[Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup
Vladimir Kulev
me at lightoze.net
Thu Aug 15 15:43:19 UTC 2013
On Thu, Aug 15, 2013 at 6:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Here is a command:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External
>> CA" -i /root/ca.pem
>>
>> Also I tried to add intermediate CA with the following:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub
>> CA" -i /root/sub.pem
>>
>> External CA file is correct, I verified it with "openssl s_client
>> -CAfile /root/ca.pem -connect ipa.mydomain.com:636
>> <http://ipa.mydomain.com:636>"
>>
>
> You should drop the sql prefix. This is creating a new cert and key
> database (you'll see a new cert9 and key4.db there). I don't believe that
> dogtag uses the sql prefix yet so it won't see the new certs you added.
>
> You should also set the trust flags on all intermediate certs as well.
You are right, lsof shows that java process opens only cert8.db and key3.db
I did as you say, and dirsrv log output changed to "Netscape Portable
Runtime error -8179 (Peer's Certificate issuer is not recognized.);
unauthenticated client"
Then I in addition ran this command:
certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA" -i
/etc/ipa/ca.crt
And eventually it worked!
So there were two problems:
1) ipa-server-certinstall removed IPA CA from dirsrv nssdb (by replacing it)
2) ipa-server-certinstall did not add new dirsrv CA into pki-tomcatd nssdb
Hope you can fix that either in documentation or tools :)
--
Best regards,
Vladimir Kulev
Mobile: +358400369346, +79215554422
Jabber: me at lightoze.net
Skype: lightoze
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130815/275fda50/attachment.htm>
More information about the Freeipa-users
mailing list