[Freeipa-users] Issue on import official cert of godaddy.

Rob Crittenden rcritten at redhat.com
Tue Apr 1 12:46:13 UTC 2014


barrykfl at gmail.com wrote:
> I found the cause and removed the error ... I used the bundle cert to
> make the p12 file by the official guide ... only the bundle cert can be used;
> even if I download another root CA cert of GoDaddy it fails, saying
> something like a local chain error,
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> Anyway it really enters 3 entries: a root CA, a signing CA, a server cert
> ... BUT actually the signer CA is not present; it is actually an intermediate cert.
> I added it again by certutil, then the error is gone ... but it still keeps the
> 3 entry rows ... no idea if it is the cert issue or not,
> BTW I have another issue on the web UI, when browsing the service tag. I tried
> to add back all of the original IPA CA cert but it doesn't help, even removing
> it ... any idea ..???
> 
> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. ,,
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,C,C
> Server-Cert                                                  ,,
> *.abc.com - GoDaddy.com, Inc.                                u,u,u
> ABC.COM IPA CA                                               CT,C,C
> ipaCert                                                      ,,

It is a different error, unrelated to trust.

It looks like you don't have the private keys for Server-Cert and
ipaCert. For Server-Cert it doesn't really matter since you're using
your own, but ipaCert is required. I don't know if this is the cause of
the error or something else.

Hopefully you have a backup of the Apache database somewhere. You can
use pk12util to export ipaCert out of that and import it into the
current database.

rob

> Regards
> 
> 2014-03-31 22:39 GMT+08:00 <barrykfl at gmail.com>:
> 
>     There are already GoDaddy class and class 2 certs in it; I wonder why
>     the error still comes
> 
>     On 2014/3/31 10:37 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> 
>         barrykfl at gmail.com wrote:
>          > I follow the manual, using ipa cert install.
>          >
>          > It will auto-remove the IPA cert after you insert GoDaddy's. Should
>          > I add them back? No conflict?
> 
>         You only need to add in the CA. There will be no conflict.
> 
>          > 2) Do you mean the CA root cert of GoDaddy? I already tried adding any
>          > CA root cert of GoDaddy; the error still comes out
> 
>         You need to add the CA that issued the wildcard cert they gave you.
>         Typically there are one or more subordinate CAs that actually issue the
>         certificates.
> 
>         rob
> 
>          >
>          > 2014/3/31 下午10:08 於 "Rob Crittenden" <rcritten at redhat.com
>         <mailto:rcritten at redhat.com>
>          > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> 寫道:
>          >
>          > barrykfl at gmail.com <mailto:barrykfl at gmail.com>
>         <mailto:barrykfl at gmail.com <mailto:barrykfl at gmail.com>> wrote:
>          >
>          >         Dear all:
>          >         I have successfully imported certs to HTTP and LDAP, but
>          >         some issues arise.
>          >         1) When I click on a service in the UI it is still using the
>          >         OLD entries of the self-signed cert and gives out an error
>          >         ... please see attachment. How to reflect the GoDaddy cert
>          >         there, and it cannot be deleted?
>          >
>          >
>          >     You're misreading this. The IPA CA is still installed and
>         has issued
>          >     some certificates to some service (and probably hosts).
>         I'm guessing
>          >     you removed the IPA CA certificate from /etc/httpd/alias.
>         You need
>          >     to add it back to let IPA talk to its CA again.
>          >
>          >         2) When starting up dirsrv it causes some warning output, saying:
>          >         Starting dirsrv:
>          >               ABS-COM...[31/Mar/2014:10:25:59 +0800] - SSL alert:
>          >         CERT_VerifyCertificateNow: verify certificate failed for cert
>          >         *.wisers.com - GoDaddy.com, Inc. of family
>          >         cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>          >         -8172 - Peer's certificate issuer has been marked as not
>          >         trusted by the user.)
>          >         Is there anywhere I should import again to skip the error and
>          >         realize the change, with no errors prompted?
>          >
>          >
>          >     You need to add the GoDaddy CA cert chain to the 389-ds cert
>          >     database in /etc/dirsrv/slapd-ABS-COM/
>          >
>          >     rob
>          >
> 
> 
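Rob's diagnosis above rests on the trust column of the certutil listing: in `certutil -L` output the flags are SSL,S/MIME,JAR/XPI, and a `u` ("user") flag appears only when the database also holds the private key for that entry, so `,,` on Server-Cert and ipaCert means the certificates are present without their keys. The following shell script is an added example, not from the thread or the FreeIPA project: it runs the same check against a constructed listing modelled on the one posted (any nickname can be named, not only the two Rob points at), and wraps the pk12util export/import Rob suggests for pulling ipaCert back from a backup. The backup directory is a placeholder and the password file name `pwdfile.txt` in each NSS directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find NSS certificate entries that
# lack a private key, then move one back from a backup database.
#
# In `certutil -L` output the trust column is SSL,S/MIME,JAR/XPI; a 'u'
# flag is only shown when the database also holds the matching private
# key. Service certs and ipaCert must therefore show u,u,u.

# Constructed sample modelled on the listing in the thread (not real output).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert                                                  ,,
*.abc.com - GoDaddy.com, Inc.                                u,u,u
ABC.COM IPA CA                                               CT,C,C
ipaCert                                                      ,,'

# missing_keys <listing> <nickname>...: print each named entry whose trust
# flags carry no 'u', i.e. the certificate is present without its key.
missing_keys() {
    listing=$1
    shift
    for nick in "$@"; do
        printf '%s\n' "$listing" | awk -v nick="$nick" '
            NF == 0 { next }                        # blank separator line
            {
                flags = $NF                         # trust flags, last field
                name = $0
                sub(/[ \t]+[^ \t]*$/, "", name)     # nickname = everything before them
                if (name == nick && flags !~ /u/) print name
            }'
    done
}

# live_listing <dbdir>: the listing of a real NSS database, for feeding
# into missing_keys (e.g. /etc/httpd/alias on an IPA server).
live_listing() {
    certutil -L -d "$1"
}

# restore_cert <backup_dbdir> <live_dbdir> <nickname>: export the cert and
# its key from the backup as PKCS#12, then import into the live database.
# Assumption: both directories keep their password in pwdfile.txt.
restore_cert() {
    backup=$1; live=$2; nick=$3
    tmpd=$(mktemp -d) || return 1
    p12="$tmpd/cert.p12"
    pk12util -o "$p12" -n "$nick" -d "$backup" \
        -k "$backup/pwdfile.txt" -w "$backup/pwdfile.txt" &&
    pk12util -i "$p12" -d "$live" \
        -k "$live/pwdfile.txt" -w "$backup/pwdfile.txt"
    status=$?
    rm -rf "$tmpd"
    return "$status"
}

# Offline demonstration on the constructed listing: prints Server-Cert and
# ipaCert (no 'u' flag), but not the wildcard cert, which shows u,u,u.
missing_keys "$SAMPLE_LISTING" Server-Cert ipaCert "*.abc.com - GoDaddy.com, Inc."

# Against a real server (placeholder paths, not run here):
#   missing_keys "$(live_listing /etc/httpd/alias)" Server-Cert ipaCert
#   restore_cert /path/to/backup/alias /etc/httpd/alias ipaCert
```

After the import, `certutil -K -d /etc/httpd/alias` (which prompts for the database password) should list a key whose nickname is ipaCert, and the trust column in `certutil -L` should read `u,u,u` for it.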