On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:
Hello,
Freeipa 4.3.1
I have now installed a 3rd-party certificate from StartCom; now my IPA is totally
broken?
I did this:
ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install root.crt
ipa-certupdate
ipa-server-certinstall -w -d ipa_3rd_ca.p12
I created this p12 with key.pem, cert.pem and root.crt.
I also inserted intermediate.crt into cert.pem.
Hi,
there were some issues with ipa-server-certinstall (see tickets #4785,
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS
DBs for Apache and the LDAP server (/etc/httpd/alias,
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with
flags C,, (= the one contained in root.crt)
Then you can also check if the nickname for the server cert is properly
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute
nsSSLPersonalitySSL).
If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may
provide more information.
Also note that it is important to run ipa-certupdate on all the clients
and replicas in order to install the new certificates in the NSS DBs
*before* you run ipa-server-certinstall.
Hope this helps,
Flo.
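For the two checks Flo describes (server cert with u,u,u and signing CA with C in its SSL trust field, plus the NSSNickname directive pointing at a nickname that actually exists in /etc/httpd/alias), here is a small POSIX shell helper. It is an added example, not code from the thread or from FreeIPA; it does not call certutil itself but parses a saved "certutil -d <db> -L" listing and an nss.conf, so it runs offline. The listings and nss.conf fragments below are constructed, modelled on the nicknames in this thread; the LDAP-side check of nsSSLPersonalitySSL is not covered.

```shell
# parse_certutil_listing: read a "certutil -d <db> -L" listing on stdin and
# print one "<nickname><TAB><trust flags>" line per certificate.
# Nicknames may contain spaces ("4GJN.COM IPA CA"), so the trust flags are
# taken from the last column and everything before it is the nickname.
parse_certutil_listing() {
    awk '
        /^Certificate Nickname/ { next }   # table header
        NF < 2 { next }                     # blank line or "SSL,S/MIME,JAR/XPI"
        {
            flags = $NF
            $NF = ""
            sub(/[ \t]+$/, "")
            print $0 "\t" flags
        }'
}

# flags_of <listing-file> <nickname>: trust column for one nickname, or nothing.
flags_of() {
    parse_certutil_listing < "$1" | awk -F '\t' -v n="$2" '$1 == n { print $2; exit }'
}

# nss_nickname_of <nss.conf>: nickname from the active (uncommented) NSSNickname
# directive, quotes stripped. A "#NSSNickname" line never matches because $1
# is then "#NSSNickname".
nss_nickname_of() {
    awk '$1 == "NSSNickname" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_nssdb_trust <listing-file> <server-nick> <ca-nick>
# Returns 0 when the server cert is exactly u,u,u (private key present, no
# trust override) and the CA cert has C in its SSL trust field (C,, CT,,
# CT,C,C and CTu,Cu,Cu all qualify). Prints one line per problem found.
check_nssdb_trust() {
    server_flags=$(flags_of "$1" "$2")
    ca_flags=$(flags_of "$1" "$3")
    problems=0
    case "$server_flags" in
        u,u,u) ;;
        "")    echo "MISSING: server cert '$2' is not in the DB"; problems=1 ;;
        *)     echo "BAD: server cert '$2' has '$server_flags', expected u,u,u"; problems=1 ;;
    esac
    case "${ca_flags%%,*}" in
        *C*) ;;
        *)   echo "BAD: CA cert '$3' has '${ca_flags:-<absent>}', SSL field needs C"; problems=1 ;;
    esac
    return $problems
}

# check_httpd_cert <listing-file> <nss.conf> <ca-nick>: the Apache variant,
# where the server nickname must be the one named by NSSNickname.
check_httpd_cert() {
    nick=$(nss_nickname_of "$2")
    if [ -z "$nick" ]; then
        echo "BAD: no active NSSNickname directive in $2"
        return 1
    fi
    check_nssdb_trust "$1" "$nick" "$3"
}

# --- constructed sample inputs (not real captures from the thread) ---
WORK=$(mktemp -d)
GOOD_LISTING=$WORK/httpd-good.txt
BAD_LISTING=$WORK/httpd-bad.txt
GOOD_CONF=$WORK/nss-good.conf
BAD_CONF=$WORK/nss-bad.conf

cat > "$GOOD_LISTING" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,
EOF

# Broken state: nss.conf will name a nickname that is absent, and the
# third-party root was added without any trust flags.
cat > "$BAD_LISTING" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                ,,
EOF

printf '#NSSNickname "Signing-Cert"\nNSSNickname Server-Cert\n' > "$GOOD_CONF"
printf '#NSSNickname "Signing-Cert"\nNSSNickname 4GJN_CA_FILE\n' > "$BAD_CONF"

if check_httpd_cert "$GOOD_LISTING" "$GOOD_CONF" STARTCOM-ROOT; then
    echo "httpd NSS DB + nss.conf: OK"
fi
if ! check_httpd_cert "$BAD_LISTING" "$BAD_CONF" STARTCOM-ROOT; then
    echo "httpd NSS DB + nss.conf: fix the above before running ipa-server-certinstall"
fi
```

Against a live server you would feed it real output, e.g. "certutil -d /etc/httpd/alias -L > /tmp/httpd.txt" and then check_httpd_cert /tmp/httpd.txt /etc/httpd/conf.d/nss.conf STARTCOM-ROOT; for the LDAP and pki-tomcat DBs use check_nssdb_trust with the server nickname given explicitly. The same parser can be pointed at each replica's DB after ipa-certupdate to confirm the CA really landed everywhere.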
Kerberos doesn't start anymore?
The error is:
Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm
'4GJN.COM'
After inserting
"NSSEnforceValidCerts off"
in nss.conf, ipactl restart starts (?) but
ipactl status tells me:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
With certutil -d /etc/httpd/alias -L I now have this:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Signing-Cert u,u,u
4GJN_CA_FILE u,u,u
ipaCert u,u,u
4GJN.COM IPA CA CT,C,C
STARTCOM-ROOT C,,
I can put in nss.conf either the original
#NSSNickname "Signing-Cert"
or
NSSNickname 4GJN_CA_FILE, but all is now broken?
I also added this, found in Bugzilla:
certutil -d /var/lib/pki/pki-tomcat/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
STARTCOM-ROOT CT,,
This is created in the
certutil -d /etc/dirsrv/slapd-4GJN.COM -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
4GJN_CA_FILE u,u,u
4GJN.COM IPA CA CT,C,C
STARTCOM-ROOT C,,
Can anyone help a little, please ;-)
The bad problem: I tested this on my master server with DNS / DNSSEC, and I can't
install it anew (DNSSEC keys).
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project