[Freeipa-users] 3rd Party http certs breaking Apache

Joshua Ruybal jruybal at owneriq.com
Wed Oct 12 18:42:54 UTC 2016


Can confirm nss.conf has NSSNickname set to Signing-Cert.

I set the nickname of the Root CA issuing the 3rd party Certs to
"LetsEncrypt_X1"

On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden <rcritten at redhat.com>
wrote:

> Joshua Ruybal wrote:
>
>> Hi,
>>
>> I'm trying to add 3rd party certs for the webgui and ldap as documented
>> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> I'm able to add the CA cert.
>>
>> Then add the chained cert and key via ipa-server-certinstall tool.
>> However when I try to restart httpd, it fails and I get the following
>> error in the logs.
>>
>>
>> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
>> (ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
>> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
>> -8102 Certificate key usage inadequate for attempted operation.
>> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
>> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
>> so the server can start until the problem can be resolved.
>>
>>
>> I've looked into the key, but everything seems to work as expected.
>>
>> Has anyone seen this before?
>>
>> Environment:
>> IPA VERSION: 4.2.0, API_VERSION: 2.156
>> CentOS 7.2
>>
>
> You set NSSNickname to Signing-Cert? What is the nickname of the cert you
> imported?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>
>


-- 
*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823 c: (206) 724-4549
e: jruybal at owneriq.com
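The thread turns on two questions Rob raises: does the nickname in nss.conf actually name the certificate that was imported, and does that certificate carry key usage suitable for a TLS server (NSS error -8102 is "Certificate key usage inadequate for attempted operation")? The following script is an added example, not code from the thread or from FreeIPA: it reads `NSSNickname` out of an nss.conf excerpt and checks the Key Usage / Extended Key Usage sections of `certutil -L -d /etc/httpd/alias -n <nick>` output against what a server certificate needs. The nss.conf text and the certutil dumps are constructed samples; the dump layout follows certutil's pretty-printer as assumed here, and a deployment would feed in the real command output instead.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of /etc/httpd/conf.d/nss.conf (sample, not from the thread).
NSS_CONF = """
NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Signing-Cert
NSSEnforceValidCerts on
"""

# Constructed, abbreviated `certutil -L -d /etc/httpd/alias -n <nick>` output for
# two nicknames. The layout mimics certutil's pretty-printer (an assumption);
# the usages shown are made up for this example.
CERT_DUMPS: Dict[str, str] = {
    "Signing-Cert": """
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing

            Name: Extended Key Usage
                Code Signing Certificate
""",
    "Server-Cert": """
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
""",
}

# Key usages a TLS server key exchange can rely on (RSA or ECDHE server certs).
SERVER_KEY_USAGES = {"Digital Signature", "Key Encipherment", "Key Agreement"}
SERVER_EKU = "TLS Web Server Authentication Certificate"


def nickname_from_nss_conf(conf: str) -> Optional[str]:
    """Return the NSSNickname value, ignoring commented-out lines."""
    for line in conf.splitlines():
        m = re.match(r"^\s*NSSNickname\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def parse_extensions(dump: str) -> Dict[str, List[str]]:
    """Collect Key Usage and Extended Key Usage entries from a certutil dump."""
    usages: List[str] = []
    eku: List[str] = []
    section = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            section = None          # blank line ends an extension block
            continue
        if line.startswith("Name:"):
            section = line.split(":", 1)[1].strip()
            continue
        if section == "Certificate Key Usage":
            if line.startswith("Critical:"):
                continue
            usages.append(line.replace("Usages:", "", 1).strip())
        elif section == "Extended Key Usage":
            eku.append(line)
    return {"key_usage": usages, "eku": eku}


def check_server_cert(nickname: Optional[str], dumps: Dict[str, str]) -> Tuple[bool, str]:
    """Explain whether `nickname` is usable as mod_nss's server certificate."""
    if nickname is None or nickname not in dumps:
        return (False, f"nickname {nickname!r} not found in the NSS database")
    ext = parse_extensions(dumps[nickname])
    ku = set(ext["key_usage"])
    if ku and not (ku & SERVER_KEY_USAGES):
        return (False, f"{nickname!r}: key usage {sorted(ku)} lacks a TLS-server usage")
    if ext["eku"] and SERVER_EKU not in ext["eku"]:
        return (False, f"{nickname!r}: extended key usage {ext['eku']} does not permit TLS server auth")
    return (True, f"{nickname!r} is usable as a TLS server certificate")


if __name__ == "__main__":
    configured = nickname_from_nss_conf(NSS_CONF)
    for nick in (configured, "Server-Cert"):
        ok, why = check_server_cert(nick, CERT_DUMPS)
        print("OK  " if ok else "FAIL", why)
```

Running it with the constructed data reports that `Signing-Cert` (the nickname configured in the sample nss.conf) fails on extended key usage while `Server-Cert` passes, which is the kind of mismatch to rule out before reaching for `NSSEnforceValidCerts off`.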