-12195 is SSL_ERROR_UNKNOWN_CA_ALERT in NSS.
I wonder if the root chain you gave to the IPA installer was complete.
rob
I work with PEM file format; in the sub-CA certificate there aren't chains (but
it isn't a problem if I use a self-generated CA).
(Moreover, the script has all the chain, the
Hi, I'm trying to install FreeIPA with external CA (again)
Now I use FreeIPA 3.3.* and I found a strange error on [17/22]: requesting RA
certificate from CA:
2013-11-08T11:07:38Z DEBUG File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
622, in run_script
Here the log /var/log/pki/pki-tomcat/ca/debug
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode,
authorization
/usr/share/pki/ca/profiles/ca/caServerCert.cfg exist?
Yes
Does rpm -V pki-ca pass?
No response
Can openssl x509 -text -in /path/to/ca.crt show the cert ok?
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1383914316 (0x527cdb4c)
Signature Algorithm:
I found the reason for the failure of the installation.
The script uses an NSS db located under /tmp:
---
Certificate Nickname Trust Attributes
some tests: The error occurs when I use a CA managed by EJBCA, if I use a
CA generated by openssl or nss everything works properly.
The problem is that I can't reproduce the bug in an external NSS db... but
maybe I don't follow the same steps that the installation script uses.
Andrea Bontempi
Administration and activate PrintableString encoding
in DN option in a new CA.
Thank you very much, your help has been fundamental :-)
Andrea Bontempi
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo
PrintableString encoding in DN enabled.
Thanks for the help.
Andrea Bontempi
NetworkError(uri=server, error=str(e))
Can someone help me?
Thank you
Andrea Bontempi
SOLVED
I forgot to update the certificates in /etc/pki-ca/CS.cfg
Andrea Bontempi