Hi,
On Tue, Jan 3, 2023 at 9:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
> I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
>
> # matches for REST API of CA, KRA, and PKI
> <LocationMatch "^/(ca|kra|pki)/rest/">
>     SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>     SSLVerifyClient optional
>     ProxyPassMatch ajp://localhost:8009 secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
>     ProxyPassReverse ajp://localhost:8009
> </LocationMatch>
>
> [root@wocfreeipa ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                                  Trust Attributes
>                                                                       SSL,S/MIME,JAR/XPI
>
> WINGON.HK IPA CA                                                      CT,C,C
> Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc.        CT,C,C
> Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc.   CT,C,C
> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   CT,C,C
> Server-Cert                                                           u,u,u

^^ I'm surprised that your http cert is stored in /etc/httpd/alias. With IPA 4.9.8, httpd is using mod_ssl instead of mod_nss. The config file /etc/httpd/conf.d/ssl.conf should set up the following:

SSLCertificateFile /var/lib/ipa/certs/httpd.crt
SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
SSLCACertificateFile /etc/ipa/ca.crt

instead of using /etc/httpd/conf.d/nss.conf with the NSS database.

Do you have a config file /etc/httpd/conf.d/ssl.conf or /etc/httpd/conf.d/nss.conf? What is the output of "httpd -M"?

The server cert seems to be a wildcard cert, can you flo

> [root@wocfreeipa ~]# certutil -d /etc/httpd/alias/ -O -n Server-Cert
> "Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc." [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]
>
>   "Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc." [CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
>
>     "Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc." [CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
>
>       "Server-Cert" [CN=*.wingon.hk]
>
> [root@wocfreeipa ~]# certutil -L -d /etc/dirsrv/slapd-WINGON-HK/
>
> Certificate Nickname                                                  Trust Attributes
>                                                                       SSL,S/MIME,JAR/XPI
>
> CN=*.wingon.hk                                                        u,u,u
> WINGON.HK IPA CA                                                      CT,C,C
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>
> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname                                                  Trust Attributes
>                                                                       SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                             CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                           u,u,u
> subsystemCert cert-pki-ca                                             u,u,u
> auditSigningCert cert-pki-ca                                          u,u,Pu
> Server-Cert cert-pki-ca                                               u,u,u
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>
> I use ipa-cacert-manage install to add the external CA
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
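The reply above asks which Apache TLS backend the server is actually wired for: ssl.conf with PEM files under /var/lib/ipa (mod_ssl, as shipped with IPA 4.9.x) or nss.conf pointing at the NSS database in /etc/httpd/alias (mod_nss), plus the output of "httpd -M". The following script is an added example for this thread, not code from FreeIPA or from anyone on the list; it makes that check repeatable. The SSLCertificate* directive names and default paths are the ones quoted in the reply; the mod_nss directive NSSCertificateDatabase is not named in the thread and is assumed here from mod_nss itself.

```shell
#!/bin/sh
# Added example (not FreeIPA code): report whether an IPA server's Apache is
# configured for mod_ssl (ssl.conf + PEM files) or legacy mod_nss (nss.conf +
# NSS database), and which files each directive references.
# Default config directory is /etc/httpd/conf.d; pass another path to override.

# Print the first value of an Apache directive in a file, ignoring commented
# lines and leading indentation.  Matches case-insensitively, as httpd does.
# $1 = config file, $2 = directive name
apache_directive() {
    [ -r "$1" ] || return 1
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" \
        | sed -e 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | head -n 1
}

# Decide the backend from which config file carries a live certificate
# directive.  Prints one of: mod_ssl | mod_nss | both | none
ipa_httpd_tls_backend() {
    confd="${1:-/etc/httpd/conf.d}"
    has_ssl=0
    has_nss=0
    [ -n "$(apache_directive "$confd/ssl.conf" SSLCertificateFile)" ] && has_ssl=1
    # NSSCertificateDatabase is the mod_nss directive (assumed; not in the thread)
    [ -n "$(apache_directive "$confd/nss.conf" NSSCertificateDatabase)" ] && has_nss=1
    case "$has_ssl$has_nss" in
        10) echo mod_ssl ;;
        01) echo mod_nss ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Human-readable report: backend, the certificate paths each config names,
# and, when httpd is installed, which of ssl_module/nss_module it loads
# ("httpd -M" is exactly what the reply asks for).
ipa_httpd_tls_report() {
    confd="${1:-/etc/httpd/conf.d}"
    echo "backend: $(ipa_httpd_tls_backend "$confd")"
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        v="$(apache_directive "$confd/ssl.conf" "$d")"
        [ -n "$v" ] && echo "ssl.conf $d = $v"
    done
    v="$(apache_directive "$confd/nss.conf" NSSCertificateDatabase)"
    [ -n "$v" ] && echo "nss.conf NSSCertificateDatabase = $v"
    if command -v httpd >/dev/null 2>&1; then
        httpd -M 2>/dev/null | grep -E 'ssl_module|nss_module' \
            || echo "httpd -M: neither ssl_module nor nss_module loaded"
    fi
}

# Stand-alone use:  sh ipa-httpd-tls-check.sh [/etc/httpd/conf.d]
if [ -n "${1:-}" ]; then
    ipa_httpd_tls_report "$1"
fi
```

A result of "both" means an ssl.conf and an nss.conf are each pointing at a certificate, which is the mixed state the reply is probing for; in that case "httpd -M" tells you which module is really serving the port.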