[Freeipa-users] error after change cert

Rob Crittenden rcritten at redhat.com
Mon Jul 6 15:44:40 UTC 2015


barrykfl at gmail.com wrote:
> Do you mean this:
>
> I already added the cert to NSS and even replaced /etc/ipa/ca.cert
>
>
> [root@(LIVE) slapd-Wwww-COM]$   certutil -d /etc/pki/nssdb  -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA                CT,C,C
> IPA CA                                                       CT,C,C
> COMODO RSA Certification Authority                           CT,C,C

This has no relationship to the error you're seeing. This database is 
not used by either Apache or 389-ds.

NSS uses nicknames to reference a given certificate. This nickname needs 
to exist in its database. I'm guessing that you changed the database, 
and therefore the nickname in the database, without also updating the 
server configuration with this new nickname.

rob

>
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>
>     barrykfl at gmail.com wrote:
>
>         The cert is already on the httpd / ldap side, but it prompts an error:
>
>         [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>         [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>
>         *.wisers.com - COMODO CA Limited                             u,u,u
>         COMODO RSA Domain Validation Secure Server CA                CT,C,C
>         COMODO RSA Certification Authority                           CT,C,C
>
>
>     Taking a wild guess here due to limited information, but check the
>     value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
>     is the NSS nickname of the server certificate to use.
>
>     rob
>
>
>
>         2015-07-06 20:01 GMT+08:00 <barrykfl at gmail.com>:
>
>              hi:
>
>              I changed the cert already but it seems it still keeps the history of
>              GoDaddy. Any help??
>
>
>              www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>              [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
>              [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>              [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.




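The mismatch Rob describes above can be checked mechanically before restarting the directory server. The script below is an added example for this thread, not code from the list, from FreeIPA or from 389-ds: it takes the LDIF of cn=RSA,cn=encryption,cn=config and a certutil -L listing as plain text, reads the nickname from nsSSLPersonalitySSL, and reports whether that nickname exists in the NSS database with a private key (a "u" in the trust flags, as in the u,u,u shown for the server cert in the thread). The sample config and listing are constructed, modelled on the thread, and the /etc/dirsrv/slapd-INSTANCE path in the comments is an assumption to be replaced with the real instance directory.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or 389-ds): does the NSS
# nickname that 389-ds is configured to use actually exist in its NSS
# database, with a private key? 389-ds looks the server certificate up by
# nsSSLPersonalitySSL under cn=RSA,cn=encryption,cn=config and fails
# "SSL Initialization phase 2" when the nickname cannot be found.
# On a live server the two inputs would come from (paths are assumptions):
#   ldapsearch -x -D "cn=Directory Manager" -W \
#       -b cn=RSA,cn=encryption,cn=config -s base nsSSLPersonalitySSL
#   certutil -d /etc/dirsrv/slapd-INSTANCE -L

# Pull the configured nickname out of LDIF text given as $1.
configured_nickname() {
    printf '%s\n' "$1" | sed -n 's/^nsSSLPersonalitySSL: *//p' | head -n 1
}

# Print the trust flags for nickname $2 in the certutil -L listing $1, or
# nothing if the nickname is absent. Nicknames contain spaces, so the trust
# column (last whitespace-separated field) is stripped off before comparing
# the rest of the line with the nickname.
nickname_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)
            if (line == nick) { print flags; exit }
        }'
}

# Exit status 0 when the configured nickname is present with a private key,
# 1 when it is missing or has no key, 2 when no nickname is configured.
check_server_cert() {
    nick=$(configured_nickname "$1")
    if [ -z "$nick" ]; then
        echo "no nsSSLPersonalitySSL value found"
        return 2
    fi
    flags=$(nickname_trust "$2" "$nick")
    if [ -z "$flags" ]; then
        echo "nickname '$nick' is not in the NSS database:" \
             "set nsSSLPersonalitySSL to the new nickname or re-import the cert under this one"
        return 1
    fi
    case $flags in
        *u*) echo "ok: '$nick' found with trust flags $flags (private key present)"; return 0 ;;
        *)   echo "'$nick' found with trust flags $flags but no private key"; return 1 ;;
    esac
}

# Constructed sample inputs modelled on the thread: the config still names
# the old GoDaddy certificate while the database only holds the new one.
STALE_CONFIG=$(cat <<'EOF'
dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: Old Server-Cert - GoDaddy.com, Inc.
EOF
)
FIXED_CONFIG=$(cat <<'EOF'
dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: New Server-Cert - COMODO CA Limited
EOF
)
NSS_LISTING=$(cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

New Server-Cert - COMODO CA Limited                          u,u,u
COMODO RSA Domain Validation Secure Server CA                CT,C,C
COMODO RSA Certification Authority                           CT,C,C
EOF
)

# Stale config reproduces the failure; fixed config passes.
check_server_cert "$STALE_CONFIG" "$NSS_LISTING" || :
check_server_cert "$FIXED_CONFIG" "$NSS_LISTING" || :
```

The trust-flag test is deliberately loose ("u" anywhere in the flags) because a CA certificate that also has its key in the database shows flags such as CTu,Cu,Cu; what matters for the startup error is that the nickname resolves and a key is attached to it.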