barry...@gmail.com wrote:
I found the cause and removed the error. I used the bundle cert to
make the p12 file following the official guide. Only the bundle cert can
be used; even if I download another root CA cert of GoDaddy it fails,
saying something like a local chain error.
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Anyway, it really enters 3 entries: a root CA, a signing CA, and a server
cert. BUT actually the signer CA is not present; it is actually the
intermediate cert.
I added it again with certutil, then the error was gone, but it still keeps
the 3 entry rows. No idea whether it is a cert issue or not.
BTW I have another issue in the web UI when browsing the service tag. I tried
to add back all of the original IPA CA cert but it doesn't help, even
removing. Any idea?
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   ,,
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.    CT,C,C
Server-Cert                                                           ,,
*.abc.com - GoDaddy.com, Inc.                                         u,u,u
ABC.COM IPA CA                                                        CT,C,C
ipaCert                                                               ,,
It is a different error, unrelated to trust.
It looks like you don't have the private keys for Server-Cert and
ipaCert. For Server-Cert it doesn't really matter since you're using
your own, but ipaCert is required. I don't know if this is the cause of
the error or something else.
Hopefully you have a backup of the Apache database somewhere. You can
use pk12util to export ipaCert out of that and import it into the
current database.
rob
Regards
2014-03-31 22:39 GMT+08:00 barry...@gmail.com:
There are already the GoDaddy class and class 2 certs in it. I wonder why
the error still comes.
On 2014/3/31 at 10:37 PM, Rob Crittenden rcrit...@redhat.com wrote:
barry...@gmail.com wrote:
I followed the manual, using the IPA cert install.
It will auto-remove the IPA cert after you insert GoDaddy. Should I add them
back? No conflict?
You only need to add in the CA. There will be no conflict.
2) Do you mean the CA root cert of GoDaddy? I already tried adding any CA
root cert of GoDaddy; the error still comes out.
You need to add the CA that issued the wildcard cert they gave you.
Typically there are one or more subordinate CAs that actually issue the
certificates.
rob
On 2014/3/31 at 10:08 PM, Rob Crittenden rcrit...@redhat.com wrote:
barry...@gmail.com wrote:
Dear all:
I have successfully imported certs to HTTP and LDAP but some issues
arise.
1) When I click on service in the UI it is still using the OLD entries of
the self-signed cert and gives out an error... pls see attachment.
How do I reflect the GoDaddy cert there? And it cannot be deleted??
You're misreading this. The IPA CA is still installed and has issued
some certificates to some service (and probably hosts). I'm guessing
you removed the IPA CA certificate from /etc/httpd/alias. You need
to add it back to let IPA talk to its CA again.
2) When starting up dirsrv it causes some warnings, which say:
Starting dirsrv:
ABS-COM...[31/Mar/2014:10:25:59 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.wisers.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
Is there anywhere I should import again to skip the error and realize
the change with no errors prompted?
You need to add the GoDaddy CA cert chain to the 389-ds cert
database in /etc/dirsrv/slapd-ABS-COM/
rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
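
The diagnosis in the reply above is read off the trust-flag column of the certutil -L listing: an entry without "u" has no private key in that database, and a CA entry without "C" is not trusted to issue server certs. The following is an added example, not part of the original thread and not FreeIPA's own code, that parses such a listing and reports those entries; the sample is reconstructed from the listing in the thread, and the policy lists passed to audit() are assumptions.

```python
import re

# Constructed sample: the listing posted in the thread, laid out as
# `certutil -L -d <dbdir>` prints it (nickname, then SSL,S/MIME,JAR/XPI flags).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.  ,,
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.   CT,C,C
Server-Cert                                                  ,,
*.abc.com - GoDaddy.com, Inc.                                u,u,u
ABC.COM IPA CA                                               CT,C,C
ipaCert                                                      ,,
"""

FLAGS = r"[pPcCTuw]*"
# A data row is a nickname followed by three comma-separated flag fields,
# any of which may be empty; the two header lines do not match.
ROW = re.compile(rf"^(\S.*?)\s+({FLAGS}),({FLAGS}),({FLAGS})\s*$")

def parse_listing(text):
    """Map nickname -> (ssl, smime, objsign) trust flags."""
    return {m[1]: (m[2], m[3], m[4])
            for m in map(ROW.match, text.splitlines()) if m}

def audit(certs, need_key, need_ca_trust):
    """Return (nickname, problem) pairs; an absent nickname counts as failing."""
    findings = []
    for nick in need_key:        # 'u' appears only when the key db holds the key
        if "u" not in certs.get(nick, ("",))[0]:
            findings.append((nick, "no private key"))
    for nick in need_ca_trust:   # 'C' marks a CA trusted to issue server certs
        if "C" not in certs.get(nick, ("",))[0]:
            findings.append((nick, "not a trusted CA for SSL"))
    return findings

if __name__ == "__main__":
    db = parse_listing(SAMPLE)
    # Hypothetical policy: ipaCert must hold a key; GoDaddy entries must be trusted CAs.
    cas = [n for n in db if n.startswith("Go Daddy")]
    for nick, problem in audit(db, ["ipaCert"], cas):
        print(f"{nick}: {problem}")
```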