Over the weekend, my original "NSS Certificate DB" certificate expired. It was automatically renewed, however in a new location:
    # ipa-getcert list
    Number of certificates and requests being tracked: 10.
    Request ID '20180929060059':
            status: MONITORING
            stuck: no
            key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-PHYSEC-DE
            certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
            subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
            expires: 2021-07-20 14:25:43 UTC
            principal name: ldap/master.ipa.physec...@ipa.physec.de
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
            track: yes
            auto-renew: yes
    Request ID '20180929060107':
            status: MONITORING
            ca-error: Unable to determine principal name for signing request.
            stuck: no
            key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
            subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
            expires: 2019-08-17 12:45:50 UTC
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/libexec/ipa/certmonger/restart_httpd
            track: yes
            auto-renew: yes

I managed to restart the FreeIPA service by adding `NSSEnforceValidCerts off` to `/etc/httpd/conf.d/nss.conf`.
But logging into the web interface still yields the following error in httpd:

    [Mon Aug 19 10:36:05.722736 2019] [:error] [pid 12798] ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
    [Mon Aug 19 10:36:05.723894 2019] [:error] [pid 12802] SSL Library Error: -12269 The server has rejected your certificate as expired

I have intentionally not copied the new certificate to `/etc/httpd/alias` as I am not aware of all the involved components and fear that this might break something.

My system is running a fully patched CentOS 7.6, running FreeIPA 4.6.4-10.el7.centos.6.

What should I do to resolve this issue, simply replacing the certificates, or is there a better method?

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
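A small check that surfaces the situation in the post before it turns into an outage: parse `ipa-getcert list` output and flag every tracked request that carries a `ca-error`, is already expired, or expires within a warning window. This is an added example, not FreeIPA or certmonger code; the `SAMPLE` text is constructed from the output quoted above (fields trimmed), and `POST_TIME` is the timestamp of the httpd log lines in the post, used as the reference "now".

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the ipa-getcert output quoted in the post.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20180929060059':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert'
\texpires: 2021-07-20 14:25:43 UTC
Request ID '20180929060107':
\tstatus: MONITORING
\tca-error: Unable to determine principal name for signing request.
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\texpires: 2019-08-17 12:45:50 UTC
"""
# Timestamp of the httpd log lines in the post, used as the reference "now".
POST_TIME = datetime(2019, 8, 19, 10, 36, tzinfo=timezone.utc)
REQ_RE = re.compile(r"^Request ID '([^']+)':$")

def parse_getcert(text):
    """Split `ipa-getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests

def find_problems(text, now=None, warn_days=30):
    """Return (request id, NSS DB location, reason) for requests needing attention."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in parse_getcert(text):
        loc = re.search(r"location='([^']*)'", req.get("certificate", ""))
        location = loc.group(1) if loc else "?"
        if "ca-error" in req:
            problems.append((req["id"], location, "ca-error: " + req["ca-error"]))
        if "expires" in req:
            # certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; %Z parses but sets no tzinfo
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append((req["id"], location, "expired " + req["expires"]))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((req["id"], location, "expires soon " + req["expires"]))
    return problems
```

On a live host, feed it the real output with `find_problems(subprocess.check_output(["ipa-getcert", "list"], text=True))`; a request that shows a `ca-error` is the one certmonger will not renew on its own, and is the one to fix before the expiry date arrives.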