[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Günther J. Niederwimmer
gjn at gjn.priv.at
Sun Jun 19 10:30:32 UTC 2016
Hello Rob,
On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello,
> >
> > On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> >> Günther J. Niederwimmer wrote:
> >>> Hello
> >>> I found any Help for the IPA Certificate but I found no way to import
> >>> the IPA CA ?
> >>> I would like to create a web server with an ownCloud virtual host and others.
> >>>
> >>> But it is not possible for me to create /etc/httpd/alias correctly?
> >>>
> >>> I found this in IPA DOCS
> >>>
> >>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >>>
> >>> but with this command line I get an error: /etc/ipa/ca.crt has the
> >>> wrong format?
> >>>
> >>> Does anyone have a link to a working example?
> >>
> >> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> >> clients so the documentation is written from that perspective.
> >
> > Yes.
> >
> >> You can grab a copy from any enrolled system, including an IPA Master.
> >> Otherwise the command looks ok assuming you were sitting in
> >> /etc/httpd/alias when the command was executed (-d .).
> >
> > Yes ;-).
> > but certutil says the certificate has the wrong format
>
> $ mkdir /tmp/testdb && cd /tmp/testdb
> $ certutil -N -d .
> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
On my system I get this message after installing ca.crt:
p11-kit: objects of this type cannot be created ?
Is this correct?
Another question: do I have to change the attribute (?), IPA-server creates /
imports this ca.crt with -t "CT,C,C"
> $ certutil -L -d .
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                            CT,,
>
> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> can use openssl for that:
>
> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>
> > Something is wrong on my system !!
> >
> > for me it is not possible to have a working webserver (apache) with
> > mod_NSS on an enrolled ipa-client
> >
> > In the last tests, apache says it is the wrong "passwd" for the DB and
> > doesn't start?
> >
> > So now I start again with a new clean /etc/httpd/alias
>
> Not knowing how you created the database or what your nss.conf looks
> like it's hard to say what is going on. If you set a NSS database
> password then you need to tell mod_nss about it.
>
> Typically you'd set this in nss.conf:
>
> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>
> and create /etc/httpd/conf/password.conf with contents like:
>
> internal:SecretPassword123
>
> Ensure that the file is owned by apache:apache and mode 0400.
This is the best INFO for this file ;-)
Thanks
--
Best regards,
Günther J. Niederwimmer
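
The pass-phrase file setup described in the thread (NSSPassPhraseDialog "file:..." in nss.conf, a password file containing internal:<password>, owned by apache:apache, mode 0400) can be checked with a short script. This is an added example, not part of the original messages or of FreeIPA/mod_nss; the function names are made up for illustration and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the mod_nss pass-phrase file wiring from the thread.
# Assumes GNU coreutils stat (-c). Function names are hypothetical.

# Print the path named by an active NSSPassPhraseDialog "file:..." line.
# Commented-out directives are ignored; only the first match is printed.
passfile_from_conf() {
    sed -n 's/^[[:space:]]*NSSPassPhraseDialog[[:space:]]\{1,\}"\{0,1\}file:\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# audit_passfile FILE OWNER:GROUP
# Returns 0 only if FILE exists, has mode 400, has the expected owner and
# group, and holds an entry for the "internal" token (the NSS database).
# Returns 2 if the file is missing, 1 for any other finding.
audit_passfile() {
    file=$1
    want_owner=$2
    rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U:%G' "$file")
    [ "$mode" = "400" ] || { echo "$file: mode is $mode, expected 400"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$file: owner is $owner, expected $want_owner"; rc=1; }
    grep -q '^internal:.' "$file" || { echo "$file: no internal:<password> entry"; rc=1; }
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/nss.conf apache:apache
if [ "$#" -ge 2 ]; then
    pf=$(passfile_from_conf "$1")
    if [ -z "$pf" ]; then
        echo "$1: no NSSPassPhraseDialog file: directive found"
        exit 1
    fi
    audit_passfile "$pf" "$2"
    exit $?
fi
```

A password file that is group- or world-readable exposes the NSS database password to every local account, which is why the mode check is treated as a failure rather than a warning.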