[Freeipa-users] Re: How to make ipa root certificate available system wide

2020-03-02 Thread Nick DeMarco via FreeIPA-users
This article explains how Firefox and the OS certificate database are related. Starting with Firefox 64, an enterprise policy controls the relationship between Firefox trusted roots and OS trusted roots. https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-16 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 15 Oct 2019, Kevin Vasko via FreeIPA-users wrote: Well that’s the thing, I didn’t realize the service certificate was revoked as I thought the entire point of validating the client cert was to validate the entire “chain” with OCSP. I’m using IPA’s internal cert system. Yeah, I kept

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-15 Thread Kevin Vasko via FreeIPA-users
Well that’s the thing, I didn’t realize the service certificate was revoked as I thought the entire point of validating the client cert was to validate the entire “chain” with OCSP. I’m using IPA’s internal cert system. Yeah, I kept reissuing tickets when I was trying to get the post command

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Fraser Tweedale via FreeIPA-users
On Mon, Oct 14, 2019 at 05:50:47PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Mon, 14 Oct 2019, Kevin Vasko wrote: > > Welp, I'm an idiot and you are completely 100% correct. > > > > It was indeed revoked, but the http server's certificate was revoked > > and not the client..which is

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 14 Oct 2019, Kevin Vasko wrote: Welp, I'm an idiot and you are completely 100% correct. It was indeed revoked, but the http server's certificate was revoked and not the client..which is where I was focusing 100% of my debugging. Which clears up a LOT of things. I originally was loading

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Kevin Vasko via FreeIPA-users
Welp, I'm an idiot and you are completely 100% correct. It was indeed revoked, but the http server's certificate was revoked and not the client..which is where I was focusing 100% of my debugging. Which clears up a LOT of things. I originally was loading the ca.crt on an Ubuntu machine a few days

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 11 Oct 2019, Kevin Vasko wrote: So following these instructions I found out that the certs are NOT revoked. https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certificates-have-been-revoked The one thing I did find is that in Firefox if I uncheck "Query OCSP responder

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Kevin Vasko via FreeIPA-users
So following these instructions I found out that the certs are NOT revoked. https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certificates-have-been-revoked The one thing I did find is that in Firefox if I uncheck "Query OCSP responder servers to confirm the current validity of

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Kevin Vasko via FreeIPA-users
I'm 100% positive I did nothing with this cert. To validate, I spun up a brand new machine completely from scratch. 1. ran yum update 2. installed Gnome 3. installed ipa with my normal "sudo ipa-client-install --domain=exaple.com --realm=EXAMPLE.COM --enable-dns-updates --mkhomedir" 4. started

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 10 Oct 2019, Kevin Vasko wrote: So I went back and read, reread, studied what you wrote and I think I’m following you. I’m really unfamiliar with certs and the tools around it so forgive the ignorance. So what I ended up doing is spinning up a CentOS7 VM and installing everything on it,

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
So I went back and read, reread, studied what you wrote and I think I’m following you. I’m really unfamiliar with certs and the tools around it so forgive the ignorance. So what I ended up doing is spinning up a CentOS7 VM and installing everything on it, adding it to the FreeIPA realm etc.

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
So you are saying that if the p11-kit-trust module is available it should be automatically adding the system wide trust store into the internal Firefox cert store? This is the output of my commands. I have the cert store that's created in my home directory. But there is no p11-kit-proxy do I have to

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 10 Oct 2019, Kevin Vasko wrote: Alexander, Unless I'm misunderstanding the information I don't think it will matter though because Firefox and Chrome use their own certificate stores. I found that information after I posted this question. Speaking specifically for firefox (and Chrome

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
Alexander, Unless I'm misunderstanding the information I don't think it will matter though because Firefox and Chrome use their own certificate stores. I found that information after I posted this question. Speaking specifically for firefox (and Chrome looks to be similar)...I'm concluding that

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 10 Oct 2019, Kevin Vasko via FreeIPA-users wrote: I actually manually checked the system wide crt files on each distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my /etc/ipa/ca.crt did appear to be in each of their respective *.crt files. That indicates to me that

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
I actually manually checked the system wide crt files on each distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my /etc/ipa/ca.crt did appear to be in each of their respective *.crt files. That indicates to me that there isn't any problem with the ipa-install-client on any of

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote: > Kees Bakker, > > If it is, I'm certainly not seeing it done on Ubuntu 16.04 or Ubuntu > 18.04 and based on Rob's comment it might not be done if I'm > understanding him correctly. Assuming I'm reading the code right it is not being executed on

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
Kees Bakker, If it is, I'm certainly not seeing it done on Ubuntu 16.04 or Ubuntu 18.04 and based on Rob's comment it might not be done if I'm understanding him correctly. -Kevin On Thu, Oct 10, 2019 at 8:19 AM Kees Bakker via FreeIPA-users wrote: > > On 10-10-19 14:35, Rob Crittenden via

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kees Bakker via FreeIPA-users
On 10-10-19 14:35, Rob Crittenden via FreeIPA-users wrote Kevin Vasko via FreeIPA-users wrote: How would I validate that certs are getting added properly on a CentOS machine system wide store? I’m going to test it today to find out if this is a problem unique to Ubuntu/CentOS. On Fedora

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote: > How would I validate that certs are getting added properly on a CentOS > machine system wide store? > > I’m going to test it today to find out if this is a problem unique to > Ubuntu/CentOS. On Fedora the chain is put into

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
How would I validate that certs are getting added properly on a CentOS machine system wide store? I’m going to test it today to find out if this is a problem unique to Ubuntu/CentOS. -Kevin > On Oct 9, 2019, at 10:44 PM, Fraser Tweedale wrote: > > On Wed, Oct 09, 2019 at 08:58:14PM

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote: > Seems to happen on both Ubuntu 16.04 and 18.04. > > $ lsb_release -a > No LSB modules are available. > Distributor ID: Ubuntu > Description:Ubuntu 16.04.6 LTS > Release:16.04 > Codename: xenial > > $ firefox

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Seems to happen on both Ubuntu 16.04 and 18.04. $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 16.04.6 LTS Release:16.04 Codename: xenial $ firefox --version Mozilla Firefox 67.0.4 freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Fraser Tweedale via FreeIPA-users
On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote: > Hello, > > I’m wanting to make our https servers use a trusted certificate within our > LAN only. So for example if I have websrv1.ny.example.com when a user uses a > machine that’s enrolled into our realm and they