[Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

Rob Crittenden rcritten at redhat.com
Thu Aug 15 21:58:20 UTC 2013


Vladimir Kulev wrote:
>
> On Thu, Aug 15, 2013 at 6:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>         Here is a command:
>         certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem
>
>         Also I tried to add an intermediate CA with the following:
>         certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem
>
>         External CA file is correct, I verified it with "openssl s_client
>         -CAfile /root/ca.pem -connect ipa.mydomain.com:636"
>
>
>     You should drop the sql prefix. This is creating a new cert and key
>     database (you'll see a new cert9 and key4.db there). I don't believe
>     that dogtag uses the sql prefix yet so it won't see the new certs
>     you added.
>
>     You should also set the trust flags on all intermediate certs as well.
>
>
> You are right, lsof shows that java process opens only cert8.db and key3.db
> I did as you say, and dirsrv log output changed to "Netscape Portable
> Runtime error -8179 (Peer's Certificate issuer is not recognized.);
> unauthenticated client"
>
> Then, in addition, I ran this command:
> certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA" -i /etc/ipa/ca.crt
>
> And eventually it worked!
>
> So there were two problems:
> 1) ipa-server-certinstall removed IPA CA from dirsrv nssdb (by replacing it)
> 2) ipa-server-certinstall did not add new dirsrv CA into pki-tomcatd nssdb
>
> Hope you can fix that either in documentation or tools :)

https://fedorahosted.org/freeipa/ticket/3862

rob
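As an added example (not code from this thread or from FreeIPA), a small POSIX shell script that checks for the two conditions Rob points out: which NSS database flavour a directory actually holds (the sql: prefix creates cert9.db/key4.db next to the cert8.db/key3.db the service opens) and whether a CA nickname carries SSL trust flags. The certutil -L listing it parses is constructed sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. SAMPLE_LISTING is a
# constructed "certutil -L" listing, not captured output.

# Which NSS database flavour a directory holds: "dbm" (cert8.db/key3.db, the files
# lsof showed the dogtag java process opening), "sql" (cert9.db/key4.db, what the
# sql: prefix to certutil -d creates), "both" or "none". A CA added to one flavour
# is invisible to a service that only opens the other.
nssdb_format() {
  dbm=0 sql=0
  [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ] && dbm=1
  [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ] && sql=1
  case "$dbm$sql" in
    11) echo both ;; 10) echo dbm ;; 01) echo sql ;; *) echo none ;;
  esac
}

# Print the trust attributes of a nickname from "certutil -L -d <dir>" output on
# stdin (nickname, whitespace, then the SSL,S/MIME,JAR flags in the last column),
# or "missing" if the nickname is not in the database at all.
cert_trust_flags() {
  awk -v n="$1" '
    NR > 2 && NF > 1 { f = $NF; $NF = ""; sub(/[ \t]+$/, "")
                       if ($0 == n) { print f; found = 1 } }
    END { if (!found) print "missing" }'
}

# Succeed only if the nickname is present and carries "C" (trusted CA) in the SSL
# group, which is what the root gets above and what the advice above asks for on
# the intermediate too; an entry imported with -t ",," fails this check.
ca_trusted_for_ssl() {
  flags=$(cert_trust_flags "$1")
  [ "$flags" != missing ] || return 1
  case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

SAMPLE_LISTING='Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

External CA                           CT,C,C
External Sub CA                       ,,
IPA CA                                CT,C,C'

# Demo on the constructed listing: only the intermediate imported with ",," fails.
for n in "External CA" "External Sub CA" "IPA CA"; do
  if printf '%s\n' "$SAMPLE_LISTING" | ca_trusted_for_ssl "$n"; then r=trusted
  else r=NOT-trusted; fi
  printf '%-16s %s\n' "$n" "$r"
done
```

On a real server, replace the sample with `certutil -L -d /etc/pki/pki-tomcat/alias` (no sql: prefix) and run nssdb_format on that directory to see whether a second database flavour has appeared.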