seli irithyl wrote:
Yes, you're right, I was also surprised by the subject of the error.
I made changes in the /etc/httpd/conf.d/nss.conf file.
I changed
Listen 443 to Listen 8443
and
<VirtualHost _default_:443> to <VirtualHost _default_:8443>
as it was in the /etc/httpd/conf.d/nss.conf file before the update.


You have to change it back. mod_nss must listen on 443.

rob


On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    seli irithyl wrote:

        # getcert list
        returns 9 request IDs. All 9 are in status "MONITORING" and expire after 2017.
        So no expired certificate.

        Number of certificates and requests being tracked: 9.

    [snip]

        Request ID '20150313092456':
              status: MONITORING
              stuck: no
              key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
              certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
              CA: IPA
              issuer: CN=Certificate Authority,O=BIOINF.LOCAL
              subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
              expires: 2017-03-13 09:24:56 UTC
              key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
              eku: id-kp-serverAuth,id-kp-clientAuth
              pre-save command:
              post-save command: /usr/lib64/ipa/certmonger/restart_httpd
              track: yes
              auto-renew: yes


    [ more snip ]

             > Unfortunately when trying to run any ipa command:
             > [root@lead ~]# ipa service-find lead.bioinf.local
             > ipa: ERROR: cert validation failed for "E=root@lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
             > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.


    Note that the subject of the certmonger-tracked certificate is
    different from the subject reported in the error. This looks like a
    default mod_ssl-generated certificate to me. Did you tweak your
    Apache config?

    rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
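
The check made by eye in this thread (the subject in the ipa error against the subjects certmonger tracks, plus the port mod_nss listens on) can be scripted. This is an added example, not code from the thread or from FreeIPA; the function names are hypothetical and the sample inputs are constructed, abridged from the output quoted above.

```python
import re

# Constructed sample input, abridged from the output quoted in the thread.
GETCERT_LIST = """\
Request ID '20150313092456':
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=BIOINF.LOCAL
    subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
"""
IPA_ERROR = ('ipa: ERROR: cert validation failed for '
             '"E=root@lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,'
             'O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" '
             '((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)')
NSS_CONF = "Listen 8443\n<VirtualHost _default_:8443>\n</VirtualHost>\n"  # the edit described above

def rdns(dn):
    """Split a simple DN (no escaped commas) into (ATTR, value) pairs, ignoring order."""
    return frozenset((k.strip().upper(), v.strip().lower())
                     for k, v in (p.split("=", 1) for p in dn.split(",") if "=" in p))

def tracked_subjects(getcert_output):
    """Map certmonger request ID -> subject DN from `getcert list` text."""
    out, req = {}, None
    for line in getcert_output.splitlines():
        m = re.match(r"Request ID '(\d+)':", line.strip())
        if m:
            req = m.group(1)
        elif req and line.strip().startswith("subject:"):
            out[req] = line.split(":", 1)[1].strip()
    return out

def served_subject(ipa_error):
    """Pull the quoted subject DN out of the 'cert validation failed for' error."""
    m = re.search(r'cert validation failed for\s+"([^"]+)"', ipa_error)
    return m.group(1) if m else None

def listen_ports(conf_text):
    """Ports named by Listen directives in an Apache config fragment."""
    return [int(p) for p in re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)\s*$", conf_text, re.M)]

def diagnose(getcert_output, ipa_error, nss_conf):
    served = served_subject(ipa_error)
    matches = [r for r, s in tracked_subjects(getcert_output).items()
               if served and rdns(s) == rdns(served)]
    return {"served": served, "tracked_match": matches,
            "mod_nss_on_443": 443 in listen_ports(nss_conf)}

if __name__ == "__main__":
    print(diagnose(GETCERT_LIST, IPA_ERROR, NSS_CONF))
```

An empty tracked_match together with mod_nss_on_443 being False is the situation in this thread: the certificate answering on 443 is not one certmonger manages.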
