                       [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
 >>                       [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
 >


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
