[Freeipa-users] error after change cert
Rob Crittenden
rcritten at redhat.com
Mon Jul 6 15:52:57 UTC 2015
barrykfl at gmail.com wrote:
> Where can I check the config of nss?
>
> I modified the nssdb and imported the cert successfully.
>
> Should I change any ldif?
I already told you in my initial reply:
Check the value of nsSSLPersonalitySSL in
cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server
certificate to use.
rob
>
> Many thanks
>
> On Jul 6, 2015 at 11:44 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
> barrykfl at gmail.com wrote:
>
> Do you mean this:
>
> I already added the cert to nss and even \etc\ipa\ ca.cert replaced
>
>
> [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
>
> Certificate Nickname                                 Trust Attributes
>                                                      SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA        CT,C,C
> IPA CA                                               CT,C,C
> COMODO RSA Certification Authority                   CT,C,C
>
>
> This has no relationship to the error you're seeing. This database
> is not used by either Apache or 389-ds.
>
> NSS uses nicknames to reference a given certificate. This nickname
> needs to exist in its database. I'm guessing that you changed the
> database, and therefore the nickname in the database, without also
> updating the server configuration with this new nickname.
>
> rob
>
>
>
> 2015-07-06 21:39 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>
> barrykfl at gmail.com wrote:
>
> The cert is already in httpd / ldap side, but it prompts an error
>
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>
> *.wisers.com - COMODO CA Limited                     u,u,u
> COMODO RSA Domain Validation Secure Server CA        CT,C,C
> COMODO RSA Certification Authority                   CT,C,C
>
>
> Taking a wild guess here due to limited information, but check the
> value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
> is the NSS nickname of the server certificate to use.
>
> rob
>
>
>
> 2015-07-06 20:01 GMT+08:00 <barrykfl at gmail.com>:
>
> Hi:
>
> I changed the cert already but it seems it still keeps history of
> GoDaddy, any help??
>
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>
>
>
>
>
>
>
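
The check described in this message, as an added example that is not part of the original thread: it compares nsSSLPersonalitySSL from the cn=RSA,cn=encryption,cn=config entry with the nicknames that `certutil -L` lists for the directory server's own NSS database. The sample LDIF, the sample listing, the example.test names and all function names are constructed for illustration.

```python
import re

RSA_DN = "cn=rsa,cn=encryption,cn=config"
# Nickname, whitespace, then the three trust fields (SSL,S/MIME,JAR/XPI).
TRUST_RE = re.compile(r"^(.*\S)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed sample data, not taken from the thread.
SAMPLE_DSE = """dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: *.example.test - Old
  CA, Inc.
nsSSLActivation: on
"""
SAMPLE_LISTING = """Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

*.example.test - New CA Limited       u,u,u
Example Intermediate CA               CT,C,C
"""

def configured_nickname(ldif):
    """Return nsSSLPersonalitySSL from the cn=RSA encryption entry, or None."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folds long lines with "\n "
    for entry in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.strip())
        if attrs.get("dn", "").replace(" ", "").lower() == RSA_DN:
            return attrs.get("nssslpersonalityssl")
    return None

def nss_nicknames(listing):
    """Map nickname -> trust flags parsed from `certutil -L` output."""
    found = (TRUST_RE.match(line) for line in listing.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

def diagnose(ldif, listing):
    """Explain why the configured server certificate can or cannot load."""
    nick, certs = configured_nickname(ldif), nss_nicknames(listing)
    if nick is None:
        return "nsSSLPersonalitySSL is not set"
    if nick not in certs:
        return f"nickname {nick!r} is not in the NSS database"
    if "u" not in certs[nick].split(",")[0]:
        return f"{nick!r} has no private key in this database (no 'u' flag)"
    return "ok"

if __name__ == "__main__":
    print(diagnose(SAMPLE_DSE, SAMPLE_LISTING))
```

With the constructed inputs, the configured nickname still names the old certificate while the database only holds the new one, which is the mismatch behind a "Can't find certificate" alert.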