[Freeipa-users] Issue on import official cert of godaddy.

Rob Crittenden rcritten at redhat.com
Mon Mar 31 14:37:45 UTC 2014


barrykfl at gmail.com wrote:
> I follow the manual, using ipa cert install.
> 
> It will auto remove the ipa cert after you insert godaddy. Should I add them 
> back? No conflict?

You only need to add in the CA. There will be no conflict.

> 2) Do you mean the CA root cert of GoDaddy? I already tried adding any CA root 
> cert of GoDaddy; the error still comes out.

You need to add the CA that issued the wildcard cert they gave you.
Typically there are one or more subordinate CAs that actually issue the
certificates.

rob

> 
> On 2014/3/31 at 10:08 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> 
>     barrykfl at gmail.com wrote:
> 
>         Dear all:
>         I have successfully imported certs to http and ldap but some issues
>         arise.
>         1) When I click on service in the UI it is still using OLD entries
>         of the self-signed cert and gives out an error ... please see
>         attachment.
>         How to reflect the godaddy cert there, and it cannot be deleted??
> 
> 
>     You're misreading this. The IPA CA is still installed and has issued
>     some certificates to some service (and probably hosts). I'm guessing
>     you removed the IPA CA certificate from /etc/httpd/alias. You need
>     to add it back to let IPA talk to its CA again.
> 
>         2) When starting up dirsrv it causes some warning, saying:
>         Starting dirsrv:
>               ABS-COM...[31/Mar/2014:10:25:59 +0800] - SSL alert:
>         CERT_VerifyCertificateNow: verify certificate failed for cert
>         *.wisers.com - GoDaddy.com, Inc. of family
>         cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>         -8172 - Peer's certificate issuer has been marked as not
>         trusted by the user.)
>         Is there anywhere I should import again to skip the error and
>         realize the change so that no errors are prompted?
> 
> 
>     You need to add the GoDaddy CA cert chain to the 389-ds cert
>     database in /etc/dirsrv/slapd-ABS-COM/
> 
>     rob
> 
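
One way to carry out the advice above for the 389-ds certificate database, as an added example that is not part of the original thread: it splits a CA bundle into single certificates and prints one `certutil -A` command per CA, so the issuing (subordinate) CA and the root each get their own entry. The bundle file name and the "GoDaddy CA" nickname prefix are assumptions; only the database path comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: prints certutil commands, changes nothing.
# Usage (bundle name is a placeholder): sh ca-import.sh gd_bundle.crt /etc/dirsrv/slapd-ABS-COM

# split_pem BUNDLE OUTDIR
# Write each certificate of a PEM bundle to OUTDIR/ca-N.pem; print how many were found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_cmds DBDIR CERTDIR COUNT NICKNAME_PREFIX
# Print one "certutil -A" per CA certificate. Trust flags CT,, mark the cert as a
# trusted CA for server (C) and client (T) certificates in the SSL column.
import_cmds() {
    i=1
    while [ "$i" -le "$3" ]; do
        printf 'certutil -A -d %s -n "%s %d" -t CT,, -a -i %s/ca-%d.pem\n' \
            "$1" "$4" "$i" "$2" "$i"
        i=$((i + 1))
    done
}

if [ "$#" -ge 2 ]; then
    work=$(mktemp -d)
    count=$(split_pem "$1" "$work")
    import_cmds "$2" "$work" "$count" "GoDaddy CA"   # nickname prefix is an assumption
    echo "certutil -L -d $2    # list nicknames and trust flags afterwards"
fi
```

Review the printed commands, run them as root, then restart dirsrv and check that the `CERT_VerifyCertificateNow` alert no longer appears at startup.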



