I tried to install a wildcard SSL certificate for HTTP/LDAP in our
FreeIPA 4.1 (Centos 7.1) installation by following instructions from
wiki page at
# ipa-server-certinstall -w -d shdc01.ipa.wandisco.com.pem
Directory Manager password:
Enter private key unlock password:
Command /usr/bin/certutil' '-d' '/etc/httpd/alias' '-D' '-n'
'Server-Cert returned non-zero exit status 255
After this I was unable to start httpd service, error_log revealed the
following error messages:
[Wed Nov 25 18:15:44.262751 2015] [:error] [pid 22124] Certificate not
In order to resurrect the service I had to change NSSNickname in
/etc/httpd/conf.d/nss.conf to match the new certificate's nickname.
Although the httpd service started, I couldn't get into Authentication
tab in FreeIPA UI - I kept getting the following error message: "Unable
to communicate with CMS (Service Unavailable)".
[root@shdc01 ~]# yum list installed | grep ipa-server
ipa-server.x86_64 4.1.0-18.el7.centos.4 @updates
[root@shdc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
At this point I was forced to restore our FreeIPA installation from a
snapshot as I wasn't able to fix it (I got some useful hints from
#freeipa Freenode channel however we still didn't manage to fully
resurrect the server).
My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?
Many thanks in advance.
BTW, I also added a comment describing this problem to the ticket at
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project