seli irithyl wrote:
Yes, you're right, I was also surprised by the subject of the error.
I made changes in the /etc/httpd/conf.d/nss.conf file.
I changed
Listen 443 to Listen 8443
<VirtualHost _default_:443> to <VirtualHost _default_:8443>
as it was in the /etc/httpd/conf.d/nss.conf file before the update.

You have to change it back. mod_nss must listen on 443.


On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden <
<>> wrote:

    seli irithyl wrote:

        # getcert list
        returns 9 request ID. All 9 are in status "MONITORING" and
        expire after
        So no expired certificate.

        Number of certificates and requests being tracked: 9.


        Request ID '20150313092456':
              status: MONITORING
              stuck: no
              key pair storage:
        Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        Certificate DB'
              CA: IPA
              issuer: CN=Certificate Authority,O=BIOINF.LOCAL
              subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
              expires: 2017-03-13 09:24:56 UTC
              key usage:
              eku: id-kp-serverAuth,id-kp-clientAuth
              pre-save command:
              post-save command: /usr/lib64/ipa/certmonger/restart_httpd
              track: yes
              auto-renew: yes

    [ more snip ]

             > Unfortunately when trying to run any ipa command:
             > [root@lead ~]# ipa service-find lead.bioinf.local
             > ipa: ERROR: cert validation failed for
             > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
             > ipa: ERROR: cannot connect to
             > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.

    Note that the subject of the certmonger-tracked certificate is
    different from the subject reported in the error. This looks like a
    default mod_ssl-generated certificate to me. Did you tweak your
    Apache config?


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to