> On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote: > > Hi, > > about 'certificate_verification = no_verification', there is an issue > which was fixed by > https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be > but the fix is not in the build you are using. So better continue with > 'certificate_verification = no_ocsp'. > > > Please add all CA certificates to the NSS database /etc/pki/nssdb with > the help of the certutil command: > > certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d > /etc/pki/nssdb > > each CA certificate should get an individual nickname. If your > CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END > CERTIFICATE lines) you might need to add a '-a' option as well. > > If there are still issues please send the strace output. > > HTH > > bye, > Sumit
Hello, I just tried to add the certificates (intermediate and root CA) to the database and I got the error: "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format." for each one. The confirugation in sssd is still not changed and no other step is executed due to this error. I think it is important to solve this problem first, and that this one is not related to the sssd configuration and option certificate_verification in the config file. Can you propose me a solution for this? BR, Hristina _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
