Hello,

FreeIPA 4.3.1

I have now installed a 3rd-party certificate from StartCom, and now my IPA is totally broken?

I did this:

    ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install root.crt
    ipa-certupdate
    ipa-server-certinstall -w -d ipa_3rd_ca.p12

I created this p12 with key.pem, cert.pem and root.crt. I also inserted the intermediate.crt into cert.pem.

Kerberos doesn't start anymore? The error is:

    Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM'

After inserting "NSSEnforceValidCerts off" in nss.conf, ipactl restart is starting (?), but ipactl status tells me:

    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-ods-exporter Service: STOPPED
    ods-enforcerd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

With certutil -d /etc/httpd/alias -L I now have this:

    Certificate Nickname                 Trust Attributes
                                         SSL,S/MIME,JAR/XPI

    Signing-Cert                         u,u,u
    4GJN_CA_FILE                         u,u,u
    ipaCert                              u,u,u
    4GJN.COM IPA CA                      CT,C,C
    STARTCOM-ROOT                        C,,

I can insert in nss.conf the original #NSSNickname "Signing-Cert" or NSSNickname 4GJN_CA_FILE, but all is now broken?

I also added this, found in Bugzilla:

    certutil -d /var/lib/pki/pki-tomcat/alias -L

    Certificate Nickname                 Trust Attributes
                                         SSL,S/MIME,JAR/XPI

    ocspSigningCert cert-pki-ca          u,u,u
    subsystemCert cert-pki-ca            u,u,u
    caSigningCert cert-pki-ca            CTu,Cu,Cu
    Server-Cert cert-pki-ca              u,u,u
    auditSigningCert cert-pki-ca         u,u,Pu
    STARTCOM-ROOT                        CT,,

This is created in certutil -d /etc/dirsrv/slapd-4GJN.COM -L:

    Certificate Nickname                 Trust Attributes
                                         SSL,S/MIME,JAR/XPI

    4GJN_CA_FILE                         u,u,u
    4GJN.COM IPA CA                      CT,C,C
    STARTCOM-ROOT                        C,,

Can anyone help a little, please ;-)

The bad problem: I tested this with my master server with DNS / DNSSEC. I can't do a new install (DNSSEC keys).

--
Best regards,
Günther J. Niederwimmer