[email protected] wrote:
> I found the cause and removed the error. ... I used the bundle cert to
> make the p12 file by the official guide ... bundle cert can use only, even I
> download another root CA cert of GoDaddy it fails, says something like local
> chain error,
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> Anyway it really enters 3 entries: a root CA, a sign CA, a server cert
> ... BUT actually the signer CA is not present, it is actually the intermediate cert.
> I added it again by certutil, then the error was gone ... but still keeping the
> 3 entries row ... no idea if it is the cert issue or not.
> BTW I have another issue on the web UI, when browsing the service tag. I tried
> to add back all of the original IPA CA cert but it doesn't help, even remove ... any
> idea
> ..???
>
> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.    ,,
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.     CT,C,C
> Server-Cert                                                            ,,
> *.abc.com - GoDaddy.com, Inc.                                          u,u,u
> ABC.COM IPA CA                                                         CT,C,C
> ipaCert                                                                ,,

It is a different error, unrelated to trust. It looks like you don't have the private keys for Server-Cert and ipaCert. For Server-Cert it doesn't really matter since you're using your own, but ipaCert is required. I don't know if this is the cause of the error or something else.

Hopefully you have a backup of the Apache database somewhere. You can use pk12util to export ipaCert out of that and import it into the current database.

rob

> Regards
>
> 2014-03-31 22:39 GMT+08:00 <[email protected]>:
>
> > There are already GoDaddy class and class 2 cert in it, I wonder why
> > the error still comes
> >
> > On 2014/3/31 10:37 PM, "Rob Crittenden" <[email protected]> wrote:
> >
> > > [email protected] wrote:
> > > > I follow the manual, using ipa cert install
> > > >
> > > > It will auto remove ipa cert after u insert GoDaddy. Should I add them
> > > > back? No conflict?
> > >
> > > You only need to add in the CA. There will be no conflict.
> > >
> > > > 2) do u meant CA root cert of GoDaddy? I already try added any CA root cert
> > > > of GoDaddy, the error still comes out
> > >
> > > You need to add the CA that issued the wildcard cert they gave you.
> > > Typically there are one or more subordinate CAs that actually issue the
> > > certificates.
> > >
> > > rob
> > >
> > > > On 2014/3/31 10:08 PM, "Rob Crittenden" <[email protected]> wrote:
> > > >
> > > > > [email protected] wrote:
> > > > >
> > > > > > Dear all:
> > > > > > I have successful import certs to http and ldap but some issue
> > > > > > arise.
> > > > > > 1) when I click in service in the UI it still using OLD entries
> > > > > > of self sign cert and given out error ... pls see attachment.
> > > > > > How to reflect the GoDaddy cert there and it cannot be deleted?
> > > > >
> > > > > You're misreading this. The IPA CA is still installed and has issued
> > > > > some certificates to some service (and probably hosts). I'm guessing
> > > > > you removed the IPA CA certificate from /etc/httpd/alias. You need
> > > > > to add it back to let IPA talk to its CA again.
> > > > >
> > > > > > 2) when start up dirsrv it cause some warning out say:
> > > > > > Starting dirsrv:
> > > > > > ABS-COM...[31/Mar/2014:10:25:59 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.wisers.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
> > > > > > anywhere I should import again to skip the error and realize
> > > > > > the change, no prompt out errors?
> > > > >
> > > > > You need to add the GoDaddy CA cert chain to the 389-ds cert
> > > > > database in /etc/dirsrv/slapd-ABS-COM/
> > > > >
> > > > > rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
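
The diagnosis in the reply at the top of this thread can be read off the trust-attribute column of the quoted listing: NSS shows a `u` flag only when the database holds the private key for that certificate, and `Server-Cert` and `ipaCert` show `,,`. The following is an added example, not part of the thread and not FreeIPA code: shell functions that read a `certutil -L` listing and report required nicknames that have no key. The function names and the sample listing (built from the one quoted in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the thread's listing laid out as `certutil -L` prints it.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert                                                  ,,
*.abc.com - GoDaddy.com, Inc.                                u,u,u
ABC.COM IPA CA                                               CT,C,C
ipaCert                                                      ,,
EOF
}

# Reads a `certutil -L` listing on stdin, prints "nickname<TAB>status" per entry.
classify_nss_listing() {
    awk '{
        flags = $NF
        # Skip headers and blank lines: only SSL,S/MIME,JAR flag triples pass.
        if (flags !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/) next
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flags column
        sub(/^[ \t]+/, "", nick)
        split(flags, f, ",")                     # f[1] = SSL trust flags
        if (f[1] ~ /u/)         status = "has-private-key"
        else if (f[1] ~ /[CT]/) status = "trusted-ca"
        else                    status = "no-key-no-trust"
        printf "%s\t%s\n", nick, status
    }'
}

# Prints each required nickname that is absent or keyless; returns 1 if any.
missing_keys() {
    listing=$(classify_nss_listing)
    rc=0
    for nick in "$@"; do
        want=$(printf '%s\thas-private-key' "$nick")
        if ! printf '%s\n' "$listing" | grep -Fqx -- "$want"; then
            printf '%s\n' "$nick"
            rc=1
        fi
    done
    return $rc
}

# Demo: ipaCert is reported because its flags are ",,".
sample_listing | missing_keys ipaCert "*.abc.com - GoDaddy.com, Inc." \
    || echo "no private key in this database for the nickname(s) listed above" >&2
```

On a live server, pipe `certutil -L -d /etc/httpd/alias` into `missing_keys` instead of the sample; `certutil -K -d /etc/httpd/alias` lists the keys themselves as a cross-check.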
