Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-07 Thread Andrea Bontempi
-12195 is SSL_ERROR_UNKNOWN_CA_ALERT in NSS. I wonder if the root chain you gave to the IPA installer was complete. rob I work with PEM file format, in the sub-ca certificate there aren't chains (but it isn't a problem if I use a self-generated CA). (Moreover, the script has all the chain, the

[Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
Hi, I'm trying to install FreeIPA with external CA (again). Now I use FreeIPA 3.3.* and I found a strange error on [17/22]: requesting RA certificate from CA: 2013-11-08T11:07:38Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script

Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
Here is the log /var/log/pki/pki-tomcat/ca/debug [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization

Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
/usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Yes Does rpm -V pki-ca pass? No response Can openssl x509 -text -in /path/to/ca.crt show the cert ok? Certificate: Data: Version: 3 (0x2) Serial Number: 1383914316 (0x527cdb4c) Signature Algorithm:

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-12 Thread Andrea Bontempi
I found the reason for the failure of the installation. The script uses an NSS db located under /tmp: --- Certificate Nickname Trust Attributes

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-14 Thread Andrea Bontempi
Some tests: The error occurs when I use a CA managed by EJBCA, if I use a CA generated by openssl or nss everything works properly. The problem is that I can't reproduce the bug in an external nss db... but maybe I don't follow the same steps that the installation script uses. Andrea Bontempi

Re: [Freeipa-users] Installation issues with sub-ca.

2013-11-14 Thread Andrea Bontempi
Administration and activate PrintableString encoding in DN option in a new CA. Thank you very much, your help has been fundamental :-) Andrea Bontempi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo

Re: [Freeipa-users] Installation issues with sub-ca. [SOLVED]

2013-11-15 Thread Andrea Bontempi
PrintableString encoding in DN enabled. Thanks for the help. Andrea Bontempi

[Freeipa-users] NSPR Error -8015

2013-12-12 Thread Andrea Bontempi
NetworkError(uri=server, error=str(e)) Can someone help me? Thank you Andrea Bontempi

Re: [Freeipa-users] Full certificate renewal

2013-12-20 Thread Andrea Bontempi
SOLVED I forgot to update the certificates in /etc/pki-ca/CS.cfg Andrea Bontempi