On 06/20/2017 11:38 PM, Ian Pilcher wrote:
> If I don't specify the SSL_DIR, the curl command works, so it
> definitely seems to be an issue with the NSS database in
> /etc/httpd/alias.  I don't see anything obviously wrong with the trust
> flags, though:
>
>   # certutil -d /etc/httpd/alias -L
>
>   Certificate Nickname                                         Trust Attributes
>                                                                SSL,S/MIME,JAR/XPI
>
>   Server-Cert                                                  u,u,u
>   ipaCert                                                      u,u,u
>   PENURIO.US IPA CA                                            CT,C,C
>   Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
>   www.penurio.us                                               u,u,u

Trial and error for the win!

It seems as if the NSS database in /etc/httpd/alias had become subtly
corrupted, so that the trust flags shown by certutil for the CA
certificate were not accurate.

After clearing (-t ',,') and resetting (-t 'C,C,C') the trust flags,
curl works, and certmonger has renewed my expired certificates.

That was not fun.

--
========================================================================
Ian Pilcher arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
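
The clear-and-reset fix described in the message above, as an added example that is not part of the original post. It checks the result with certutil -V chain validation instead of the -L listing; the CERTUTIL override variable, the function name and the choice of leaf nickname are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not from the original post.
# CERTUTIL is a hypothetical override hook so the steps can be dry-run.
CERTUTIL="${CERTUTIL:-certutil}"

# reset_ca_trust DBDIR CA_NICKNAME LEAF_NICKNAME
reset_ca_trust() {
    db=${1%/} ca=$2 leaf=$3
    [ -d "$db" ] || { echo "no NSS database directory: $db" >&2; return 2; }

    # Copy the suspect database aside before modifying it.
    backup=$(mktemp -d "$db.bak.XXXXXX") || return 3
    cp -a "$db/." "$backup/" || return 3
    echo "backup: $backup"

    # Clear the CA's trust flags, then set them again, as in the post.
    "$CERTUTIL" -M -d "$db" -n "$ca" -t ',,'    || return 4
    "$CERTUTIL" -M -d "$db" -n "$ca" -t 'C,C,C' || return 4

    # The -L listing looked correct while trust was broken, so test the
    # result by validating a chain: -V verify, -u V SSL server usage,
    # -e check signatures too. An expired leaf fails here regardless.
    if "$CERTUTIL" -V -d "$db" -n "$leaf" -u V -e; then
        echo "chain for '$leaf' validates"
    else
        echo "chain for '$leaf' does not validate" >&2
        return 5
    fi
}

# Invocation with names from the listing above (run as root; which leaf
# certificate to validate is an assumption):
#   reset_ca_trust /etc/httpd/alias 'PENURIO.US IPA CA' www.penurio.us
```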