On 15/11/2016 at 15:57:59 +0100, Tomas Krizek wrote:
> On 11/15/2016 01:47 PM, Leo Baltus wrote:
> > Hi,
> >
> > (first time user, first post on this ML)
> >
> > I am setting up ipa-server on a fresh CentOS-7 system.
> >
> > After running:
> >
> > /usr/sbin/ipa-server-install -U --realm XXXYYYYY.NL --domain xxxyyyyy.nl \
> > --admin-password foobarxy --ds-password foobarxy \
> > --idstart 5000 \
> > --no-ntp
> >
> > Connecting my Chrome browser to this machine results in a 'Your
> > connection is not private' error page. And no option to go the
> > insecure way.
> >
> > Now I have my own CA, created a certificate keypair with it and I would
> > like to import this keypair together with my CA to add trust.
> >
> > Following
> > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> >
> > ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
> > ipa-certupdate
> > ipa-server-certinstall -w -d mysite.key mysite.crt
> >
> > after running ipa-certupdate again I get:
> >
> > trying https://lab-k1.xxxyyyyy.nl/ipa/json
> > Forwarding 'ca_is_enabled' to json server
> > 'https://lab-k1.xxxyyyyy.nl/ipa/json'
> > cert validation failed for "CN=Object Signing Cert,O=XXXYYYYY.NL"
> > ((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for
> > attempted operation.)
> >
> > On other attempts I get a timeout on ipa-certupdate:
> > Resubmitting certmonger request '20161115122715' timed out, please check
> > the request manually
> >
> > Any idea what is going on? Am I using the right docs?
> >
> > versions:
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > krb5-libs-1.13.2-12.el7_2.x86_64
> > krb5-pkinit-1.13.2-12.el7_2.x86_64
> > krb5-server-1.13.2-12.el7_2.x86_64
> > krb5-workstation-1.13.2-12.el7_2.x86_64
> > libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
> > mod_nss-1.0.11-6.el7.x86_64
> > nss-3.21.0-9.el7_2.x86_64
> > nss-softokn-3.16.2.3-14.2.el7_2.x86_64
> > nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
> > nss-sysinit-3.21.0-9.el7_2.x86_64
> > nss-tools-3.21.0-9.el7_2.x86_64
> > nss-util-3.21.0-2.2.el7_2.x86_64
> > nss_compat_ossl-0.9.6-8.el7.x86_64
> > openssl-1.0.1e-51.el7_2.7.x86_64
> > openssl-libs-1.0.1e-51.el7_2.7.x86_64
> > pam_krb5-2.4.8-4.el7.x86_64
> > pki-base-10.2.5-10.el7_2.noarch
> > pki-ca-10.2.5-10.el7_2.noarch
> > pki-kra-10.2.5-10.el7_2.noarch
> > pki-server-10.2.5-10.el7_2.noarch
> > pki-tools-10.2.5-10.el7_2.x86_64
> > python-nss-0.16.0-3.el7.x86_64
> > sssd-krb5-1.13.0-40.el7_2.12.x86_64
> > sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> >
> Hi,
>
> can you check if your certificate can be used for an SSL server? You can use
> the following command
>
> openssl x509 -purpose -in mysite.crt
>

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No

--
Leo Baltus, internet administrator
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
[email protected], 035-6773555
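
An added example (not part of the thread and not FreeIPA code): a bash script that builds two throwaway self-signed certificates and runs the `openssl x509 -purpose` check suggested above on each, showing how the Key Usage and Extended Key Usage extensions decide the "SSL server" answer. The function names, the `test.example.invalid` subject and both certificate profiles are constructed for illustration.

```bash
#!/bin/bash
# Added example: throwaway certificates constructed here, not from the thread.
# make_cert <out.pem> <keyUsage> <extendedKeyUsage>
# Writes a self-signed test certificate carrying the given usage extensions.
make_cert() {
    local out="$1" ku="$2" eku="$3" dir rc=0
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = test.example.invalid
[ext]
basicConstraints = CA:FALSE
keyUsage = $ku
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# ssl_server_ok <cert.pem>: true only when openssl prints "SSL server : Yes".
ssl_server_ok() {
    openssl x509 -purpose -noout -in "$1" | grep -q '^SSL server : Yes'
}

# show_usage <cert.pem>: print the two extensions that drive the verdict.
show_usage() {
    openssl x509 -noout -text -in "$1" | grep -A1 -E 'X509v3 (Extended )?Key Usage'
}

# Demo: one TLS server profile, one code-signing profile.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/web.pem"  "digitalSignature, keyEncipherment" "serverAuth"
make_cert "$demo_dir/sign.pem" "digitalSignature" "codeSigning"
for cert in web sign; do
    echo "== $cert.pem"
    show_usage "$demo_dir/$cert.pem"
    if ssl_server_ok "$demo_dir/$cert.pem"; then
        echo "usable as SSL server"
    else
        echo "NOT usable as SSL server"
    fi
done
rm -rf "$demo_dir"
```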
