Yes, you're right, I was also surprised by the subject of the error.
I made changes in the /etc/httpd/conf.d/nss.conf file.
I changed
Listen 443 to Listen 8443
and
<VirtualHost _default_:443> to <VirtualHost _default_:8443>
as it was in the /etc/httpd/conf.d/nss.conf file before the update.

On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> seli irithyl wrote:
>
>> # getcert list
>> returns 9 request ID. All 9 are in status "MONITORING" and expire after
>> 2017.
>> So no expired certificate.
>>
>> Number of certificates and requests being tracked: 9.
>>
> [snip]
>
>> Request ID '20150313092456':
>>      status: MONITORING
>>      stuck: no
>>      key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>      certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>      CA: IPA
>>      issuer: CN=Certificate Authority,O=BIOINF.LOCAL
>>      subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
>>      expires: 2017-03-13 09:24:56 UTC
>>      key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>      pre-save command:
>>      post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>      track: yes
>>      auto-renew: yes
>>
>
> [ more snip ]
>
>>     > Unfortunately when trying to run any ipa command:
>>     > [root@lead ~]# ipa service-find lead.bioinf.local
>>     > ipa: ERROR: cert validation failed for
>>     > "E=root@lead.bioinf.local
>> ,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--"
>>     > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
>>     > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json':
>>     > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
>>
>
> Note that the subject of the certmonger-tracked certificate is different
> from the subject reported in the error. This looks like a default
> mod_ssl-generated certificate to me. Did you tweak your Apache config?
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
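
Added example, not part of the original thread and not FreeIPA code: a Python sketch of the comparison Rob makes by eye, checking whether the subject named in the ipa error belongs to any certificate certmonger tracks. The sample text is constructed from the values quoted above; the unwrapped `getcert list` layout and all function names are assumptions.

```python
import re

# Constructed sample: one tracked request from the thread, unwrapped.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 9.
Request ID '20150313092456':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=BIOINF.LOCAL
    subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
    expires: 2017-03-13 09:24:56 UTC
"""

# Constructed sample: the error from the thread, joined onto one line.
IPA_ERROR = ('ipa: ERROR: cert validation failed for '
             '"E=root@lead.bioinf.local,CN=lead.bioinf.local,'
             'OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,'
             'ST=SomeState,C=--" '
             '((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)')

def parse_getcert(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def normalize_dn(dn):
    """Order- and case-insensitive form of a DN: a set of (attr, value)."""
    parts = (p.partition("=") for p in re.split(r"(?<!\\),", dn))
    return frozenset((k.strip().upper(), v.strip().lower())
                     for k, _, v in parts if k.strip())

def served_subject(error_line):
    """Extract the quoted subject DN from the ipa client error."""
    m = re.search(r'cert validation failed for\s+"([^"]+)"', error_line)
    return m.group(1) if m else None

def tracked_by(requests, dn):
    """Request IDs whose tracked subject equals the given DN."""
    want = normalize_dn(dn)
    return [rid for rid, fields in requests.items()
            if normalize_dn(fields.get("subject", "")) == want]

if __name__ == "__main__":
    reqs = parse_getcert(GETCERT_OUTPUT)
    hits = tracked_by(reqs, served_subject(IPA_ERROR))
    print("tracked by certmonger:", hits or "no request matches served subject")
```

An empty result means the certificate answering on the port the client contacts is not one certmonger manages, which points at the web server configuration rather than at certificate expiry.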
