[Freeipa-users] 3rd party Cert install now IPA total broken
Günther J. Niederwimmer
gjn at gjn.priv.at
Fri Sep 16 13:06:16 UTC 2016
Hello,
Freeipa 4.3.1
I have now installed a 3rd party certificate from Startcom and now my IPA is totally broken?
I did this:

    ipa-cacert-manage -p 'xxxxxxxxxxxxxxxx' -n STARTCOM-ROOT -t C,, install root.crt
    ipa-certupdate
    ipa-server-certinstall -w -d ipa_3rd_ca.p12
I created this p12 from key.pem, cert.pem and root.crt.
I also inserted the intermediate.crt into cert.pem.
Kerberos doesn't start anymore?
The error is:

    Unspecified GSS failure.  Minor (2529639068): Cannot contact any KDC for realm '4GJN.COM'
After inserting "NSSEnforceValidCerts off" in nss.conf, ipactl restart is starting (?) but
ipactl status tells me:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
With certutil -d /etc/httpd/alias -L I now have this:

    Certificate Nickname                          Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

    Signing-Cert                                  u,u,u
    4GJN_CA_FILE                                  u,u,u
    ipaCert                                       u,u,u
    4GJN.COM IPA CA                               CT,C,C
    STARTCOM-ROOT                                 C,,
In nss.conf I can put either the original

    #NSSNickname "Signing-Cert"

or

    NSSNickname 4GJN_CA_FILE

but everything is now broken?
I also added this, found in Bugzilla:

    certutil -d /var/lib/pki/pki-tomcat/alias -L

    Certificate Nickname                          Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

    ocspSigningCert cert-pki-ca                   u,u,u
    subsystemCert cert-pki-ca                     u,u,u
    caSigningCert cert-pki-ca                     CTu,Cu,Cu
    Server-Cert cert-pki-ca                       u,u,u
    auditSigningCert cert-pki-ca                  u,u,Pu
    STARTCOM-ROOT                                 CT,,
This is what is created in the

    certutil -d /etc/dirsrv/slapd-4GJN.COM -L

    Certificate Nickname                          Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

    4GJN_CA_FILE                                  u,u,u
    4GJN.COM IPA CA                               CT,C,C
    STARTCOM-ROOT                                 C,,
Can anyone help a little, please ;-)
The bad problem is that I tested this on my master server with DNS / DNSSEC, so I can't do a
new install (DNSSEC keys).
--
with kind regards / best regards,
Günther J. Niederwimmer
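The trust columns in the certutil listings above are the key to this kind of breakage: a nickname named in nss.conf must point at a certificate that actually carries a private key ("u" in the SSL column), and the third-party root must be trusted as a CA ("C") in every database that has to validate the chain. The following is an added example written for this thread, not code from the mail or from FreeIPA/mod_nss. It parses a `certutil -L` listing (the sample is constructed from the /etc/httpd/alias output quoted above), decodes the trust flags per certutil(1), and cross-checks the active `NSSNickname` against the database. It also flags `NSSEnforceValidCerts off`, because that directive only hides the validation failure that the missing or untrusted chain causes; the nss.conf excerpt is likewise constructed.

```python
"""Decode and sanity-check `certutil -d <nssdb> -L` output against nss.conf.

Added example, not code from the original mail or from FreeIPA/mod_nss.
The listing and the nss.conf excerpt are constructed from what the mail
quotes; flag meanings follow the "-t trustargs" section of certutil(1).
"""
import re

# Constructed sample: the /etc/httpd/alias listing quoted in the mail.
HTTPD_ALIAS_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Signing-Cert                                  u,u,u
4GJN_CA_FILE                                  u,u,u
ipaCert                                       u,u,u
4GJN.COM IPA CA                               CT,C,C
STARTCOM-ROOT                                 C,,
"""

# Constructed nss.conf excerpt modelled on the two lines the mail mentions.
NSS_CONF_SAMPLE = """\
#NSSNickname "Signing-Cert"
NSSNickname 4GJN_CA_FILE
NSSEnforceValidCerts off
"""

USAGES = ("SSL", "S/MIME", "JAR/XPI")
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA",
    "T": "trusted CA to issue client certs",
    "u": "user certificate (private key present)",
}
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")
DIRECTIVE_RE = re.compile(
    r'^\s*(NSSNickname|NSSEnforceValidCerts)\s+(?:"([^"]*)"|(\S+))\s*$')


def parse_listing(text):
    """Return {nickname: (ssl, smime, jar) trust strings} from certutil -L output.

    Nicknames may contain spaces, so each line is split at its last run of
    whitespace and the tail must look like a trust string; the two header
    lines and blank lines therefore fall out naturally.
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].strip()] = tuple(parts[1].split(","))
    return certs


def decode_trust(trust):
    """Expand a trust string such as 'CT,C,C' into per-usage flag meanings."""
    return {usage: [FLAG_MEANING[f] for f in flags]
            for usage, flags in zip(USAGES, trust.split(","))}


def parse_nss_conf(text):
    """Return the values of the active (uncommented) directives we check."""
    directives = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented out, so not in effect
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def audit(listing, nss_conf):
    """Cross-check nss.conf against the NSS database; return a list of findings."""
    certs = parse_listing(listing)
    conf = parse_nss_conf(nss_conf)
    findings = []
    nick = conf.get("NSSNickname")
    if nick is None:
        findings.append("no active NSSNickname directive")
    elif nick not in certs:
        findings.append(f"NSSNickname {nick!r} is not in the NSS database")
    elif "u" not in certs[nick][0]:
        # A CA or peer entry without a key cannot be served by mod_nss.
        findings.append(f"{nick!r} has no private key for SSL (flags {certs[nick][0]!r})")
    if conf.get("NSSEnforceValidCerts", "on").lower() == "off":
        findings.append("NSSEnforceValidCerts off: server cert validation disabled; "
                        "repair the chain instead of keeping this")
    if not any("C" in ssl for ssl, _, _ in certs.values()):
        findings.append("no CA in the database is trusted for SSL ('C' flag)")
    return findings


if __name__ == "__main__":
    for nick, trust in parse_listing(HTTPD_ALIAS_LISTING).items():
        print(f"{nick}: {decode_trust(','.join(trust))}")
    for finding in audit(HTTPD_ALIAS_LISTING, NSS_CONF_SAMPLE):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the disabled validation: the active `NSSNickname 4GJN_CA_FILE` does resolve to a `u,u,u` entry, so if the service still fails the problem is in the chain the server presents (intermediate and root trust in the other databases), not in the nickname. To check a live host, replace the constructed strings with the real `certutil -d /etc/httpd/alias -L` output and the real nss.conf.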