On 08/23/2016 10:25 PM, Z D wrote:
> Hi there, is it possible to have a cert (say from VeriSign) for an IPA host
> and use it for httpd (Web GUI), without breaking anything else? I've acquired one
> and added it to nssdb (/etc/httpd/alias).
>
> # certutil -L -d /etc/httpd/alias
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> ipaCert                                       u,u,u
> Server-Cert                                   u,u,u
> COMP.COM IPA CA                               CT,C,C
> Signing-Cert                                  u,u,u
> CA-LDAP01-CHAINED                             u,u,u
> Comp SSL CA - G2 - VeriSign, Inc.             ,,
>
> It's now used in /etc/httpd/conf.d/nss.conf and the cert looks good via a
> browser. But it's breaking something, since I see this:
>
> # ipa user-show admin
> ipa: ERROR: cert validation failed for
> "CN=ca-ldap01.comp.com,OU=Corp,O=Corporation,L=City,ST=California,C=US"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
> trusted by the user.)
> ipa: ERROR: cannot connect to 'https://ca-ldap01.comp.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
> trusted by the user.
>
> Adding this cert to /etc/dirsrv/slapd-CORP-COM/ nssdb didn't resolve the
> issue.
> Thanks for any advice.
>
> Zarko
The recommended procedure is to use the ipa-server-certinstall utility:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

But in recent versions of Fedora and RHEL it still suffers from
https://bugzilla.redhat.com/show_bug.cgi?id=1360813

The bugzilla nicely outlines the necessary manual workarounds.
--
Petr Vobornik
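A small diagnostic for the situation in the thread, added here as an example and not part of either message or of FreeIPA itself: it reads a `certutil -L` listing and prints every CA entry the database holds without trusting it to sign server certificates (no C or T in the SSL trust column), which is what produces SEC_ERROR_UNTRUSTED_ISSUER when that CA shows up in a peer's chain. The listing below is a constructed copy of the one Zarko posted; the function name is my own.

```shell
#!/bin/sh
# Constructed sample: the /etc/httpd/alias listing from the question.
SAMPLE='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ipaCert                                       u,u,u
Server-Cert                                   u,u,u
COMP.COM IPA CA                               CT,C,C
Signing-Cert                                  u,u,u
CA-LDAP01-CHAINED                             u,u,u
Comp SSL CA - G2 - VeriSign, Inc.             ,,'

# untrusted_issuers (hypothetical helper): read a `certutil -L -d <dir>`
# listing on stdin and print the nickname of each entry whose SSL trust
# flags carry neither C (trusted CA) nor T (trusted CA for client certs).
# Entries flagged u (our own key-backed certs) or p/P (trusted peers, not
# issuers) are skipped. Header lines never match the flag pattern.
untrusted_issuers() {
    awk '
        # the last field must look like <ssl>,<smime>,<jar/xpi> flags
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, f, ",")
            ssl = f[1]
            if (ssl ~ /[upP]/) next      # leaf or peer cert, not an issuer
            if (ssl ~ /[CT]/) next       # already trusted to sign servers
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flags column
            print nick
        }'
}

# Real use: certutil -L -d /etc/httpd/alias | untrusted_issuers
printf '%s\n' "$SAMPLE" | untrusted_issuers
```

On the sample it reports only the VeriSign intermediate, whose ",," flags mean it is stored but not trusted; an entry that has been given C flags (for example with `certutil -M -t "C,,"`) produces no output.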
