Yes, you're right, I was also surprised by the subject of the error. I made changes in the /etc/httpd/conf.d/nss.conf file. I changed Listen 443 to Listen 8443 and <VirtualHost _default_:443> to <VirtualHost _default_:8443> as it was in the /etc/httpd/conf.d/nss.conf file before the update.
On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden <[email protected]> wrote:

> seli irithyl wrote:
>
>> # getcert list
>> returns 9 request ID. All 9 are in status "MONITORING" and expire after
>> 2017.
>> So no expired certificate.
>>
>> Number of certificates and requests being tracked: 9.
>>
> [snip]
>
>> Request ID '20150313092456':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=BIOINF.LOCAL
>> subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
>> expires: 2017-03-13 09:24:56 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>
> [ more snip ]
>
>> > Unfortunately when trying to run any ipa command:
>> > [root@lead ~]# ipa service-find lead.bioinf.local
>> > ipa: ERROR: cert validation failed for
>> > "[email protected]
>> ,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--"
>> > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
>> > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json':
>> > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
>> >
>
> Note that the subject of the certmonger-tracked certificate is different
> from the subject reported in the error. This looks like a default
> mod_ssl-generated certificate to me. Did you tweak your Apache config?
>
> rob
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
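Added example, not part of the original thread: one way to catch the mismatch pointed out above, by checking whether the subject the server presents matches any subject certmonger is tracking. The `getcert list` text and the served subject are constructed samples abbreviated from the output quoted in the thread (the e-mail RDN is omitted), and the function names are hypothetical.

```python
import re

# Constructed sample, abbreviated from the `getcert list` output quoted in the thread.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20150313092456':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=BIOINF.LOCAL
    subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
    expires: 2017-03-13 09:24:56 UTC
"""

# Constructed: subject as reported in the ipa error (e-mail RDN omitted).
SERVED_SUBJECT = ("CN=lead.bioinf.local,OU=SomeOrganizationalUnit,"
                  "O=SomeOrganization,L=SomeCity,ST=SomeState,C=--")

def normalize_dn(dn):
    """Reduce a DN to a set of (type, value) pairs, ignoring order, case and spacing.
    Simplification: tools print RDNs in different orders; escaped commas are not handled."""
    return frozenset(
        tuple(part.strip().lower() for part in rdn.split("=", 1))
        for rdn in dn.split(",") if rdn.strip()
    )

def tracked_certs(getcert_text):
    """Return {request_id: {field: value}} parsed from `getcert list` text."""
    certs, current = {}, None
    for line in getcert_text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line.strip())
        if m:
            current = certs.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return certs

def find_tracking_request(served_subject, getcert_text):
    """Return the request ID whose tracked subject equals the served one, else None."""
    want = normalize_dn(served_subject)
    for req_id, fields in tracked_certs(getcert_text).items():
        if normalize_dn(fields.get("subject", "")) == want:
            return req_id
    return None

if __name__ == "__main__":
    hit = find_tracking_request(SERVED_SUBJECT, GETCERT_OUTPUT)
    print("tracked by request", hit if hit else "NONE: server presents an untracked certificate")
```

A `None` result means the web server is presenting a certificate that certmonger does not manage, which points at the Apache configuration rather than at certificate expiry.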
