[Freeipa-users] Issue on import official cert of godaddy.
Rob Crittenden
rcritten at redhat.com
Tue Apr 1 12:46:13 UTC 2014
barrykfl at gmail.com wrote:
> I found the cause and removed the error... I used the bundle cert to
> make the p12 file by the official guide... the bundle cert can only be used; even if I
> download another root CA cert of GoDaddy it fails, saying something like a local
> chain error,
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> Anyway it really enters 3 entries: a root CA, a signing CA, a server cert
> ... BUT actually the signer CA is not present; it is actually an intermediate cert.
> I added it again by certutil and then the error was gone... but it still keeps the
> 3 entry rows... no idea whether it is a cert issue or not.
> BTW I have another issue on the web UI, when browsing the service tab. I tried
> to add back all of the original IPA CA cert but it doesn't help, even after removing... any
> idea
> ...???
>
> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   ,,
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.   CT,C,C
> Server-Cert                                                          ,,
> *.abc.com - GoDaddy.com, Inc.                                        u,u,u
> ABC.COM IPA CA                                                       CT,C,C
> ipaCert                                                              ,,
It is a different error, unrelated to trust.
It looks like you don't have the private keys for Server-Cert and
ipaCert. For Server-Cert it doesn't really matter since you're using
your own, but ipaCert is required. I don't know if this is the cause of
the error or something else.
Hopefully you have a backup of the Apache database somewhere. You can
use pk12util to export ipaCert out of that and import it into the
current database.
rob
> Regards
>
> 2014-03-31 22:39 GMT+08:00 <barrykfl at gmail.com>:
>
> There are already GoDaddy class and class 2 certs in it; I wonder why
> the error still comes
>
> On 2014/3/31 at 10:37 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
> barrykfl at gmail.com wrote:
> > I followed the manual, using ipa cert install.
> >
> > It will auto-remove the IPA cert after you insert GoDaddy. Should
> > I add them back? No conflict?
>
> You only need to add in the CA. There will be no conflict.
>
> > 2) Do you mean the CA root cert of GoDaddy? I already tried adding any
> > CA root cert of GoDaddy; the error still comes out.
>
> You need to add the CA that issued the wildcard cert they gave you.
> Typically there are one or more subordinate CAs that actually issue the
> certificates.
>
> rob
>
> >
> > On 2014/3/31 at 10:08 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> >
> > barrykfl at gmail.com wrote:
> >
> > Dear all:
> > I have successfully imported certs to HTTP and LDAP but some issues
> > arise.
> > 1) When I click on service in the UI it still uses the OLD entries
> > of the self-signed cert and gives out an error... please see the attachment.
> > How to reflect the GoDaddy cert there? And it cannot be deleted...??
> >
> >
> > You're misreading this. The IPA CA is still installed and has issued
> > some certificates to some service (and probably hosts). I'm guessing
> > you removed the IPA CA certificate from /etc/httpd/alias. You need
> > to add it back to let IPA talk to its CA again.
> >
> > 2) When starting up dirsrv it causes some warning output saying:
> > Starting dirsrv:
> > ABS-COM...[31/Mar/2014:10:25:59 +0800] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > *.wisers.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config
> > (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been
> > marked as not trusted by the user.)
> > Anywhere I should import again to skip the error and realize
> > the change, with no errors prompted?
> >
> >
> > You need to add the GoDaddy CA cert chain to the 389-ds cert
> > database in /etc/dirsrv/slapd-ABS-COM/
> >
> > rob
> >
>
>
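Added example for the two checks Rob describes in this thread: whether the NSS database still holds the private keys for Server-Cert and ipaCert (the "u" trust flag in a certutil -L listing), and getting the GoDaddy chain and the exported ipaCert back into the Apache and 389-ds databases. This is not code from the thread or from FreeIPA; the listing is constructed from the one posted above, and the database paths, backup path and nicknames in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): parse a `certutil -L -d <dbdir>` listing
# and pick out entries that neither hold a private key nor are trusted as a CA.
# Constructed sample modelled on the listing posted in the thread.

SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   ,,
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.   CT,C,C
Server-Cert                                                  ,,
*.abc.com - GoDaddy.com, Inc.                                u,u,u
ABC.COM IPA CA                                               CT,C,C
ipaCert                                                      ,,'

# Emit "nickname<TAB>flags" for each certificate line read on stdin. The two
# header lines and blank lines are skipped; a flags column is a comma list
# made only of the NSS trust letters C, T, c, P, p, u, w.
list_trust() {
  awk 'NF > 0 {
    flags = $NF
    if (flags !~ /^[CTcPpuw,]*$/ || flags !~ /,/) next   # not a flags column
    nick = $0
    sub(/[ \t]+[^ \t]+$/, "", nick)                     # drop the flags column
    printf "%s\t%s\n", nick, flags
  }'
}

# Exit 0 if NICK carries a "u" flag, i.e. the NSS DB also holds its private key.
# Reads the certutil -L listing on stdin.
has_private_key() {
  list_trust | awk -F '\t' -v n="$1" '$1 == n && $2 ~ /u/ { ok = 1 } END { exit !ok }'
}

# Print entries whose flags are exactly ",,": no key and no CA trust. In the
# thread these were Server-Cert and ipaCert (and the unmarked GoDaddy root).
keyless_untrusted() {
  list_trust | awk -F '\t' '$2 == ",," { print $1 }'
}

# Demo run on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | keyless_untrusted
if printf '%s\n' "$SAMPLE_LISTING" | has_private_key ipaCert; then
  echo "ipaCert: private key present"
else
  echo "ipaCert: no private key in this DB; restore it from a backup with pk12util"
fi

# Repair steps on a real server (not run here; paths and nicknames are assumptions):
#   certutil -K -d /etc/httpd/alias                       # keys actually in the Apache DB
#   pk12util -o ipacert.p12 -n ipaCert -d /path/to/backup/alias
#   pk12util -i ipacert.p12 -d /etc/httpd/alias
#   certutil -A -d /etc/dirsrv/slapd-ABS-COM -n "GoDaddy Secure CA" \
#            -t "CT,C,C" -a -i gd_intermediate.crt      # the CA that issued the wildcard cert
```

The filter on the flags column is what lets the same function digest the real certutil -L output, whose first two lines are column headers; a nickname that contains spaces (as the GoDaddy ones do) survives because only the last whitespace-separated field is treated as flags.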