[Freeipa-users] The 3rd party cert for IPA Web GUI

Petr Vobornik pvoborni at redhat.com
Fri Aug 26 11:36:01 UTC 2016


On 08/23/2016 10:25 PM, Z D wrote:
> Hi there, is it possible to have a cert (say from VeriSign) for an IPA host and
> use it for httpd (Web GUI), without breaking anything else? I've acquired one
> and added it to nssdb (/etc/httpd/alias).
> 
> 
> # certutil -L -d /etc/httpd/alias
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> COMP.COM IPA CA                                         CT,C,C
> Signing-Cert                                                 u,u,u
> CA-LDAP01-CHAINED                                            u,u,u
> Comp SSL CA - G2 - VeriSign, Inc.                          ,,
> 
> 
> It's now used in /etc/httpd/conf.d/nss.conf and the cert looks good via a 
> browser. But it's breaking something, since I see this:
> 
> # ipa user-show admin
> ipa: ERROR: cert validation failed for 
> "CN=ca-ldap01.comp.com,OU=Corp,O=Corporation,L=City,ST=California,C=US" 
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
> trusted by the user.)
> ipa: ERROR: cannot connect to 'https://ca-ldap01.comp.com/ipa/json': 
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
> trusted by the user.
> 
> 
> Adding this cert to /etc/dirsrv/slapd-CORP-COM/ nssdb didn't resolve the issue. 
> Thanks for any advice.
> 
> Zarko

The recommended procedure is to use the ipa-server-certinstall utility:
  https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

But in recent versions of Fedora and RHEL it still suffers from
https://bugzilla.redhat.com/show_bug.cgi?id=1360813 The bugzilla nicely
outlines the necessary manual workarounds.



-- 
Petr Vobornik
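Editor's added example (not code from the thread or from the FreeIPA project). The failure in the question is a client-side trust decision: the ipa CLI validates https://ca-ldap01.comp.com against the trust store an enrolled client carries (the IPA CA in /etc/ipa/ca.crt), so adding the VeriSign issuer to the server's own /etc/httpd/alias or dirsrv NSS database cannot make the CLI trust it. The script below reproduces that state offline with openssl: it builds a throwaway "IPA CA", a throwaway "third-party CA" and a server certificate for ca-ldap01.comp.com issued by the latter (all constructed test material, not real VeriSign or IPA certificates), shows that the server cert fails verification against a store holding only the IPA CA, then shows it passing once the third-party chain is added to that store. The function names chain_trusted and add_to_store are this example's own.

```shell
#!/bin/sh
# Added example: reproduce SEC_ERROR_UNTRUSTED_ISSUER offline with openssl and
# show the trust-store change that resolves it. Every key and certificate here
# is constructed throwaway test material.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the IPA CA that every enrolled client already trusts
# (the issuer that lives in /etc/ipa/ca.crt on clients).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=COMP.COM IPA CA" \
    -keyout "$WORK/ipa-ca.key" -out "$WORK/ipa-ca.pem" >/dev/null 2>&1

# Stand-in for the third-party issuing CA (the VeriSign intermediate in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Third-Party Issuing CA" \
    -keyout "$WORK/thirdparty-ca.key" -out "$WORK/thirdparty-ca.pem" >/dev/null 2>&1

# HTTP server certificate for the IPA host, issued by the third-party CA:
# the same shape of cert that was loaded into /etc/httpd/alias.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ca-ldap01.comp.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/thirdparty-ca.pem" -CAkey "$WORK/thirdparty-ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1

# chain_trusted STORE CERT: succeeds only if CERT chains to a CA in STORE.
# This is the decision the ipa CLI makes against the client trust store
# before it will talk to https://<host>/ipa/json.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# add_to_store STORE CHAINFILE: append a CA chain (PEM) to a PEM trust store.
add_to_store() {
    cat "$2" >> "$1"
}

# The client trust store as enrolled: only the IPA CA. The server's NSS
# database (/etc/httpd/alias) plays no part; the client decides trust.
cp "$WORK/ipa-ca.pem" "$WORK/client-store.pem"

if chain_trusted "$WORK/client-store.pem" "$WORK/server.pem"; then
    BEFORE=trusted
else
    BEFORE=untrusted      # the state behind SEC_ERROR_UNTRUSTED_ISSUER
fi

# The fix: the third-party chain must reach the trust store clients use.
add_to_store "$WORK/client-store.pem" "$WORK/thirdparty-ca.pem"

if chain_trusted "$WORK/client-store.pem" "$WORK/server.pem"; then
    AFTER=trusted         # what publishing the chain via IPA achieves
else
    AFTER=untrusted
fi

echo "server cert vs client trust store: before=$BEFORE after=$AFTER"
```

On a real deployment the store is not a PEM file you append to by hand: the chain has to be published through IPA so that every client picks it up. From memory of the wiki page linked above (confirm option names with `--help` on your version before relying on them), the sequence is `ipa-cacert-manage install` for the third-party CA chain, `ipa-certupdate` on the server and on each enrolled client to refresh their trust stores, and only then `ipa-server-certinstall` for the HTTP and/or LDAP certificate. Doing the last step first is exactly how the CLI ends up refusing its own server.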



