[Freeipa-users] Changing the SSL certificate for the WebUI

Rob Crittenden rcritten at redhat.com
Mon Jun 22 12:40:05 UTC 2015


Prashant Bapat wrote:
> Hi Rob,
>
> Thanks for the reply.
>
> The ipa-server-certinstall did require that I have the cert and the CA
> cert in a PEM file and the key in another PEM file. And the command went
> through successfully.
>
> But afterwards the HTTP service stopped working. The only way I could get it
> to start again was to set NSSEnforceValidCerts off in
> /etc/httpd/conf.d/nss.conf.
>
> Below is the error message from the logs.
>
> [Sun Jun 21 09:46:09.188241 2015] [:info] [pid 3803] Initializing SSL
> Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Sun Jun 21 09:46:09.444378 2015] [:info] [pid 3803] Init: Seeding PRNG
> with 144 bytes of entropy
> [Sun Jun 21 09:46:09.444395 2015] [:info] [pid 3803] Init: Initializing
> (virtual) servers for SSL
> [Sun Jun 21 09:46:09.454700 2015] [:error] [pid 3803] SSL Library Error:
> -8102 Certificate key usage inadequate for attempted operation.
> [Sun Jun 21 09:46:09.454757 2015] [:error] [pid 3803] Unable to verify
> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
> so the server can start until the problem can be resolved.

The error is that you are trying to use a certificate for SSL that 
doesn't have the usage flags to allow being used as a server. The 
nickname Signing-Cert suggests this is an object-signing cert. I'd 
suggest using certutil to look at the NSS database in /etc/httpd/alias 
to see what certs are installed and reconfigure mod_nss to use the 
correct nickname.

> On the turning off SSL, I did try what you are suggesting. A load
> balancer with the commercial CA and HTTPS from LB to the server behind
> it, and it worked! The only problem is, I will have to have 1 load
> balancer for each of the servers. This is because I used naming like
> ipa.example.com and ipa2.example.com etc. for the IPA servers. These are all
> replicas and their name has to match what's on the LB.

Why not get a 3rd party cert with multiple SANs, one for each IPA master?

rob
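
As an added illustration of the check Rob describes (not code from this thread or from FreeIPA): a stdlib-only Python parser that reads the KeyUsage and ExtendedKeyUsage extensions of a DER certificate and applies a simplified form of the rule NSS uses before it will serve a cert as a TLS server cert. The two sample certificates are constructed inline and are not real certificates; `sample_cert` and `server_usage_report` are names chosen here.

```python
OID_KEY_USAGE = bytes.fromhex("551d0f")               # 2.5.29.15
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")           # 2.5.29.37
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")   # 1.3.6.1.5.5.7.3.1
OID_CODE_SIGNING = bytes.fromhex("2b06010505070303")  # 1.3.6.1.5.5.7.3.3

def der_iter(buf):
    """Yield (tag, contents) for each TLV in a DER buffer (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                       # long form: low 7 bits give the length-byte count
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + ln]
        i += ln

def server_usage_report(cert_der):
    """Report the KeyUsage/EKU bits NSS checks before using a cert as a TLS server cert."""
    _, cert_body = next(der_iter(cert_der))           # Certificate SEQUENCE
    _, tbs = next(der_iter(cert_body))                # tbsCertificate SEQUENCE
    report = {"digital_signature": False, "key_encipherment": False, "eku": None}
    exts = next((v for t, v in der_iter(tbs) if t == 0xA3), b"")  # [3] EXPLICIT Extensions
    for _, ext in der_iter(next(der_iter(exts))[1] if exts else b""):
        fields = list(der_iter(ext))                  # extnID, [critical], extnValue
        oid, (_, inner) = fields[0][1], next(der_iter(fields[-1][1]))
        if oid == OID_KEY_USAGE:                      # BIT STRING: unused-bits octet, then flags
            flags = inner[1] if len(inner) > 1 else 0
            report["digital_signature"] = bool(flags & 0x80)
            report["key_encipherment"] = bool(flags & 0x20)
        elif oid == OID_EXT_KEY_USAGE:                # SEQUENCE OF OID
            report["eku"] = [v for _, v in der_iter(inner)]
    # Simplified NSS rule: EKU, if present, must list serverAuth; key must sign (ECDHE) or encipher (RSA kex)
    eku_ok = report["eku"] is None or OID_SERVER_AUTH in report["eku"]
    report["tls_server_ok"] = eku_ok and (report["digital_signature"] or report["key_encipherment"])
    return report

def der(tag, payload):
    """Tiny DER encoder (lengths < 256) used only to construct the samples below."""
    ln = bytes([len(payload)]) if len(payload) < 128 else b"\x81" + bytes([len(payload)])
    return bytes([tag]) + ln + payload

def sample_cert(ku_flags, eku_oids):
    """Constructed, unsigned certificate-shaped DER carrying just the fields the checker walks."""
    ext = lambda oid, val: der(0x30, der(0x06, oid) + der(0x04, val))
    exts = ext(OID_KEY_USAGE, der(0x03, b"\x00" + bytes([ku_flags])))
    exts += ext(OID_EXT_KEY_USAGE, der(0x30, b"".join(der(0x06, o) for o in eku_oids)))
    tbs = der(0x02, b"\x01") + der(0x30, b"") * 5 + der(0xA3, der(0x30, exts))  # serial, 5 empty SEQs, [3]
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

For a PEM file, `ssl.PEM_cert_to_DER_cert` from the standard library produces the DER input; on the server itself, `certutil -L -d /etc/httpd/alias -n <nickname>` prints the same Key Usage and Extended Key Usage fields for whichever nickname nss.conf points at.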
