Hello David,

Am Donnerstag, 26. Mai 2016, 08:09:17 CEST schrieb David Kupka:
> On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > can any help to find the correct way to configure a Webserver with IPA.
> > (mod_nss)
> > 
> > I can't create a correct DB in /etc/httpd/alias
> > 
> > I search on the INet and read the install Log from ipa-server but it is
> > for me not possible to found a working way :-(.
> > 
> > Thanks for a answer ?
> 
> Hello Günther,
> 
> I'm not sure if I understand your question. What I take from you message is:
> 
> I want a IPA webserver with NSSDB in /etc/httpd/alias.

;-) No and Yes.

I want a new  WEBSERVER on a ipa-client with IPA Certificate ?

Afterward I like to create a "DANE" Entry from this Certificate for this 
webserver ?

Bat I fail with the first configuration
 
> The answer then is:
> 
> ipa-server-install creates that DB for apache and populates it with
> certificates. So there is nothing to do.

Yes, and I can't found the way IPA  create this ...
 
>  From one of my test servers:
> 
> # certutil -d /etc/httpd/alias/ -L
> 
> Certificate Nickname                                         Trust
> Attributes
> 
> SSL,S/MIME,JAR/XPI
> 
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> EXAMPLE.TEST IPA CA                                       CT,C,C
> Signing-Cert                                                 u,u,u
> 
> 
> If this is not what you was asking please try to explain what you want
> to achieve with more details.

Thanks David for the answer,

I have on the Master also

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
XXXX.XXX CA                                              CT,C,C

and on the replica this,

Server-Cert                                                  u,u,u
XXXX.XXX IPA CA                                              CT,C,C
ipaCert                                                      u,u,u

I mean I must have a NSSDB like this from the replica, on my Webserver ? 

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to