[Freeipa-users] Try to re-import self sign cert fail after used 3rd party cert
Rob Crittenden
rcritten at redhat.com
Thu Mar 27 18:02:05 UTC 2014
barrykfl at gmail.com wrote:
> Dear all:
>
> I did change using 3rd party cert and now I tried to reimport the
> original self sign cert I backup before all in p12 format.
>
> Server-cert.p12 and ipacert.p12 ....I follow here and import successful.
>
> BUT it show error during restart httpd that say untrust source. even I
> added to "NSSEnforceValidCerts off" httpd worked but web site unable to
> access, Anywhere I missed that I must make it trust again.
> Also I tried 2nd way .... ipa-server-certinstall -w --http_pin=1234 ( I
> backup p12's password ) Server-cert.p12 but say incorrect password
>
> it seem that the pin file txt inside is encrypted and not as same as the
> password i created when in the Server-cert.p12
>
> any idea ?
>
> 7 23:58:19 2014] [error] SSL Library Error: -8172 Certificate is signed
> by an untrusted issuer
> [Thu Mar 27 23:58:19 2014] [error] Unable to verify certificate
> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server
> can start until the problem can be resolved.

It may be that the IPA CA isn't in the database.

certutil -L -d /etc/httpd/alias

Look for '$REALM IPA CA'

If it isn't there you can add it with:

certutil -A -n '$REALM IPA CA' -d /etc/httpd/alias -t CT,C,C -a -i /etc/ipa/ca.crt

rob
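
The check described in the reply above, as an added example that is not part of the original thread: it reads a certutil -L listing and reports whether a given CA nickname is present and trusted to issue SSL server certificates. The function names ca_trust and ca_status, the EXAMPLE.COM realm and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. ca_trust and ca_status are
# hypothetical helper names; the listing below is constructed sample
# output of `certutil -L -d /etc/httpd/alias` for a made-up realm.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
'

# ca_trust NICKNAME: read a certutil -L listing on stdin and print the
# trust attributes recorded for NICKNAME. Exit status 1 if it is not listed.
ca_trust() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF                            # last column: trust attributes
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)  # drop that column
            sub(/^[ \t]+/, "", name)               # nicknames may contain spaces
            if (name == nick) { print flags; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# ca_status NICKNAME: classify the listing on stdin as
#   missing   - nickname absent (the case the reply suspects)
#   untrusted - present, but no C flag in the SSL field
#   trusted   - present and trusted to issue SSL server certificates
ca_status() {
    flags=$(ca_trust "$1") || { echo missing; return 0; }
    ssl=${flags%%,*}                               # first field is the SSL trust
    case $ssl in
        *C*) echo trusted ;;
        *)   echo untrusted ;;
    esac
}

# Against the real database, with the realm name substituted:
#   certutil -L -d /etc/httpd/alias | ca_status 'EXAMPLE.COM IPA CA'
printf '%s\n' "$SAMPLE_LISTING" | ca_status 'EXAMPLE.COM IPA CA'
```

A result of missing or untrusted matches the -8172 "untrusted issuer" error in the log, and the certutil -A command from the reply is the fix.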