Can confirm nss.conf has NSSNickname set to Signing-Cert. I set the nickname of the Root CA issuing the 3rd party Certs to "LetsEncrypt_X1"
On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Joshua Ruybal wrote:
>
>> Hi,
>>
>> I'm trying to add 3rd party certs for the webgui and ldap as documented
>> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> I'm able to add the CA cert.
>>
>> Then add the chained cert and key via ipa-server-certinstall tool.
>> However when I try to restart httpd, it fails and I get the following
>> error in the logs.
>>
>> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: (ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
>> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
>> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>>
>> I've looked into the key, but everything seems to work as expected.
>>
>> Has anyone seen this before?
>>
>> Environment:
>> IPA VERSION: 4.2.0, API_VERSION: 2.156
>> CentOS 7.2
>>
>
> You set NSSNickname to Signing-Cert? What is the nickname of the cert you
> imported?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>

--
Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruy...@owneriq.com
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
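The check Rob asks for in the quoted reply (does the NSSNickname in nss.conf name an entry in /etc/httpd/alias, and is that entry a server certificate with a private key rather than a CA certificate?) can be scripted over the text that certutil -L prints. The following is an added example, not code from the thread, FreeIPA or mod_nss; the certutil listing and nss.conf excerpt are constructed samples that reuse the nicknames mentioned above plus a made-up "Old-Server-Cert" entry, and the trust-flag decoding follows the documented NSS meaning of the SSL column (u = private key present, C = trusted CA, P = trusted peer).

```python
"""Cross-check mod_nss's NSSNickname against an NSS database listing.

Added example (not from the mailing-list thread): parses the output of
`certutil -L -d /etc/httpd/alias` and the NSSNickname directive from
nss.conf, then reports the mismatches that typically end in
"Unable to verify certificate '<nickname>'" when httpd starts.
"""
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias` output.
SAMPLE_CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LetsEncrypt_X1                                               CT,C,C
Signing-Cert                                                 u,u,u
Old-Server-Cert                                              ,,
"""

# Constructed sample of the relevant nss.conf lines.
SAMPLE_NSS_CONF = """\
# mod_nss configuration excerpt (constructed)
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Signing-Cert
NSSEnforceValidCerts on
"""


def parse_certutil_listing(text):
    """Return {nickname: trust_string} from `certutil -L` output.

    Nicknames may contain spaces, so each line is split once from the
    right: the last whitespace-separated token is the trust string
    (for example "CT,C,C" or ",,"); everything before it is the nickname.
    """
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        if line.strip() == "SSL,S/MIME,JAR/XPI":  # second header line
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue  # not a nickname/trust pair; ignore defensively
        nickname, flags = parts
        certs[nickname] = flags
    return certs


def describe_trust(flags):
    """Decode the SSL column of an NSS trust string into plain facts."""
    ssl_flags = flags.split(",")[0]
    return {
        "has_private_key": "u" in ssl_flags,
        "trusted_ca": "C" in ssl_flags,
        "trusted_peer": "P" in ssl_flags,
    }


def nss_nickname(conf_text):
    """Return the NSSNickname value from nss.conf text, or None."""
    m = re.search(r"^\s*NSSNickname\s+(\S.*?)\s*$", conf_text, re.M)
    return m.group(1) if m else None


def check_nss_nickname(conf_text, listing_text):
    """Report whether NSSNickname points at a usable server certificate."""
    nickname = nss_nickname(conf_text)
    certs = parse_certutil_listing(listing_text)
    if nickname is None:
        return {"ok": False, "reason": "no NSSNickname in nss.conf"}
    if nickname not in certs:
        return {"ok": False, "nickname": nickname,
                "reason": "nickname not in database",
                "available": sorted(certs)}
    info = describe_trust(certs[nickname])
    if info["trusted_ca"] and not info["has_private_key"]:
        # Pointing mod_nss at the issuing CA: its key usage (certSign,
        # cRLSign) is inadequate for a TLS server, which is the kind of
        # condition NSS reports as error -8102.
        return {"ok": False, "nickname": nickname,
                "reason": "nickname is a CA certificate without a private key"}
    if not info["has_private_key"]:
        return {"ok": False, "nickname": nickname,
                "reason": "no private key stored for this nickname"}
    return {"ok": True, "nickname": nickname, "trust": certs[nickname]}


if __name__ == "__main__":
    print(check_nss_nickname(SAMPLE_NSS_CONF, SAMPLE_CERTUTIL_LISTING))
```

On a real host, feed the function the contents of /etc/httpd/conf.d/nss.conf and the captured stdout of `certutil -L -d /etc/httpd/alias`; a result with "ok": False names the specific mismatch to fix before considering NSSEnforceValidCerts off, which only hides the verification failure.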