[Freeipa-users] Changing the SSL certificate for the WebUI

Prashant Bapat prashant at apigee.com
Sun Jun 21 04:25:10 UTC 2015


Hi Rob,

Thanks for the reply.

The ipa-server-certinstall did require that I have the cert and the CA cert
in a PEM file and the key in another PEM file. And the command went through
successfully.

But afterwards the HTTP service stopped working. The only way I could get it to
start again was to set NSSEnforceValidCerts off in
/etc/httpd/conf.d/nss.conf.

Below is the error message from the logs.

[Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG with 144 bytes of entropy
[Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing (virtual) servers for SSL
[Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
[Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

On turning off SSL, I did try what you are suggesting. A load
balancer with the commercial CA and HTTPS from the LB to the server behind it,
and it works! The only problem is, I will have to have one load balancer
for each of the servers. This is because I used naming like ipa.example.com
and ipa2.example.com etc. for the IPA servers. These are all replicas and
their name has to match what's on the LB.

Thanks again!
--Prashant


On 21 June 2015 at 01:51, Rob Crittenden <rcritten at redhat.com> wrote:

> Prashant Bapat wrote:
>
>> I tried the steps documented on a test VM. Looks like I ended up in the
>> situation described here
>> https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.
>>
>
> Please be careful when pointing back at old threads. This issue was about
> expired certs. I suspect you found it because of a similar error message,
> but the underlying cause is completely unrelated.
>
> You probably just need to add in the CA cert that issued the server
> certificate. I'd have thought that ipa-server-certinstall would enforce
> that but perhaps not.
>
>> I have one more question. Is there a way to disable HTTPS completely on
>> the WebUI. I can add HTTPS on a load balancer in front of the UI to
>> handle SSL.
>>
>
> It would be a rather terrible idea. You'd still have a lot of in-the-clear
> messaging between the IPA web server and the load balancer. I wouldn't
> recommend that; there are real replay issues possible. You should
> re-encrypt, so terminate SSL at the load balancer and then open a new SSL
> session to IPA.
>
> rob
>
>
>>
>>
>> On 18 June 2015 at 19:03, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>>     Prashant Bapat wrote:
>>
>>         Hi All,
>>
>>         There is a way to change the certificate for the web UI.
>>
>>         I went with a standard install with a self signed CA etc. Now I
>>         want to
>>         install a cert from a commercial CA. I don't mind using the IPA
>>         CA certs
>>         for the 389 DS, just want to change the cert for the UI.
>>
>>         Any pointers on how to do this ?
>>
>>
>>     http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>>
>>
>
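The mod_nss error in the log above is NSS refusing to use the installed certificate because its key usage does not cover the TLS server operation (NSS error -8102), and the suggested workaround, NSSEnforceValidCerts off, simply disables that validation rather than fixing the certificate. The following script is an added example, not code from the thread or from the FreeIPA project: it parses mod_nss error-log lines of the format shown above, maps the NSS error code to its symbolic name from secerr.h, attaches the certificate nickname from the following "Unable to verify" line, and separately audits an nss.conf fragment for the validation-off workaround. The sample log and config text are constructed from this thread; the hint strings are the author's own summaries.

```python
import re
from dataclasses import dataclass

# NSS SECErrorCodes are offsets from SEC_ERROR_BASE (-0x2000 = -8192). Only the
# codes relevant to mod_nss start-up certificate checks are listed here.
SEC_ERROR_BASE = -0x2000
NSS_ERROR_NAMES = {
    SEC_ERROR_BASE + 11: "SEC_ERROR_EXPIRED_CERTIFICATE",    # -8181
    SEC_ERROR_BASE + 13: "SEC_ERROR_UNKNOWN_ISSUER",         # -8179
    SEC_ERROR_BASE + 20: "SEC_ERROR_UNTRUSTED_ISSUER",       # -8172
    SEC_ERROR_BASE + 90: "SEC_ERROR_INADEQUATE_KEY_USAGE",   # -8102
    SEC_ERROR_BASE + 91: "SEC_ERROR_INADEQUATE_CERT_TYPE",   # -8101
}

# Defender-side remediation hints (author's summaries, not NSS text).
HINTS = {
    SEC_ERROR_BASE + 90: "certificate keyUsage/extendedKeyUsage does not permit TLS server "
                         "use; install a server certificate instead of disabling validation",
    SEC_ERROR_BASE + 13: "issuing CA certificate is not in the NSS database; import the CA chain",
    SEC_ERROR_BASE + 11: "certificate has expired; renew it",
}

# Apache error-log line as mod_nss writes it: [timestamp] [:level] [pid N] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
NSS_ERR_RE = re.compile(r"SSL Library Error: (?P<code>-\d+) (?P<text>.*)")
NICK_RE = re.compile(r"Unable to verify certificate '(?P<nick>[^']+)'")


@dataclass
class LogEntry:
    timestamp: str
    level: str
    pid: int
    message: str


def parse_line(line):
    """Split one mod_nss error-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["level"], int(m["pid"]), m["msg"])


def triage(lines):
    """Return one finding per NSS library error found in the log lines.

    Each finding carries the numeric code, its symbolic name, the original
    message text, the certificate nickname named in the 'Unable to verify'
    line that follows, and a remediation hint when one is known."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.level != "error":
            continue
        m = NSS_ERR_RE.search(entry.message)
        if m:
            code = int(m["code"])
            findings.append({
                "pid": entry.pid,
                "code": code,
                "name": NSS_ERROR_NAMES.get(code, "UNKNOWN_NSS_ERROR"),
                "text": m["text"],
                "nickname": None,
                "hint": HINTS.get(code, ""),
            })
            continue
        m = NICK_RE.search(entry.message)
        # The nickname line immediately follows the library error it explains.
        if m and findings and findings[-1]["nickname"] is None:
            findings[-1]["nickname"] = m["nick"]
    return findings


# Matches an active (uncommented) NSSEnforceValidCerts directive.
NSS_ENFORCE_RE = re.compile(r"^\s*NSSEnforceValidCerts\s+(\S+)", re.IGNORECASE)


def enforce_valid_certs_disabled(conf_text):
    """True if nss.conf turns certificate validation off (the workaround from the thread).

    mod_nss treats the directive as on when it is absent, so a missing or
    commented-out directive is reported as not disabled."""
    for line in conf_text.splitlines():
        m = NSS_ENFORCE_RE.match(line)
        if m:
            return m[1].lower() == "off"
    return False


# Constructed sample: the two error lines from the thread's log, unwrapped.
SAMPLE_LOG = [
    "[Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing (virtual) servers for SSL",
    "[Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.",
    "[Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify certificate 'Signing-Cert'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.",
]

# Constructed sample nss.conf fragment showing the workaround applied.
SAMPLE_NSS_CONF = "NSSEngine on\nNSSEnforceValidCerts off\nNSSNickname Signing-Cert\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['code']} {f['name']} cert={f['nickname']!r}")
        if f["hint"]:
            print("  hint:", f["hint"])
    if enforce_valid_certs_disabled(SAMPLE_NSS_CONF):
        print("nss.conf: certificate validation is disabled (NSSEnforceValidCerts off)")
```

Run against a real /var/log/httpd/error_log and /etc/httpd/conf.d/nss.conf, the two checks together tell a responder whether a server was started with validation switched off and which certificate nickname NSS rejected, which is the state to look for after the workaround in this thread has been applied.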