[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Rob Crittenden
rcritten at redhat.com
Wed Jun 1 13:54:58 UTC 2016
Günther J. Niederwimmer wrote:
> Hello,
>
> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello
>>> I found any Help for the IPA Certificate but I found no way to import the
>>> IPA CA ?
>>> I would like to create a webserver with an owncloud virtualhost and others.
>>>
>>> But it is for me not possible to create the /etc/httpd/alias correct ?
>>>
>>> I found this in IPA DOCS
>>>
>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
>>> format?
>>>
>>> Does anyone have a link to a working example?
>>
>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>> clients so the documentation is written from that perspective.
> Yes.
>
>> You can grab a copy from any enrolled system, including an IPA Master.
>> Otherwise the command looks ok assuming you were sitting in
>> /etc/httpd/alias when the command was executed (-d .).
>
> Yes ;-).
> but certutil says the certificate has the wrong format

$ mkdir /tmp/testdb && cd /tmp/testdb
$ certutil -N -d .
$ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,,

I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
can use openssl for that:

$ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt

> Something is wrong on my system !!
>
> For me it is not possible to have a working webserver (apache) with mod_NSS
> on an enrolled ipa-client.
>
> In the last tests apache says it is the wrong "passwd" for the DB and doesn't
> start?
>
> So now I start again with a new clean /etc/httpd/alias

Not knowing how you created the database or what your nss.conf looks
like it's hard to say what is going on. If you set an NSS database
password then you need to tell mod_nss about it.

Typically you'd set this in nss.conf:

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"

and create /etc/httpd/conf/password.conf with contents like:

internal:SecretPassword123

Ensure that the file is owned by apache:apache and mode 0400.

rob
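
Added example, not part of the original message: a shell check that an nss.conf actually points mod_nss at a password file and that the file has the ownership, mode and "internal:" entry described above. The function name check_nss_passfile is hypothetical and the script assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU stat (Linux).
# Usage: check_nss_passfile NSS_CONF [OWNER]   (OWNER defaults to apache:apache)
check_nss_passfile() {
    conf=$1
    want_owner=${2:-apache:apache}
    rc=0

    # Extract the path from: NSSPassPhraseDialog "file:/path" (quotes optional).
    pass_file=$(sed -n \
        's/^[[:space:]]*NSSPassPhraseDialog[[:space:]][[:space:]]*"\{0,1\}file:\([^"[:space:]]*\).*$/\1/p' \
        "$conf" | tail -n 1)
    if [ -z "$pass_file" ]; then
        echo "FAIL: no 'NSSPassPhraseDialog file:' directive in $conf"
        return 1
    fi
    if [ ! -f "$pass_file" ]; then
        echo "FAIL: $pass_file does not exist"
        return 1
    fi

    # The file holds the database password in clear text: owner read-only.
    mode=$(stat -c '%a' "$pass_file")
    owner=$(stat -c '%U:%G' "$pass_file")
    if [ "$mode" != "400" ]; then
        echo "FAIL: $pass_file has mode $mode, expected 400"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $pass_file is owned by $owner, expected $want_owner"
        rc=1
    fi

    # mod_nss looks up the password by token name; the message uses 'internal'.
    if ! grep -q '^internal:.' "$pass_file" 2>/dev/null; then
        echo "FAIL: $pass_file has no non-empty 'internal:' entry"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $pass_file is referenced by $conf and locked down"
    fi
    return "$rc"
}

# Run the check only when a configuration path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_nss_passfile "$@"
fi
```

Pass the path of your nss.conf as the first argument; a non-zero exit status means at least one of the checks failed.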