On 07/10/2015 04:36 PM, Natxo Asenjo wrote:
hi,

Earlier today I was reading a post about the new FreeIPA version on my mobile
device and got plenty of warnings about an invalid certificate. On a Fedora
laptop there were no warnings, but this is the problem:

$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
*   Trying 54.227.25.77...
* Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
* Server certificate:
*     subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*     start date: Jul 16 00:00:00 2014 GMT
*     expire date: Jul 19 12:00:00 2016 GMT
*     common name: www.freeipa.org
*     issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

You need to add the intermediate DigiCert certificate, it seems.

Hello Natxo,

Sorry for the late reply, I just returned from a longer PTO... I checked the site and finally figured out how to stuff the intermediate certificate to our OpenShift instance.

The issue now appears to be fixed, please try it and push back if it isn't :-)

Enjoy!
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
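
The failure mode discussed in this thread (a server presenting its leaf certificate without the intermediate that links it to a trusted root) can be reproduced offline. The following is an added example, not part of the original messages or of the FreeIPA site configuration; the three-certificate PKI, the `example-*` names and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI (all names made up): root CA -> intermediate CA -> leaf.
# Reproduces the "issuer not recognized" failure seen when a server omits its intermediate.

build_pki() {  # $1 = working directory
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -subj "/CN=example-$n" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
  done
  # Self-signed root, intermediate signed by root, leaf signed by intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
      -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" >/dev/null 2>&1 &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -set_serial 2 -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" >/dev/null 2>&1 &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
      -set_serial 3 -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# Client trusts only the root and receives only the leaf (the broken server setup).
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Same trust store, but the intermediate is supplied as an untrusted helper,
# which is what a server does when it sends leaf + intermediate in the handshake.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_pki "$d" || { echo "openssl failed to build the test PKI"; return 1; }
  verify_leaf_only "$d" && echo "leaf only: OK" || echo "leaf only: FAILED (unknown issuer)"
  verify_with_intermediate "$d" && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAILED"
  rm -rf "$d"
}
demo
```

Against a live host, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.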
