Benjamin Reed wrote:
> On 12/23/11 12:02 PM, Simo Sorce wrote:
>> One thing you can test is if the ca.crt exposed via http is the same
>> that is stored on the server in /etc/ipa/ca.crt
>
> They are identical. I did find that the errors file is complaining about
> this:
>
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher AES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_unwrap_key: failed to
> unwrap key for cipher 3DES
> [22/Dec/2011:21:31:15 -0600] attrcrypt - attrcrypt_cipher_init:
> symmetric key failed to unwrap with the private key; Cert might have
> been renewed since the key is wrapped. To recover the encrypted
> contents, keep the wrapped symmetric key value.
> [22/Dec/2011:21:31:16 -0600] attrcrypt - All prepared ciphers are not
> available. Please disable attribute encryption.

These are not related. IIRC 389-ds generates symmetric keys
automatically when it is first started and if you've replaced your NSS
cert db in the meantime those keys are not available. This would only be
a problem if you decided to use per-attribute encryption at some future
point.
You might want to try pulling the CA out of the DS instance and
comparing that to what is being served up by the HTTP server:
To get the list of certs:

    certutil -L -d /etc/dirsrv/slapd-INSTANCE

And this to get a specific cert:

    certutil -L -n 'some nickname' -d /etc/dirsrv/slapd-INSTANCE -a > /tmp/dsca.crt

The error here is that the client doesn't trust the certificate that
389-ds is using.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
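The comparison Simo and Rob suggest (is the CA served over HTTP the same certificate as /etc/ipa/ca.crt and the one exported from the 389-ds NSS database?) is more reliable done on DER fingerprints than with diff on the PEM text, since line wrapping differs between tools and `certutil -a` may emit several certificates. The script below is an added example, not code from the thread or from FreeIPA; the sample PEM inputs are constructed (fake DER payloads, not real X.509), and the URL path /ipa/config/ca.crt in the usage comment is an assumption about where the IPA web server publishes the CA.

```python
import base64
import hashlib
import re
import sys
import textwrap
import urllib.request

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_blobs(pem_text: str) -> list[bytes]:
    """DER bytes of every CERTIFICATE block in a PEM file (certutil -a may emit several)."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(pem_text)]

def fingerprints(pem_text: str, algo: str = "sha256") -> list[str]:
    """Hex digest of each DER blob: the fingerprint certutil/openssl show, without colons."""
    return [hashlib.new(algo, der).hexdigest() for der in der_blobs(pem_text)]

def same_ca(pem_a: str, pem_b: str) -> bool:
    """True when both inputs hold the same non-empty set of certs, whatever the text layout."""
    fa, fb = set(fingerprints(pem_a)), set(fingerprints(pem_b))
    return bool(fa) and fa == fb

def load(source: str) -> str:
    """Read a PEM from a local path or an http(s) URL; the HTTP copy is only compared, never trusted."""
    if source.startswith(("http://", "https://")):
        with urllib.request.urlopen(source, timeout=10) as resp:
            return resp.read().decode()
    with open(source, encoding="ascii") as fh:
        return fh.read()

def _pem(der: bytes, width: int) -> str:
    """Constructed sample PEM: wrap a fake (non-X.509) DER payload at the given line width."""
    body = textwrap.fill(base64.b64encode(der).decode(), width)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed inputs for a stand-alone run: same payload wrapped at 64 vs. one line, plus a different one.
SAMPLE_WRAPPED = _pem(bytes(range(96)), 64)
SAMPLE_ONELINE = _pem(bytes(range(96)), 200)
SAMPLE_OTHER = _pem(bytes(range(1, 97)), 64)

if __name__ == "__main__":
    # e.g. /etc/ipa/ca.crt /tmp/dsca.crt http://ipa.example.com/ipa/config/ca.crt (URL path assumed)
    sources = sys.argv[1:]
    pems = [load(s) for s in sources]
    for src, pem in zip(sources, pems):
        print(src, *fingerprints(pem))
    if pems:
        print("MATCH" if all(same_ca(pems[0], p) for p in pems[1:]) else "MISMATCH")
```

A MISMATCH between the DS export and the HTTP copy points at the trust problem Rob describes; a match means the client-side trust store, not the served CA, needs a closer look.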