Hi,

I'm trying to add 3rd party certs for the webgui and ldap as documented
here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I'm able to add the CA cert.

Then I add the chained cert and key via the ipa-server-certinstall tool.
However, when I try to restart httpd, it fails and I get the following
error in the logs.


[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: (ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.


I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2

Thanks,

--Josh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
