[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

Rob Crittenden rcritten at redhat.com
Wed Jun 1 13:54:58 UTC 2016 

Günther J. Niederwimmer wrote:
> Hello,
>
> Am Dienstag, 31. Mai 2016, 11:06:09 CEST schrieb Rob Crittenden:
>> Günther J. Niederwimmer wrote:
>>> Hello
>>> I found any Help for the IPA Certificate but I found no way to import the
>>> IPA CA ?
>>> I like to create a webserver with a owncloud virtualhost and other..
>>>
>>> But it is for me not possible to create the /etc/httpd/alias correct ?
>>>
>>> I found this in IPA DOCS
>>>
>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>> but with this command line I have a Error /etc/ipa/ca.crt have wrong
>>> format ?
>>>
>>> Have any a link with a working example
>>
>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>> clients so the documentation is written from that perspective.
> Yes.
>
>> You can grab a copy from any enrolled system, including an IPA Master.
>> Otherwise the command looks ok assuming you were sitting in
>> /etc/httpd/alias when the command was executed (-d .).
>
> Yes ;-).
> but certutil mean it is a wrong format from the Certificate

$ mkdir /tmp/testdb && cd /tmp/testdb
$ certutil -N -d .
$ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
$ certutil -L -d .

Certificate Nickname                                         Trust 
Attributes
 
SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,,

I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You 
can use openssl for that:

$ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt

> Something is wrong on my system !!
>
> for me it is not possible to have on a enrolled ipa-client a working webserver
> (apache) with mod_NSS
>
> The last Tests apache mean it is the wrong "passwd" for the DB and don't
> start?
>
> So now I start again with a new clean /etc/httpd/alias

Not knowing how you created the database or what your nss.conf looks 
like it's hard to say what is going on. If you set a NSS database 
password then you need to tell mod_nss about it.

Typically you'd set this in nss.conf:

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"

and create /etc/httpd/conf/password.conf with contents like:

internal:SecretPassword123

Ensure that the file is owned by apache:apache and mode 0400.

rob

More information about the Freeipa-users mailing list