Re: [Freeipa-users] error after change cert
barry...@gmail.com wrote:
> Where is it? Could you advise?
> My old cert is GoDaddy and new cert is Comodo.

Please keep responses on the list.

$ ldapsearch -LLL -x -D 'cn=directory manager' -W -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL

If the result doesn't match the nickname of your new cert then your simplest solution is:

# ipactl stop
# favorite editor /etc/dirsrv/slapd-REALM/dse.ldif

Find nsSSLPersonalitySSL and replace the value with the right one.

# ipactl start

rob

> On July 6, 2015 at 11:52 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> barry...@gmail.com wrote:
>>> Where can I check the config of nss? I modified the nssdb and imported the cert successfully. Should I change any ldif?
>>
>> I already told you in my initial reply:
>>
>> Check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
>>
>> rob
>>
>>> Many thks
>>>
>>> On July 6, 2015 at 11:44 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>>> barry...@gmail.com wrote:
>>>>> Do you mean this: I already added the cert to nss and even replaced \etc\ipa\ ca.cert
>>>>>
>>>>> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>>>>> Certificate Nickname                             Trust Attributes
>>>>>                                                  SSL,S/MIME,JAR/XPI
>>>>> COMODO RSA Domain Validation Secure Server CA    CT,C,C
>>>>> IPA CA                                           CT,C,C
>>>>> COMODO RSA Certification Authority               CT,C,C
>>>>
>>>> This has no relationship to the error you're seeing. This database is not used by either Apache or 389-ds.
>>>>
>>>> NSS uses nicknames to reference a given certificate. This nickname needs to exist in its database. I'm guessing that you changed the database, and therefore the nickname in the database, without also updating the server configuration with this new nickname.
>>>>
>>>> rob
>>>>
>>>>> 2015-07-06 21:39 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
>>>>>> barry...@gmail.com wrote:
>>>>>>> The cert is already in the httpd / ldap side, but it prompts an error:
>>>>>>>
>>>>>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>>>>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>>>>>>
>>>>>>> *.wisers.com - COMODO CA Limited                 u,u,u
>>>>>>> COMODO RSA Domain Validation Secure Server CA    CT,C,C
>>>>>>> COMODO RSA Certification Authority               CT,C,C
>>>>>>
>>>>>> Taking a wild guess here due to limited information, but check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
>>>>>>>> hi:
>>>>>>>> I changed the cert already but it seems to still keep the history of GoDaddy. Any help?
>>>>>>>>
>>>>>>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>>>>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family
[Freeipa-users] error after change cert
hi:
I changed the cert already but it seems to still keep the history of GoDaddy. Any help?

www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] error after change cert
The cert is already in the httpd / ldap side, but it prompts an error:

[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

*.wisers.com - COMODO CA Limited                 u,u,u
COMODO RSA Domain Validation Secure Server CA    CT,C,C
COMODO RSA Certification Authority               CT,C,C

2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
> hi:
> I changed the cert already but it seems to still keep the history of GoDaddy. Any help?
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
Re: [Freeipa-users] error after change cert
Do you mean this: I already added the cert to nss and even replaced \etc\ipa\ ca.cert

[root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
COMODO RSA Domain Validation Secure Server CA    CT,C,C
IPA CA                                           CT,C,C
COMODO RSA Certification Authority               CT,C,C

2015-07-06 21:39 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
> barry...@gmail.com wrote:
>> The cert is already in the httpd / ldap side, but it prompts an error:
>>
>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>
>> *.wisers.com - COMODO CA Limited                 u,u,u
>> COMODO RSA Domain Validation Secure Server CA    CT,C,C
>> COMODO RSA Certification Authority               CT,C,C
>
> Taking a wild guess here due to limited information, but check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
>
> rob
>
>> 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
>>> hi:
>>> I changed the cert already but it seems to still keep the history of GoDaddy. Any help?
>>>
>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
Re: [Freeipa-users] error after change cert
Any command to make it refresh? It seems it is still getting the old GoDaddy history?

2015-07-06 21:45 GMT+08:00 barry...@gmail.com:
> Do you mean this: I already added the cert to nss and even replaced \etc\ipa\ ca.cert
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
> Certificate Nickname                             Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
> COMODO RSA Domain Validation Secure Server CA    CT,C,C
> IPA CA                                           CT,C,C
> COMODO RSA Certification Authority               CT,C,C
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
>> barry...@gmail.com wrote:
>>> The cert is already in the httpd / ldap side, but it prompts an error:
>>>
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>>
>>> *.wisers.com - COMODO CA Limited                 u,u,u
>>> COMODO RSA Domain Validation Secure Server CA    CT,C,C
>>> COMODO RSA Certification Authority               CT,C,C
>>
>> Taking a wild guess here due to limited information, but check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
>>
>> rob
>>
>>> 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
>>>> hi:
>>>> I changed the cert already but it seems to still keep the history of GoDaddy. Any help?
>>>>
>>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
Re: [Freeipa-users] error after change cert
barry...@gmail.com wrote:
> Do you mean this: I already added the cert to nss and even replaced \etc\ipa\ ca.cert
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
> Certificate Nickname                             Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
> COMODO RSA Domain Validation Secure Server CA    CT,C,C
> IPA CA                                           CT,C,C
> COMODO RSA Certification Authority               CT,C,C

This has no relationship to the error you're seeing. This database is not used by either Apache or 389-ds.

NSS uses nicknames to reference a given certificate. This nickname needs to exist in its database. I'm guessing that you changed the database, and therefore the nickname in the database, without also updating the server configuration with this new nickname.

rob

> 2015-07-06 21:39 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
>> barry...@gmail.com wrote:
>>> The cert is already in the httpd / ldap side, but it prompts an error:
>>>
>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>>
>>> *.wisers.com - COMODO CA Limited                 u,u,u
>>> COMODO RSA Domain Validation Secure Server CA    CT,C,C
>>> COMODO RSA Certification Authority               CT,C,C
>>
>> Taking a wild guess here due to limited information, but check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
>>
>> rob
>>
>>> 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
>>>> hi:
>>>> I changed the cert already but it seems to still keep the history of GoDaddy. Any help?
>>>>
>>>> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>>>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>>>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
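
The check described in the replies above (the nickname in nsSSLPersonalitySSL has to exist in the server's NSS database, and the value can be read from dse.ldif), as an added example that is not part of the original thread. The sample LDIF entry, the sample certutil listing and the function names are constructed for illustration; the `u` trust flag marks a certificate whose private key is in the database.

```sh
#!/bin/sh
# Added example (not from the thread): does the configured nickname exist, with a key?

# Constructed dse.ldif fragment; the value is folded LDIF-style on purpose.
SAMPLE_LDIF='dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: *.example.com - GoD
 addy.com, Inc.
nsSSLActivation: on

dn: cn=features,cn=config
cn: features'

# Constructed "certutil -L" listing, shaped like the one quoted in the thread.
SAMPLE_CERTS='Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

*.example.com - COMODO CA Limited              u,u,u
COMODO RSA Domain Validation Secure Server CA  CT,C,C
COMODO RSA Certification Authority             CT,C,C'

# Print nsSSLPersonalitySSL from the cn=RSA entry of an LDIF read on stdin.
configured_nickname() {
    awk '/^ / { buf = buf substr($0, 2); next }   # unfold continuation lines
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }' |
    awk 'tolower($0) ~ /^dn: *cn=rsa,cn=encryption,cn=config$/ { rsa = 1; next }
         /^$/ { rsa = 0 }
         rsa && tolower($0) ~ /^nssslpersonalityssl: / { sub(/^[^:]*: */, ""); print }'
}

# Print nicknames whose trust flags contain "u" (private key present).
key_nicknames() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ && $NF ~ /u/ {
             sub(/[ \t]+[^ \t]+$/, ""); print }'
}

# $1 = LDIF text, $2 = certutil -L text; returns 1 on a mismatch.
check_nickname() {
    want=$(printf '%s\n' "$1" | configured_nickname)
    if printf '%s\n' "$2" | key_nicknames | grep -Fxq -- "$want"; then
        echo "OK: '$want' has a certificate and key in the database"
    else
        echo "MISMATCH: configured '$want'; database offers:"
        printf '%s\n' "$2" | key_nicknames | sed 's/^/  /'
        return 1
    fi
}
check_nickname "$SAMPLE_LDIF" "$SAMPLE_CERTS" || true
```

On a live server the two inputs would be `/etc/dirsrv/slapd-REALM/dse.ldif` and the output of `certutil -L -d /etc/dirsrv/slapd-REALM`; that the instance directory holds the NSS database is an assumption here, since the thread names only the dse.ldif path.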