[Freeipa-users] error after change cert
Rob Crittenden
rcritten at redhat.com
Tue Jul 7 14:22:10 UTC 2015
barrykfl at gmail.com wrote:
> Where is it?
> Could you advise?
> My old cert is GoDaddy
> and the new cert is Comodo.
Please keep responses on the list.

$ ldapsearch -LLL -x -D 'cn=directory manager' -W -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL

If the result doesn't match the nickname of your new cert then your
simplest solution is:

# ipactl stop
# <favorite editor> /etc/dirsrv/slapd-REALM/dse.ldif

Find nsSSLPersonalitySSL and replace the value with the right one.

# ipactl start

rob
> On 6 Jul 2015 at 11:52 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> >
> > barrykfl at gmail.com wrote:
> > >
> > > Where can I check the config of NSS?
> > >
> > > I modified the nssdb and imported the cert successfully.
> > >
> > > Should I change any ldif?
> >
> > I already told you in my initial reply:
> >
> > Check the value of nsSSLPersonalitySSL in
> > cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server
> > certificate to use.
> >
> > rob
> >
> > > Many thks
> > >
> > > On 6 Jul 2015 at 11:44 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> > > >
> > > > barrykfl at gmail.com wrote:
> > > > >
> > > > > Do you mean this:
> > > > >
> > > > > I already added the cert to NSS and even replaced \etc\ipa\ ca.cert
> > > > >
> > > > > [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
> > > > >
> > > > > Certificate Nickname                                  Trust Attributes
> > > > >                                                       SSL,S/MIME,JAR/XPI
> > > > >
> > > > > COMODO RSA Domain Validation Secure Server CA         CT,C,C
> > > > > IPA CA                                                CT,C,C
> > > > > COMODO RSA Certification Authority                    CT,C,C
> > > >
> > > > This has no relationship to the error you're seeing. This database
> > > > is not used by either Apache or 389-ds.
> > > >
> > > > NSS uses nicknames to reference a given certificate. This nickname
> > > > needs to exist in its database. I'm guessing that you changed the
> > > > database, and therefore the nickname in the database, without also
> > > > updating the server configuration with this new nickname.
> > > >
> > > > rob
> > > >
> > > > > 2015-07-06 21:39 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
> > > > > >
> > > > > > barrykfl at gmail.com wrote:
> > > > > > >
> > > > > > > The cert is already on the httpd / ldap side, but it prompts an error
> > > > > > >
> > > > > > > [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> > > > > > > [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
> > > > > > >
> > > > > > > *.wisers.com - COMODO CA Limited                      u,u,u
> > > > > > > COMODO RSA Domain Validation Secure Server CA         CT,C,C
> > > > > > > COMODO RSA Certification Authority                    CT,C,C
> > > > > >
> > > > > > Taking a wild guess here due to limited information, but check the
> > > > > > value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This
> > > > > > is the NSS nickname of the server certificate to use.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > 2015-07-06 20:01 GMT+08:00 <barrykfl at gmail.com>:
> > > > > > > >
> > > > > > > > hi:
> > > > > > > >
> > > > > > > > I changed the cert already but it seems it still keeps the history
> > > > > > > > of GoDaddy. Any help??
> > > > > > > >
> > > > > > > > www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> > > > > > > > [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> > > > > > > > [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> > > > > > > > [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
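The check Rob describes, comparing the nsSSLPersonalitySSL value in cn=RSA,cn=encryption,cn=config against the nicknames certutil lists, as an added example script that is not part of this thread. It works on captured command output so it can be tried offline; the constructed sample below reproduces the situation in the thread (config still naming the GoDaddy nickname, database holding only the Comodo chain). The live commands in the trailing comment, and the assumption that the 389-ds instance's NSS database lives in /etc/dirsrv/slapd-REALM rather than /etc/pki/nssdb, are mine, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that the nickname 389-ds is
# configured to use (nsSSLPersonalitySSL) actually exists in the NSS database
# 389-ds reads. The paths and live commands are assumptions: the instance's
# NSS database is taken to be /etc/dirsrv/slapd-REALM (Rob notes that
# /etc/pki/nssdb is used by neither Apache nor 389-ds).

# Print the configured nickname from `ldapsearch -LLL` output read on stdin.
# (A value ldapsearch had to base64-encode, printed as "attr:: ...", is not
# decoded here; nicknames like the ones in the thread print in clear.)
config_nickname() {
    sed -n 's/^nsSSLPersonalitySSL: //p' | head -n 1
}

# Print one nickname per line from `certutil -L` output read on stdin.
# Entry lines are "<nickname> <trust flags>"; nicknames may contain spaces,
# so the trust-flag column is removed as the last whitespace-separated token
# instead of splitting the line on spaces. Header and blank lines are skipped.
db_nicknames() {
    awk 'NF >= 2 && !/^Certificate Nickname/ {
            sub(/[ \t]+[^ \t]+$/, "")   # drop the trust-flag column
            print
         }'
}

# Succeed only if nickname $1 is present, as a whole line, in the certutil
# output read on stdin.
check_nickname() {
    db_nicknames | grep -Fxq -- "$1"
}

# diagnose <ldapsearch output> <certutil output>: returns 0 when the
# configured nickname is present, 1 when it is missing (the case in this
# thread), 2 when no nsSSLPersonalitySSL value was found at all.
diagnose() {
    nick=$(printf '%s\n' "$1" | config_nickname)
    if [ -z "$nick" ]; then
        echo "nsSSLPersonalitySSL not found in the ldapsearch output"
        return 2
    fi
    if printf '%s\n' "$2" | check_nickname "$nick"; then
        echo "OK: nsSSLPersonalitySSL '$nick' is present in the NSS database"
        return 0
    fi
    echo "MISMATCH: nsSSLPersonalitySSL is '$nick' but the NSS database only has:"
    printf '%s\n' "$2" | db_nicknames | sed 's/^/  /'
    echo "Fix: ipactl stop; set nsSSLPersonalitySSL in /etc/dirsrv/slapd-REALM/dse.ldif; ipactl start"
    return 1
}

# Constructed sample input modelled on the thread's log and certutil listing.
SAMPLE_LDAP='dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: *.wwwcom - GoDaddy.com, Inc.'

SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.wisers.com - COMODO CA Limited                             u,u,u
COMODO RSA Domain Validation Secure Server CA                CT,C,C
COMODO RSA Certification Authority                           CT,C,C
'

diagnose "$SAMPLE_LDAP" "$SAMPLE_CERTUTIL" || :

# On the IPA server itself (assumed paths; needs root and the Directory
# Manager password) the same check runs against live output:
#   diagnose "$(ldapsearch -LLL -x -D 'cn=directory manager' -W \
#                 -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL)" \
#            "$(certutil -d /etc/dirsrv/slapd-REALM -L)"
```

With the sample input the script reports the mismatch and lists the three Comodo nicknames, which is exactly the state the "Can't find certificate (*.wwwcom - GoDaddy.com, Inc.)" alert in the log describes: the server configuration still names a certificate that no longer exists in the database it opens.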