[Freeipa-users] 3rd Party http certs breaking Apache

Rob Crittenden rcritten at redhat.com
Wed Oct 12 17:57:16 UTC 2016


Joshua Ruybal wrote:
> Hi,
>
> I'm trying to add 3rd party certs for the webgui and ldap as documented
> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I'm able to add the CA cert.
>
> Then add the chained cert and key via ipa-server-certinstall tool.
> However when I try to restart httpd, it fails and I get the following
> error in the logs.
>
>
> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
> (ipa-test.example.com:443) You
> configured HTTP(80) on the standard HTTPS(443) port!
> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
> -8102 Certificate key usage inadequate for attempted operation.
> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
> so the server can start until the problem can be resolved.
>
>
> I've looked into the key, but everything seems to work as expected.
>
> Has anyone seen this before?
>
> Environment:
> IPA VERSION: 4.2.0, API_VERSION: 2.156
> CentOS 7.2

You set NSSNickname to Signing-Cert? What is the nickname of the cert 
you imported?

# certutil -L -d /etc/httpd/alias

rob
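The check Rob asks for above, that the NSSNickname configured for mod_nss actually names a certificate (with its private key) present in the NSS database, as an added example that is not part of this thread or of FreeIPA. It parses the text of nss.conf and the output of `certutil -L -d /etc/httpd/alias`, both passed in as strings so it runs offline; the sample inputs are constructed, and the nicknames in them are assumptions.

```python
"""Compare the mod_nss NSSNickname directive against the NSS certificate database.

Added example (not from the mailing-list thread or the FreeIPA project). Inputs are
the raw text of nss.conf and the raw output of `certutil -L`, so the check can be run
against captured files. The two sample inputs below are constructed for illustration.
"""
import re

# Constructed nss.conf fragment: points mod_nss at a nickname that may not exist.
SAMPLE_NSS_CONF = """\
<VirtualHost _default_:443>
NSSEngine on
NSSNickname Signing-Cert
NSSCertificateDatabase /etc/httpd/alias
</VirtualHost>
"""

# Constructed `certutil -L -d /etc/httpd/alias` output (nicknames are assumptions).
SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
"""


def configured_nickname(nss_conf_text):
    """Return the value of the first uncommented NSSNickname directive, or None."""
    for line in nss_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = re.match(r"NSSNickname\s+(.+?)\s*$", stripped)
        if m:
            return m.group(1)
    return None


def database_nicknames(certutil_output):
    """Parse `certutil -L` output into {nickname: trust_flags}.

    Nicknames may contain single spaces; the trust column is separated from the
    nickname by a run of two or more spaces and consists only of trust letters.
    """
    result = {}
    for line in certutil_output.splitlines():
        m = re.match(r"^(.*?)\s{2,}([CTcPpu,]+)\s*$", line)
        if m:
            result[m.group(1).strip()] = m.group(2)
    return result


def check_nickname(nss_conf_text, certutil_output):
    """Return (nickname, status).

    status is one of:
      'unset'   - nss.conf has no NSSNickname directive
      'missing' - the nickname is not in the database (mod_nss cannot load it)
      'no_key'  - the cert is present but the SSL trust column lacks 'u', i.e. no
                  private key is stored with it, so it cannot serve TLS
      'ok'      - a certificate with a private key exists under that nickname
    """
    nick = configured_nickname(nss_conf_text)
    if nick is None:
        return None, "unset"
    db = database_nicknames(certutil_output)
    if nick not in db:
        return nick, "missing"
    ssl_flags = db[nick].split(",")[0]
    if "u" not in ssl_flags:
        return nick, "no_key"
    return nick, "ok"


if __name__ == "__main__":
    print(check_nickname(SAMPLE_NSS_CONF, SAMPLE_CERTUTIL_L))
```

With the constructed inputs the result is `('Signing-Cert', 'missing')`, which is the situation Rob's question points at: nss.conf names a certificate that was not imported under that nickname. Even when the nickname exists, the `-8102` error in the original post indicates the certificate found under it does not carry a key usage suitable for a TLS server, so after confirming the nickname the next thing to inspect is that certificate's key usage extensions.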



