Re: [Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Joshua Ruybal
Can confirm nss.conf has NSSNickname set to Signing-Cert.

I set the nickname of the Root CA issuing the 3rd party Certs to
"LetsEncrypt_X1"

On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden wrote:

> Joshua Ruybal wrote:
>
>> Hi,
>>
>> I'm trying to add 3rd party certs for the webgui and ldap as documented
>> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> I'm able to add the CA cert.
>>
>> Then add the chained cert and key via ipa-server-certinstall tool.
>> However when I try to restart httpd, it fails and I get the following
>> error in the logs.
>>
>>
>> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
>> (ipa-test.example.com:443 ) You
>> configured HTTP(80) on the standard HTTPS(443) port!
>> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
>> -8102 Certificate key usage inadequate for attempted operation.
>> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
>> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
>> so the server can start until the problem can be resolved.
>>
>>
>> I've looked into the key, but everything seems to work as expected.
>>
>> Has anyone seen this before?
>>
>> Environment:
>> IPA VERSION: 4.2.0, API_VERSION: 2.156
>> CentOS 7.2
>>
>
> You set NSSNickname to Signing-Cert? What is the nickname of the cert you
> imported?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>
>


-- 


*Joshua Ruybal | Systems Engineer*

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] 3rd Party http certs breaking Apache

2016-10-12 Thread Rob Crittenden

Joshua Ruybal wrote:

Hi,

I'm trying to add 3rd party certs for the webgui and ldap as documented
here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I'm able to add the CA cert.

Then add the chained cert and key via ipa-server-certinstall tool.
However when I try to restart httpd, it fails and I get the following
error in the logs.


[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
(ipa-test.example.com:443 ) You
configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
so the server can start until the problem can be resolved.


I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2


You set NSSNickname to Signing-Cert? What is the nickname of the cert 
you imported?


# certutil -L -d /etc/httpd/alias

rob
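A pre-flight check for the question Rob raises, added here as an example and not something from the thread: it reads NSSNickname out of nss.conf, looks that nickname up in a `certutil -L` listing, and reports whether the entry exists at all and whether it carries a private key (the `u` trust flag), which is what mod_nss needs before it can serve with it. The listing and the nss.conf fragment are constructed samples in the format of `certutil -L -d /etc/httpd/alias`; on a real server they would be replaced by the command's own output and the real config file.

```shell
#!/bin/sh
# Constructed sample in the format of `certutil -L -d /etc/httpd/alias`
# (not real output from the server in the thread).
SAMPLE_LISTING='Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI

Server-Cert                             u,u,u
EXAMPLE.COM IPA CA                      CT,C,C
LetsEncrypt_X1                          C,,'
# Constructed fragment of /etc/httpd/conf.d/nss.conf.
SAMPLE_NSSCONF='NSSEngine on
NSSNickname Signing-Cert
NSSCertificateDatabase /etc/httpd/alias'

# Print the NSSNickname value from nss.conf text on stdin (quotes stripped).
nss_nickname() {
    sed -n 's/^[[:space:]]*NSSNickname[[:space:]][[:space:]]*\(.*\)$/\1/p' |
        tr -d '"' | head -n 1
}

# Print the trust flags of nickname $1 from a certutil -L listing on stdin, or
# nothing if absent. Nicknames may contain spaces, so the trust column is taken
# as the last field and must look like SSL,S/MIME,JAR trust flags.
trust_flags_for() {
    awk -v want="$1" '
        NF >= 2 && $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            name = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)
            if (name == want) { print $NF; exit }
        }'
}

# Return 0 if nickname $1 is in listing $2 and has a private key (the "u"
# flag), 1 if the nickname is missing, 2 if it is a CA/peer cert without a key.
check_server_nick() {
    flags=$(printf '%s\n' "$2" | trust_flags_for "$1")
    if [ -z "$flags" ]; then
        echo "NSSNickname '$1' is not in the database: fix nss.conf" >&2
        return 1
    fi
    case "$flags" in
        *u*) return 0 ;;
        *) echo "'$1' has no private key (trust $flags), not a server cert" >&2
           return 2 ;;
    esac
}

nick=$(printf '%s\n' "$SAMPLE_NSSCONF" | nss_nickname)
if check_server_nick "$nick" "$SAMPLE_LISTING"; then
    echo "mod_nss can load '$nick'"
fi
```

With the sample data the script reports that 'Signing-Cert' is not in the database, which is the mismatch Rob's `certutil -L` would reveal; the -8102 key-usage error itself is about the certificate's extensions and still has to be checked on the certificate that the nickname actually points to.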
