[Freeipa] [Bug 1813919] Re: Incorrect trust flags in NSSDB when renewing subsystem certificates

2019-03-04 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813919

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  OS: ubuntu 18.04
  Dogtag: 10.6.0

  When renewing subsystem certificates in dogtag (by following the
  process described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.

  The certificate IDs are:

  'ocsp_signing'        (gets 'u,u,u' should get 'CTu,Cu,Cu')
  'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')
  'ca_audit_signing'    (gets 'u,u,u' should get 'u,u,Pu')


  To fix this, certutil must be executed to correct them.

  In case anyone else finds this bug report and needs an emergency fix:

  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'ocspSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat CA'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813919/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
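
The check below is an added example, not part of the bug report or of Dogtag: it reads a certutil -L listing of the NSS database and compares the three nicknames from the report against the trust flags the report says they should carry. The function name and the sample listing are constructed for illustration.

```bash
# Reads `certutil -L -d <db>` output on stdin, prints OK / MISMATCH / MISSING per
# audited nickname, and returns non-zero if any nickname is not OK.
check_trust_flags() {
  awk '
    function expect(nick, flags) { order[++n] = nick; want[nick] = flags }
    # Sort the letters inside each comma-separated field so "TCu" equals "CTu".
    function norm(s,   f, c, i, j, k, m, p, t, out) {
      p = split(s, f, ","); out = ""
      for (i = 1; i <= p; i++) {
        m = length(f[i])
        for (j = 1; j <= m; j++) c[j] = substr(f[i], j, 1)
        for (j = 2; j <= m; j++)
          for (k = j; k > 1 && c[k-1] > c[k]; k--) { t = c[k]; c[k] = c[k-1]; c[k-1] = t }
        for (j = 1; j <= m; j++) out = out c[j]
        if (i < p) out = out ","
      }
      return out
    }
    BEGIN {  # nicknames and flags as quoted in the bug report
      expect("ocspSigningCert cert-pki-tomcat OCSP",  "CTu,Cu,Cu")
      expect("auditSigningCert cert-pki-tomcat OCSP", "u,u,Pu")
      expect("auditSigningCert cert-pki-tomcat CA",   "u,u,Pu")
    }
    # Listing rows end in a trust field such as "u,u,Pu"; the nickname (which
    # may contain spaces) is everything before it. Header rows do not match.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick); sub(/^[ \t]+/, "", nick)
      have[nick] = $NF
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in have)) { print "MISSING  " k; bad = 1 }
        else if (norm(have[k]) != norm(want[k])) {
          print "MISMATCH " k ": has " have[k] ", expected " want[k]; bad = 1
        } else print "OK       " k
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample of a listing taken after the renewal described in the report.
SAMPLE_AFTER_RENEWAL='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-tomcat OCSP        u,u,u
auditSigningCert cert-pki-tomcat OCSP       u,u,u
auditSigningCert cert-pki-tomcat CA         u,u,u'
```

On a live system the listing would come from certutil -L -d 'sql:/etc/pki/pki-tomcat/alias' piped into check_trust_flags; running it after every renewal catches the reset before OCSP starts failing.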


[Freeipa] [Bug 1813919] Re: Incorrect trust flags in NSSDB when renewing subsystem certificates

2019-01-30 Thread travis armstrong
** Description changed:

  OS: ubuntu 18.04
  Dogtag: 10.6.0
  
  When renewing subsystem certificates in dogtag (by following the process
  described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.
  
  The certificate IDs are:
  
- 'ocsp_signing'(gets 'u,u,u' shoud get 'CTu,Cu,Cu')
+ 'ocsp_signing'(gets 'u,u,u' should get 'CTu,Cu,Cu')
  'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')
+ 'ca_audit_signing'(gets 'u,u,u' should get 'u,u,Pu')
+ 
  
  To fix this certutil must be executed to correct them.
  
  In case anyone else finds this bugreport and need an emergency fix,
  
  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'ocspSigningCert cert-pki-tomcat OCSP'
  
  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
  'auditSigningCert cert-pki-tomcat OCSP'
+ 
+ certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n
+ 'auditSigningCert cert-pki-tomcat CA'
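
Review bot: the first certutil command in the unchanged context passes 'CTU,Cu,Cu', while the corrected 'ocsp_signing' line says the certificate should get 'CTu,Cu,Cu'; the description should use the same flag string in both places. Each command, including the newly added one for 'auditSigningCert cert-pki-tomcat CA', is also wrapped so that the -n argument sits on its own line, which will not run if pasted as shown; keeping each command on a single line would avoid that.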

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  New
