On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
> We discussed this with Tomáš off-line and it turns out that
> ipa-client-install fails if the CA cert is not added to
> /etc/pki/nssdb.
>
> However, according to p11-kit docs it should work:
> <http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
> wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that database isn't going to automatically pull in the list of trusted CAs that p11-kit maintains. Whether the database under /etc/pki/nssdb should automatically include the usual set of trust anchors is probably a different conversation.

HTH,

Nalin
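
The condition described in the reply above can be checked per database directory. The following is an added example, not part of the original thread or of FreeIPA: it classifies a directory's `libnssckbi.so` entry, following any intermediate links such as an /etc/alternatives hop. The function names and the assumption that the p11-kit trust module file is called `p11-kit-trust.so` are this example's own.

```shell
#!/bin/sh
# Added example: how does an NSS database directory get its root CA module?
# Assumption: the p11-kit trust module file is named p11-kit-trust.so.
# Usage (after sourcing this file): report /etc/pki/nssdb

# Print one of: missing | dangling | p11-kit | other
nssdb_root_module() {
    dbdir=$1
    entry="$dbdir/libnssckbi.so"

    # No entry at all: nothing in this directory pulls in the CA list
    # that p11-kit maintains.
    if [ ! -e "$entry" ] && [ ! -L "$entry" ]; then
        echo "missing"
        return 0
    fi

    # A symlink exists but the chain ends at a file that is not there.
    if [ -L "$entry" ] && [ ! -e "$entry" ]; then
        echo "dangling"
        return 0
    fi

    # Resolve the full chain, including any link-farm hop, to the real file.
    target=$(readlink -f -- "$entry")
    case "$(basename "$target")" in
        p11-kit-trust.so) echo "p11-kit" ;;   # trust list comes from p11-kit
        *)                echo "other"   ;;   # some other module or a plain file
    esac
}

# Report on each directory given; default to the one discussed in the thread.
report() {
    [ $# -gt 0 ] || set -- /etc/pki/nssdb
    for d in "$@"; do
        printf '%s: %s\n' "$d" "$(nssdb_root_module "$d")"
    done
}
```

A result of `missing` for /etc/pki/nssdb matches the situation reported in the reply.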