On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: > Hi, As state in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-... > > I cannot login in FreeIPA web page. > > So I update CA by : > > # delete everything except IPA CA of httpd and dirsrv > > certutil -d /etc/http/alias -D -n 'xxx' > > # ca-bundle.crt is 3 files named USERTrust, .etc. > > # server.all is an combination of my certificate signed by Sectigo( fomerly named Comodo). > > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert" > > # add to httpd and dirsrv. > > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert > > I restart all services by ipactl restart. But it seems pki-tomcat fails to startup. > > #### log of ipactcl start #### > > Starting pki-tomcatd Service > ipa: DEBUG: Starting external process > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target > ipa: DEBUG: Process finished, return code=0 > ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus > ipa: DEBUG: request body '' > ipa: DEBUG: response status 500 > ipa: DEBUG: response headers Server: Apache-Coyote/1.1 > Content-Type: text/html;charset=utf-8 > Content-Language: en > Content-Length: 2208 > Date: Wed, 17 Jun 2020 09:13:19 GMT > Connection: close > > ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s > ...... > > ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500 > ipa: DEBUG: Waiting until the CA is running > > #### END of log ##### > > > Here is log of pki-tomcat > > ### > Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1) > > ### > > The point is ' Peer's certificate issuer has been marked as not trusted by the user.' As far as I know pki-tomcat needs a certificate to bind to 389 DS and store information. > > But I didn't touch CA named 'IPA CA', so basically pki-tomcatd could use its own certificate named 'substemCert cert-pki-ca' to bind to 389 DS. > > Please help. Hi, the new CA certs from Sectigo need to be installed with ipa-cacert-manage install (the command uploads the certs in the LDAP database). For more information, please refer to "Installing a CA Certificate Manually" [1]. As the chain contains multiple certs, you need to start from the root cert then go down the chain. When all the certs have been added, don't forget to run ipa-certupdate on all the IPA hosts (the command downloads the certs from LDAP and puts them in all the NSSDBs that need them). HTH, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > > Thanks a lot. > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

[root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias   [root@wocfreeipa ~]# [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca' [root@wocfreeipa ~]#  grep internal /etc/pki/pki-tomcat/password.conf internal=3Tm~ofzwXXXXXXXXXXXX [root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL Please enter pin, password, or pass phrase for security token 'ldap(0)': SASL/EXTERNAL authentication started SASL username: cn=CA Subsystem,o=SAP.WINGON.HK <http://SAP.WINGON.HK> SASL SSF: 0 # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # dn: objectClass: top namingContexts: cn=changelog namingContexts: dc=sap,dc=wingon,dc=hk namingContexts: o=ipaca supportedExtension: 1.3.6.1.4.1.4203.1.11.3 。。。。。。 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 It seems the connection  established by Dogtag to  389 DS is correct. But why dogtag complained " */Peer's certificate issuer has been marked as not trusted by the user./* ? Weird.

On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <luckydogxf(a)gmail.com <mailto:luckydogxf@gmail.com>> wrote: The sad thing is that CA is expired on May 30, 2020. My IPA cannot login in. So I used certutil to remove old CAs. Here are steps I used. Unfortunately, I didn't try the step you mentioned. 1. certutil -d /etc/http/alias -D -n Server-Cert     certutil -d /etc/http/alias -D -n  < Other CAs of Comodo> 2. Do the same thing against /etc/dirsrv/slapd-xxx 3. Add new certs and CAs by: cat server.key server.crt > server.all openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert" pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert 4. iptacl restart -f -d shows pki-tomcatd cannot start. --------- Internal Database Error encountered:_Could not connect to LDAP server host wocfreeipa.sap.wingon.hk <http://wocfreeipa.sap.wingon.hk> port 636 _Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) */Peer's certificate issuer has been marked as not trusted by the user./* (-1) So what's wrong ? ------------- On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud <flo(a)redhat.com <mailto:flo@redhat.com>> wrote: On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: > Hi, As state in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-... > > I cannot login in FreeIPA web page. > > So I update CA by : > > # delete everything except IPA CA  of httpd and dirsrv > > certutil -d /etc/http/alias -D -n 'xxx' > > # ca-bundle.crt is 3 files named USERTrust, .etc. > > # server.all is an combination of my certificate signed by Sectigo( fomerly named Comodo). > > openssl pkcs12 -export -chain -CAfile ca-bundle.crt  -in server.all  -out Server-Cert.p12 -name "Server-Cert" > > # add to httpd and dirsrv. > >   pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert > > I restart all services by ipactl restart. But it seems pki-tomcat fails to startup. > > #### log of ipactcl start #### > > Starting pki-tomcatd Service > ipa: DEBUG: Starting external process > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target > ipa: DEBUG: Process finished, return code=0 > ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus > ipa: DEBUG: request body '' > ipa: DEBUG: response status 500 > ipa: DEBUG: response headers Server: Apache-Coyote/1.1 > Content-Type: text/html;charset=utf-8 > Content-Language: en > Content-Length: 2208 > Date: Wed, 17 Jun 2020 09:13:19 GMT > Connection: close > > ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s > ...... > > ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500 > ipa: DEBUG: Waiting until the CA is running > > #### END of log ##### > > > Here is log of pki-tomcat > > ### > Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk <http://wocfreeipa.sap.wingon.hk> port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1) > > ### > > The point is ' Peer's certificate issuer has been marked as not trusted by the user.'   As far as I know pki-tomcat needs a certificate to bind to 389 DS and store information. > > But I didn't touch CA named 'IPA CA',  so basically pki-tomcatd could use its own certificate named 'substemCert cert-pki-ca' to bind to 389 DS. > > Please help. Hi, the new CA certs from Sectigo need to be installed with ipa-cacert-manage install (the command uploads the certs in the LDAP database). For more information, please refer to "Installing a CA Certificate Manually" [1]. As the chain contains multiple certs, you need to start from the root cert then go down the chain. When all the certs have been added, don't forget to run ipa-certupdate on all the IPA hosts (the command downloads the certs from LDAP and puts them in all the NSSDBs that need them). HTH, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > > Thanks a lot. > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Got it, thanks! I add CA certs of Sectigo one by one to /etc/pki/pki-tomcat/alias/, now it works. Another thing, please confirm my statement below correct or not ------- I changed Server-Cert to Sectigo's signed one (NOT Self-signed), so when dog-tag tries to connect to 389 DS, it would check 389 DS certificate (Server-Cert), meanwhile it also needs a CA to verify server-Cert. My problem is that when dog-tat check its NSSDB( /etc/pki/pki-tomcat/alias/ ), there is no CA of Sectigo available to verify. So it complains: *Peer's certificate issuer has been marked as not trusted by the user.* ------ Does my understanding correct or not ? Appreciate your help. On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud <flo(a)redhat.com&gt; wrote: > On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: > > [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias > > > > [root@wocfreeipa ~]# > > > > [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca' > > > > [root@wocfreeipa ~]# grep internal /etc/pki/pki-tomcat/password.conf > > internal=3Tm~ofzwXXXXXXXXXXXX > > > > [root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b "" -s > base > > -Y EXTERNAL > > Please enter pin, password, or pass phrase for security token 'ldap(0)': > > > > SASL/EXTERNAL authentication started > > SASL username: cn=CA Subsystem,o=SAP.WINGON.HK <http://SAP.WINGON.HK> > > SASL SSF: 0 > > # extended LDIF > > # > > # LDAPv3 > > # base <> with scope baseObject > > # filter: (objectclass=*) > > # requesting: ALL > > # > > > > # > > dn: > > objectClass: top > > namingContexts: cn=changelog > > namingContexts: dc=sap,dc=wingon,dc=hk > > namingContexts: o=ipaca > > supportedExtension: 1.3.6.1.4.1.4203.1.11.3 > > 。。。。。。 > > # search result > > search: 2 > > result: 0 Success > > > > # numResponses: 2 > > # numEntries: 1 > > > > It seems the connection established by Dogtag to 389 DS is correct. > > But why dogtag complained " > > > > */Peer's certificate issuer has been marked as not trusted by the > user./* > > ? > > Weird. > Hi, > Dogtag has its own NSSDB and each of the sectigo CA certs need to be > present there, too: > $ certutil -A -d /etc/pki/pki-tomcat/alias -n <nick> -t CT,C,C -a -i > cert.pem > > HTH, > flo > > > > On Thu, Jun 18, 2020 at 9:31 AM luckydog xf <luckydogxf(a)gmail.com > > <mailto:luckydogxf@gmail.com>> wrote: > > > > The sad thing is that CA is expired on May 30, 2020. My IPA cannot > > login in. > > > > So I used certutil to remove old CAs. Here are steps I used. > > Unfortunately, I didn't try the step you mentioned. > > > > 1. certutil -d /etc/http/alias -D -n Server-Cert > > certutil -d /etc/http/alias -D -n < Other CAs of Comodo> > > > > 2. Do the same thing against /etc/dirsrv/slapd-xxx > > > > 3. Add new certs and CAs by: > > > > cat server.key server.crt > server.all > > > > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all > > -out Server-Cert.p12 -name "Server-Cert" > > > > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert > > > > 4. iptacl restart -f -d shows pki-tomcatd cannot start. > > --------- > > Internal Database Error encountered:_Could not connect to LDAP > > server host wocfreeipa.sap.wingon.hk > > <http://wocfreeipa.sap.wingon.hk> port 636 _Error > > netscape.ldap.LDAPException: Unable to create socket: > > org.mozilla.jss.ssl.SSLSocketException: > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: > > (-8172) */Peer's certificate issuer has been marked as not trusted > > by the user./* (-1) > > > > So what's wrong ? > > > > > > ------------- > > > > > > > > On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud > > <flo(a)redhat.com <mailto:flo@redhat.com>> wrote: > > > > On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: > > > Hi, As state in > > > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-... > > > > > > I cannot login in FreeIPA web page. > > > > > > So I update CA by : > > > > > > # delete everything except IPA CA of httpd and dirsrv > > > > > > certutil -d /etc/http/alias -D -n 'xxx' > > > > > > # ca-bundle.crt is 3 files named USERTrust, .etc. > > > > > > # server.all is an combination of my certificate signed by > > Sectigo( fomerly named Comodo). > > > > > > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in > > server.all -out Server-Cert.p12 -name "Server-Cert" > > > > > > # add to httpd and dirsrv. > > > > > > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n > Server-Cert > > > > > > I restart all services by ipactl restart. But it seems > > pki-tomcat fails to startup. > > > > > > #### log of ipactcl start #### > > > > > > Starting pki-tomcatd Service > > > ipa: DEBUG: Starting external process > > > ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target > > > ipa: DEBUG: Process finished, return code=0 > > > ipa: DEBUG: request POST > > http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus > > > ipa: DEBUG: request body '' > > > ipa: DEBUG: response status 500 > > > ipa: DEBUG: response headers Server: Apache-Coyote/1.1 > > > Content-Type: text/html;charset=utf-8 > > > Content-Language: en > > > Content-Length: 2208 > > > Date: Wed, 17 Jun 2020 09:13:19 GMT > > > Connection: close > > > > > > ipa: DEBUG: response body '<html><head><title>Apache > > Tomcat/7.0.76 - Error report</title><style><!--H1 > > {font-family:Tahoma,Arial,sans-s > > > ...... > > > > > > ipa: DEBUG: Failed to check CA status: Retrieving CA status > > failed with status 500 > > > ipa: DEBUG: Waiting until the CA is running > > > > > > #### END of log ##### > > > > > > > > > Here is log of pki-tomcat > > > > > > ### > > > Internal Database Error encountered: Could not connect to > > LDAP server host wocfreeipa.sap.wingon.hk > > <http://wocfreeipa.sap.wingon.hk> port 636 Error > > netscape.ldap.LDAPException: Unable to create socket: > > org.mozilla.jss.ssl.SSLSocketException: > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake > > failed: (-8172) Peer's certificate issuer has been marked as not > > trusted by the user. (-1) > > > > > > ### > > > > > > The point is ' Peer's certificate issuer has been marked as > > not trusted by the user.' As far as I know pki-tomcat needs a > > certificate to bind to 389 DS and store information. > > > > > > But I didn't touch CA named 'IPA CA', so basically > > pki-tomcatd could use its own certificate named 'substemCert > > cert-pki-ca' to bind to 389 DS. > > > > > > Please help. > > Hi, > > > > the new CA certs from Sectigo need to be installed with > > ipa-cacert-manage install (the command uploads the certs in the > > LDAP > > database). For more information, please refer to "Installing a > CA > > Certificate Manually" [1]. > > As the chain contains multiple certs, you need to start from the > > root > > cert then go down the chain. When all the certs have been added, > > don't > > forget to run ipa-certupdate on all the IPA hosts (the command > > downloads > > the certs from LDAP and puts them in all the NSSDBs that need > them). > > > > HTH, > > flo > > > > [1] > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > > > > > > > > Thanks a lot. > > > > > > > > > _______________________________________________ > > > FreeIPA-users mailing list -- > > freeipa-users(a)lists.fedorahosted.org > > <mailto:freeipa-users@lists.fedorahosted.org> > > > To unsubscribe send an email to > > freeipa-users-leave(a)lists.fedorahosted.org > > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > >

On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote: > One more questions, > > In this thread > ( https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...) > you mentioned that > > subsystemCert cert-pki-ca would map to pkidbuser. > > So the process is that dog-tag uses cert-pki-ca to establish a > connection to 389 DS , and 389 DS would use pkidbuser to bind and do > LDAP queries and other thing. ? > Yes, that's right. The connection between dogtag and 389-ds is using SASL External authentication, meaning that dogtag provides a certificate and 389-ds maps this certificate to a DN. You can find more information in "Using certificate-based client authentication" [1] in 389-ds doc. [1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/11... > Thanks for your help. > > > > > On Thu, Jun 18, 2020 at 4:26 PM luckydog xf <luckydogxf(a)gmail.com > <mailto:luckydogxf@gmail.com>> wrote: > > Got it, thanks! > > I add CA certs of Sectigo one by one to /etc/pki/pki-tomcat/alias/, > now it works. > > Another thing, please confirm my statement below correct or not > > ------- > > I changed Server-Cert to Sectigo's signed one (NOT Self-signed), so > when dog-tag tries to connect to 389 DS, it would check 389 DS > certificate (Server-Cert), meanwhile it also needs a CA to verify > server-Cert. > > My problem is that when dog-tat check its NSSDB( > /etc/pki/pki-tomcat/alias/ ), there is no CA of Sectigo available > to verify. So it complains: > > */Peer's certificate issuer has been marked as not trusted by the > user./* > > ------ > > Does my understanding correct or not ? Yes, that's right. The client (dogtag) needs to trust the server cert (389-ds cert). As the server cert is issued by sectigo, adding the sectigo CA certs in /etc/pki/pki-tomcat/alias with the right flags fixes the trust problem. flo > > Appreciate your help. > > > On Thu, Jun 18, 2020 at 3:37 PM Florence Blanc-Renaud > <flo(a)redhat.com <mailto:flo@redhat.com>> wrote: > > On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: > > [root@wocfreeipa ~]# export > LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias > > > > [root@wocfreeipa ~]# > > > > [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert > cert-pki-ca' > > > > [root@wocfreeipa ~]# grep internal > /etc/pki/pki-tomcat/password.conf > > internal=3Tm~ofzwXXXXXXXXXXXX > > > > [root@wocfreeipa ~]# ldapsearch -H ldaps://`hostname`:636 -b > "" -s base > > -Y EXTERNAL > > Please enter pin, password, or pass phrase for security token > 'ldap(0)': > > > > SASL/EXTERNAL authentication started > > SASL username: cn=CA Subsystem,o=SAP.WINGON.HK > <http://SAP.WINGON.HK> <http://SAP.WINGON.HK> > > SASL SSF: 0 > > # extended LDIF > > # > > # LDAPv3 > > # base <> with scope baseObject > > # filter: (objectclass=*) > > # requesting: ALL > > # > > > > # > > dn: > > objectClass: top > > namingContexts: cn=changelog > > namingContexts: dc=sap,dc=wingon,dc=hk > > namingContexts: o=ipaca > > supportedExtension: 1.3.6.1.4.1.4203.1.11.3 > > 。。。。。。 > > # search result > > search: 2 > > result: 0 Success > > > > # numResponses: 2 > > # numEntries: 1 > > > > It seems the connection established by Dogtag to 389 DS is > correct. > > But why dogtag complained " > > > > */Peer's certificate issuer has been marked as not trusted by > the user./* > > ? > > Weird. > Hi, > Dogtag has its own NSSDB and each of the sectigo CA certs need > to be > present there, too: > $ certutil -A -d /etc/pki/pki-tomcat/alias -n <nick> -t CT,C,C > -a -i > cert.pem > > HTH, > flo > > > > On Thu, Jun 18, 2020 at 9:31 AM luckydog xf > <luckydogxf(a)gmail.com <mailto:luckydogxf@gmail.com> > > <mailto:luckydogxf@gmail.com <mailto:luckydogxf@gmail.com>>> > wrote: > > > > The sad thing is that CA is expired on May 30, 2020. My > IPA cannot > > login in. > > > > So I used certutil to remove old CAs. Here are steps I used. > > Unfortunately, I didn't try the step you mentioned. > > > > 1. certutil -d /etc/http/alias -D -n Server-Cert > > certutil -d /etc/http/alias -D -n < Other CAs of > Comodo> > > > > 2. Do the same thing against /etc/dirsrv/slapd-xxx > > > > 3. Add new certs and CAs by: > > > > cat server.key server.crt > server.all > > > > openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in > server.all > > -out Server-Cert.p12 -name "Server-Cert" > > > > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n > Server-Cert > > > > 4. iptacl restart -f -d shows pki-tomcatd cannot start. > > --------- > > Internal Database Error encountered:_Could not connect to > LDAP > > server host wocfreeipa.sap.wingon.hk > <http://wocfreeipa.sap.wingon.hk> > > <http://wocfreeipa.sap.wingon.hk> port 636 _Error > > netscape.ldap.LDAPException: Unable to create socket: > > org.mozilla.jss.ssl.SSLSocketException: > > org.mozilla.jss.ssl.SSLSocketException: > SSL_ForceHandshake failed: > > (-8172) */Peer's certificate issuer has been marked as > not trusted > > by the user./* (-1) > > > > So what's wrong ? > > > > > > ------------- > > > > > > > > On Wed, Jun 17, 2020 at 10:34 PM Florence Blanc-Renaud > > <flo(a)redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote: > > > > On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: > > > Hi, As state in > > > https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-... > > > > > > I cannot login in FreeIPA web page. > > > > > > So I update CA by : > > > > > > # delete everything except IPA CA of httpd and dirsrv > > > > > > certutil -d /etc/http/alias -D -n 'xxx' > > > > > > # ca-bundle.crt is 3 files named USERTrust, .etc. > > > > > > # server.all is an combination of my certificate > signed by > > Sectigo( fomerly named Comodo). > > > > > > openssl pkcs12 -export -chain -CAfile > ca-bundle.crt -in > > server.all -out Server-Cert.p12 -name "Server-Cert" > > > > > > # add to httpd and dirsrv. > > > > > > pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ > -n Server-Cert > > > > > > I restart all services by ipactl restart. But it seems > > pki-tomcat fails to startup. > > > > > > #### log of ipactcl start #### > > > > > > Starting pki-tomcatd Service > > > ipa: DEBUG: Starting external process > > > ipa: DEBUG: args=/bin/systemctl start > pki-tomcatd.target > > > ipa: DEBUG: Process finished, return code=0 > > > ipa: DEBUG: request POST > > http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus > > > ipa: DEBUG: request body '' > > > ipa: DEBUG: response status 500 > > > ipa: DEBUG: response headers Server: Apache-Coyote/1.1 > > > Content-Type: text/html;charset=utf-8 > > > Content-Language: en > > > Content-Length: 2208 > > > Date: Wed, 17 Jun 2020 09:13:19 GMT > > > Connection: close > > > > > > ipa: DEBUG: response body '<html><head><title>Apache > > Tomcat/7.0.76 - Error report</title><style><!--H1 > > {font-family:Tahoma,Arial,sans-s > > > ...... > > > > > > ipa: DEBUG: Failed to check CA status: Retrieving > CA status > > failed with status 500 > > > ipa: DEBUG: Waiting until the CA is running > > > > > > #### END of log ##### > > > > > > > > > Here is log of pki-tomcat > > > > > > ### > > > Internal Database Error encountered: Could not > connect to > > LDAP server host wocfreeipa.sap.wingon.hk > <http://wocfreeipa.sap.wingon.hk> > > <http://wocfreeipa.sap.wingon.hk> port 636 Error > > netscape.ldap.LDAPException: Unable to create socket: > > org.mozilla.jss.ssl.SSLSocketException: > > org.mozilla.jss.ssl.SSLSocketException: > SSL_ForceHandshake > > failed: (-8172) Peer's certificate issuer has been > marked as not > > trusted by the user. (-1) > > > > > > ### > > > > > > The point is ' Peer's certificate issuer has been > marked as > > not trusted by the user.' As far as I know > pki-tomcat needs a > > certificate to bind to 389 DS and store information. > > > > > > But I didn't touch CA named 'IPA CA', so basically > > pki-tomcatd could use its own certificate named > 'substemCert > > cert-pki-ca' to bind to 389 DS. > > > > > > Please help. > > Hi, > > > > the new CA certs from Sectigo need to be installed with > > ipa-cacert-manage install (the command uploads the > certs in the > > LDAP > > database). For more information, please refer to > "Installing a CA > > Certificate Manually" [1]. > > As the chain contains multiple certs, you need to > start from the > > root > > cert then go down the chain. When all the certs have > been added, > > don't > > forget to run ipa-certupdate on all the IPA hosts > (the command > > downloads > > the certs from LDAP and puts them in all the NSSDBs > that need them). > > > > HTH, > > flo > > > > [1] > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > > > > > > > > Thanks a lot. > > > > > > > > > _______________________________________________ > > > FreeIPA-users mailing list -- > > freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > <mailto:freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> > > > To unsubscribe send an email to > > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > <mailto:freeipa-users-leave@lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- > freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >