Ian Pilcher via FreeIPA-users wrote:
> On 06/20/2017 11:38 PM, Ian Pilcher wrote:
>> If I don't specify the SSL_DIR, the curl command works, so it
>> definitely seems to be an issue with the NSS database in
>> /etc/httpd/alias. I don't see anything obviously wrong with the trust
>> flags, though:
>>
>> # certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                  u,u,u
>> ipaCert                                                      u,u,u
>> PENURIO.US IPA CA                                            CT,C,C
>> Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
>> www.penurio.us                                               u,u,u
>>
>
> Trial and error for the win!
>
> It seems as if the NSS database in /etc/httpd/alias had become subtly
> corrupted, so that the trust flags shown by certutil for the CA
> certificate were not accurate.
>
> After clearing (-t ',,') and resetting (-t 'C,C,C') the trust flags,
> curl works, and certmonger has renewed my expired certificates.
>
> That was not fun.
>
Well, I'm glad it's working, but I'm confused by your setup. Are you still
using the Apache Server-Cert or are you using the Let's Encrypt cert? If the
latter then you should disable tracking on Server-Cert.

Off the top of my head I can't think of any issues it might cause but it is
very possible some IPA renewal script dropped the trust on the Let's Encrypt
CA since it isn't in the chain of the Server-Cert (or ipaCert).

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
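The clear-then-reset repair Ian describes, turned into a small script as an added example (it is not code from the thread or from the FreeIPA project). It parses `certutil -L` output, reports any certificate whose trust column is empty (",,"), and prints the two `certutil -M` invocations that clear and then set the trust, followed by the `SSL_DIR` curl check. The listing embedded below is constructed to mirror the one Ian posted; the database path, nicknames and `C,C,C` flags are taken from his message, and the script assumes the nss-tools `certutil` listing format. Commands are printed rather than executed so the script runs anywhere; pipe its output to `sh` on the IPA server to apply the repair.

```shell
#!/bin/sh
# Added example, not from the thread: inspect NSS trust flags as listed by
# `certutil -L`, flag CA entries carrying no trust at all, and emit the
# clear-then-set `certutil -M` commands Ian used to repair the database.

# Constructed sample of `certutil -d /etc/httpd/alias -L` output, mirroring
# the listing in the thread.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
PENURIO.US IPA CA                                            CT,C,C
Let's Encrypt Authority X3 - Digital Signature Trust Co.     ,,
www.penurio.us                                               u,u,u
EOF
}

# trust_flags LISTING NICKNAME -> prints the SSL,S/MIME,JAR/XPI trust string
# for NICKNAME. The trust column is the last whitespace-separated field; the
# nickname is everything before it with trailing blanks trimmed, so nicknames
# containing spaces (like the Let's Encrypt one) are matched correctly.
trust_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/ +[^ ]+ *$/, "", nick)
            if (nick == want) { print $NF; exit }
        }'
}

# untrusted_cas LISTING -> nicknames whose trust string is exactly ",,":
# the certificate is present but trusted for nothing. For a CA that is meant
# to anchor a server certificate, that is the symptom seen in the thread.
untrusted_cas() {
    printf '%s\n' "$1" | awk '
        $NF == ",," {
            nick = $0
            sub(/ +[^ ]+ *$/, "", nick)
            print nick
        }'
}

# reset_trust_cmds DBDIR NICKNAME FLAGS -> prints two `certutil -M` (modify
# trust) invocations: clear the trust first, then set it. This is the
# clear-then-reset sequence that fixed the subtly corrupted record.
reset_trust_cmds() {
    db=$1; nick=$2; flags=$3
    printf 'certutil -d %s -M -n "%s" -t ",,"\n' "$db" "$nick"
    printf 'certutil -d %s -M -n "%s" -t "%s"\n' "$db" "$nick" "$flags"
}

# verify_cmd DBDIR HOST -> the check Ian used: an NSS-linked curl reads
# SSL_DIR to choose its certificate database, so a clean exit means the
# server chain validates against the trust flags stored in that database.
verify_cmd() {
    printf 'SSL_DIR=%s curl -sS -o /dev/null https://%s/\n' "$1" "$2"
}

main() {
    db=/etc/httpd/alias
    listing=$(sample_listing)
    # while/read rather than a for loop so nicknames with spaces survive.
    untrusted_cas "$listing" | while IFS= read -r ca; do
        echo "# '$ca' has trust ',,' in $db; proposed repair:"
        reset_trust_cmds "$db" "$ca" "C,C,C"
    done
    echo "# then verify:"
    verify_cmd "$db" www.penurio.us
}

main
```

A caveat for the trust flags themselves: `C` marks the certificate as a CA trusted to issue server certificates, while `T` (as on the IPA CA's `CT,C,C`) additionally trusts it to issue client certificates. For a public CA that only needs to validate the Apache server certificate, `C,C,C` as Ian used is sufficient; do not add `T` unless you also want client certificates from that CA accepted.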