Hi,

it looks like the NSS db for slapd-ABX-com does not contain the full cert chain. You can run certutil -L -d /etc/dirsv/slapd-ABX-com and check if there is a certificate for your issuer, and if it has the C,, flags at least.

For instance, in my setup I am using ca2/server certificate for slapd, and this certificate was issued by ca2:
$ certutil -L -d /etc/dirsrv/slapd-xxx

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca2/server                                                   u,u,u
ca2                                                          C,,

Flo.

On 06/29/2016 12:26 PM, barry...@gmail.com wrote:
It is version 3.0, so those commands cannot be used.

2016-06-25 2:06 GMT+08:00 Florence Blanc-Renaud <fren...@redhat.com>:

    Hi

    Disclaimer: I'm new on this mailing list but willing to share
    experience :)

    Did you use "ipa-cacert-manage install -t C,," to install your
    external CA certificate? This command copies the certificate in
    cn=certificates,cn=ipa,cn=etc,dc=xxx

    After this, you can use ipa-certupdate which will put the CA cert in
    all the needed NSS databases and update the nickname where needed.

    Flo.


    On 06/23/2016 04:54 AM, barry...@gmail.com wrote:

        Hi:

        I renewed the external CA cert below... the server cert seems OK.

        But the CA cert fails.
        I already pasted it in
        /etc/httpd/alias
        /etc/dirsrv/slapd-PKI-IPA
        /etc/dirsv/slapd-ABX-com
        /var/lib/pki-ca/alias 's CA conf

        any idea?

        ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)




    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project
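
Added example (not part of the original thread): the check described in the top reply, that the issuer's certificate is present in the NSS database and carries at least the C,, flags, scripted over certutil -L output. The function names, the sample listing and every nickname other than ca2 and ca2/server are constructed for illustration.

```shell
#!/bin/sh
# ca_trust_status NICKNAME
# Reads `certutil -L -d <dbdir>` output on stdin and prints one of:
#   trusted            nickname present, SSL trust field contains C
#   untrusted:<flags>  nickname present, but not a trusted CA for SSL
#   missing            nickname not in the database listing
# Real use: certutil -L -d /etc/dirsrv/slapd-xxx | ca_trust_status ca2
ca_trust_status() {
    awk -v want="$1" '
        # Data rows end in a trust triple such as "u,u,u" or "C,,";
        # the two header rows do not match this pattern.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the flags column
            sub(/^[ \t]+/, "", nick)               # nicknames may contain spaces
            if (nick == want) {
                split($NF, f, ",")                 # f[1] = SSL trust field
                result = (f[1] ~ /C/) ? "trusted" : "untrusted:" $NF
            }
        }
        END { print (result == "" ? "missing" : result) }
    '
}

# Constructed listing in the layout certutil -L prints (not real output).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca2/server                                                   u,u,u
ca2                                                          C,,
Constructed Old CA                                           ,,
EOF
}

# Report each nickname; the last one is absent from the listing on purpose.
for n in ca2 ca2/server "Constructed Old CA" "Some Other CA"; do
    printf '%s: %s\n' "$n" "$(sample_listing | ca_trust_status "$n")"
done
```

A result of missing or untrusted for the issuer nickname corresponds to the "Peer's Certificate issuer is not recognized" error quoted in the thread.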


