On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
Freeipa 4.3.1

I have now install a 3rd Party Certificat from Startcom now my IPA is total
I make this

ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install


ipa-server-certinstall -w -d ipa_3rd_ca.p12

I create this p12 with key.pem, cert.pem root.crt

I insert also in the cert.pem the intermediate.crt


there were some issues with ipa-server-certinstall (see tickets #4785, #4786 and #6263). In order to check your configuration, you must make sure that the NSS DBs for Apache and the LDAP server (/etc/httpd/alias, /var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain: - the server certificate with flags u,u,u (= the one contained in ipa_3rd_ca.p12) - the certificate of the CA which signed the server certificate, with flags C,, (= the one contained in root.rt)

Then you can also check if the nickname for the server cert is properly set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute nsSSLPersonalitySSL).

If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may provide more information.

Also note that it is important to run ipa-certupdate on all the clients and replicas in order to install the new certificates in the NSS DBs *before* you run ipa-server-certinstall.

Hope this helps,

the kerberos don't start anymore ?
The Error Is
 Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm

after insert in nss.conf
"NSSEnforceValidCerts off"

ipactl restart  is starting (?) but

ipactl status tell me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

with certutil -d /etc/httpd/alias -L I have now this
Certificate Nickname                                         Trust Attributes

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,

I can  Insert in nss.conf by the
#NSSNickname "Signing-Cert" original
NSSNickname 4GJN_CA_FILE but all is now broken ?

I also add this, found in Bugzilla
 certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
STARTCOM-ROOT                                                CT,,

this is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                                         Trust Attributes

4GJN_CA_FILE                                                 u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,

Can any help a little, please ;-)

The bad Problem, I tested this with my master server with DNS / DNSSEC I can't
new install (DNSSEC Keys)

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to