On 08/23/2016 10:25 PM, Z D wrote:
> Hi there, is it possible to have a cert (say from VeriSign) for a IPA host 
> and 
> use it for httpd (Web GUI), without breaking anything else? I've acquired one 
> and added it to nssdb (/etc/httpd/alias).
> 
> 
> # certutil -L -d /etc/httpd/alias
> Certificate Nickname                                         Trust Attributes
>                                                               
> SSL,S/MIME,JAR/XPI
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> COMP.COM IPA CA                                         CT,C,C
> Signing-Cert                                                 u,u,u
> CA-LDAP01-CHAINED                                            u,u,u
> Comp SSL CA - G2 - VeriSign, Inc.                          ,,
> 
> 
> It's now used in /etc/httpd/conf.d/nss.conf and the cert looks good via a 
> browser. But it's breaking something, since I see this:
> 
> # ipa user-show admin
> ipa: ERROR: cert validation failed for 
> "CN=ca-ldap01.comp.com,OU=Corp,O=Corporation,L=City,ST=California,C=US" 
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as 
> not 
> trusted by the user.)
> ipa: ERROR: cannot connect to 'https://ca-ldap01.comp.com/ipa/json': 
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
> trusted by the user.
> 
> 
> Adding this cert to /etc/dirsrv/slapd-CORP-COM/ nssdb didn't resolve the 
> issue. 
> Thanks for any advice.
> 
> Zarko
> 
> 
> 

The recommended procedure is to use ipa-server-certinall utility:
  https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

But in recent versions of Fedora and RHEL it still suffers from
https://bugzilla.redhat.com/show_bug.cgi?id=1360813 The bugzilla nicely
outlines the necessary manual workarounds.



-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to