[Freeipa-users] Unable to access to web ui

Rob Crittenden rcritten at redhat.com
Fri Jun 3 17:09:10 UTC 2016


seli irithyl wrote:
> Yes, you're right, I was also surprised by the subject of the error.
> I made changes in the /etc/httpd/conf.d/nss.conf file.
> I changed
> Listen 443 to Listen 8443
> and
> <VirtualHost _default_:443> to <VirtualHost _default_:8443>
> as it was in the /etc/httpd/conf.d/nss.conf file before the update.

You have to change it back. mod_nss must listen on 443.

rob

>
> On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     seli irithyl wrote:
>
>         # getcert list
>         returns 9 request IDs. All 9 are in status "MONITORING" and expire after 2017.
>         So no expired certificate.
>
>         Number of certificates and requests being tracked: 9.
>
>     [snip]
>
>         Request ID '20150313092456':
>               status: MONITORING
>               stuck: no
>               key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>               certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>               CA: IPA
>               issuer: CN=Certificate Authority,O=BIOINF.LOCAL
>               subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
>               expires: 2017-03-13 09:24:56 UTC
>               key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>               eku: id-kp-serverAuth,id-kp-clientAuth
>               pre-save command:
>               post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>               track: yes
>               auto-renew: yes
>
>
>     [ more snip ]
>
>              > Unfortunately when trying to run any ipa command:
>              > [root at lead ~]# ipa service-find lead.bioinf.local
>              > ipa: ERROR: cert validation failed for "E=root at lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--"
>              > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
>              > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json':
>              > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
>
>
>     Note that the subject of the certmonger-tracked certificate is
>     different from the subject reported in the error. This looks like a
>     default mod_ssl-generated certificate to me. Did you tweak your
>     Apache config?
>
>     rob
>
>
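
The diagnosis in this thread rests on two checks: the subject named in the ipa error is not the one certmonger tracks for /etc/httpd/alias, and nss.conf no longer listens on 443. The Python sketch below automates both; it is an added example, not part of the original thread or of FreeIPA, and its function names and embedded sample inputs are constructed from the output quoted above.

```python
import re

# Constructed samples, modelled on the output quoted in the thread.
GETCERT = """Request ID '20150313092456':
      status: MONITORING
      certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
      subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
"""
IPA_ERROR = ('ipa: ERROR: cert validation failed for "E=root@lead.bioinf.local,'
             'CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,'
             'L=SomeCity,ST=SomeState,C=--" '
             '((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)')
NSS_CONF = "Listen 8443\n<VirtualHost _default_:8443>\n</VirtualHost>\n"

def parse_dn(dn):
    """DN string -> set of (attr, value); escaped commas are not handled."""
    return {tuple(p.strip().split("=", 1)) for p in dn.split(",") if "=" in p}

def tracked_subjects(getcert_output, location="/etc/httpd/alias"):
    """Subjects of certmonger requests whose certificate is stored in `location`."""
    found = []
    for block in re.split(r"(?m)^Request ID ", getcert_output)[1:]:
        m = re.search(r"(?m)^\s*subject:\s*(.+)$", block)
        if m and f"location='{location}'" in block:
            found.append(m.group(1).strip())
    return found

def presented_subject(ipa_error):
    """Subject of the certificate the server presented, taken from the ipa error."""
    m = re.search(r'cert validation failed for\s+"([^"]+)"', ipa_error)
    return m.group(1) if m else None

def listen_ports(nss_conf):
    """Ports named in Listen and <VirtualHost host:port> lines; comments never match."""
    pat = re.compile(r"(?:Listen\s+(?:\S+:)?|<VirtualHost\s+\S+:)(\d+)", re.I)
    hits = (pat.match(line.strip()) for line in nss_conf.splitlines())
    return {int(m.group(1)) for m in hits if m}

def diagnose(getcert_output, ipa_error, nss_conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    seen = presented_subject(ipa_error)
    tracked = [parse_dn(s) for s in tracked_subjects(getcert_output)]
    if seen and parse_dn(seen) not in tracked:
        findings.append("presented subject is not the certmonger-tracked one")
    if 443 not in listen_ports(nss_conf):
        findings.append("nss.conf does not listen on 443")
    return findings

if __name__ == "__main__":
    print(diagnose(GETCERT, IPA_ERROR, NSS_CONF))
```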



