Hi there, is it possible to have a cert (say from VeriSign) for an IPA host and use it for httpd (Web GUI), without breaking anything else? I've acquired one and added it to nssdb (/etc/httpd/alias).

# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
COMP.COM IPA CA                                              CT,C,C
Signing-Cert                                                 u,u,u
CA-LDAP01-CHAINED                                            u,u,u
Comp SSL CA - G2 - VeriSign, Inc.                            ,,

It's now used in /etc/httpd/conf.d/nss.conf and the cert looks good via a browser. But it's breaking something, since I see this:

# ipa user-show admin
ipa: ERROR: cert validation failed for "CN=ca-ldap01.comp.com,OU=Corp,O=Corporation,L=City,ST=California,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'https://ca-ldap01.comp.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

Adding this cert to /etc/dirsrv/slapd-CORP-COM/ nssdb didn't resolve the issue.

Thanks for any advice.

Zarko
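
An added example, not part of the original post: a small parser for a `certutil -L` listing like the one above that reports which entries carry neither the `C` flag (CA trusted to issue server certificates) nor the `u` flag (certificate with a private key in that database) in the SSL column. The sample listing is constructed from the post; which NSS database the failing `ipa` client actually consults is not determined here, so the same check would be run against that database's listing.

```python
import re

# Constructed sample mirroring the `certutil -L -d /etc/httpd/alias` output in the post.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
COMP.COM IPA CA                                              CT,C,C
Signing-Cert                                                 u,u,u
CA-LDAP01-CHAINED                                            u,u,u
Comp SSL CA - G2 - VeriSign, Inc.                            ,,
"""

# A row ends with three comma-separated flag groups (each may be empty).
# Nicknames may themselves contain spaces and commas, so match lazily from the left.
ROW = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<obj>[A-Za-z]*)\s*$"
)


def parse_listing(text):
    """Return {nickname: (ssl, smime, objsign)} from `certutil -L` output."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        # The two header lines do not match, or match with an empty nickname.
        if m and m.group("nick").strip():
            entries[m.group("nick").strip()] = (
                m.group("ssl"), m.group("smime"), m.group("obj"))
    return entries


def lacking_ssl_trust(entries):
    """Nicknames whose SSL flags contain neither 'C' (trusted CA for server
    certs) nor 'u' (key-bearing cert), i.e. certs this database will not
    accept as a trusted issuer for TLS server certificates."""
    return [nick for nick, (ssl, _, _) in entries.items()
            if "C" not in ssl and "u" not in ssl]


if __name__ == "__main__":
    for nick in lacking_ssl_trust(parse_listing(SAMPLE)):
        print("no SSL issuer trust:", nick)
```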