Hi.

I've tried to delete and reimport only the *Server-Cert* certificate (I have a copy of the original folder). But a strange behaviour happened:

# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt
# certutil -D -d /etc/httpd/alias -n Server-Cert
# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C

# certutil -A -d /etc/httpd/alias -n Server-Cert -t u,u,u -a -i /tmp/Server-Cert.crt
Notice: Trust flag u is set automatically if the private key is present.
p11-kit: objects of this type cannot be created
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u

What's the error message in bold? And why are the trust flags set differently from the ones specified?

Thanks,
Morgan

2016-11-17 17:36 GMT+01:00 Morgan Marodin <mor...@marodin.it>:
> Hi.
>
> I've upgraded all packages of my distribution, not only the ipa packages.
> There were a lot of packages.
>
> [root@mlv-ipa01 ~]# rpm -q mod_nss
> mod_nss-1.0.14-7.el7.x86_64
>
> All other checks seem ok:
>
> [root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> certutil: certificate is valid
> [root@mlv-ipa01 ~]# getsebool
> getsebool: SELinux is disabled
> [root@mlv-ipa01 ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      736...   NSS Certificate DB:Server-Cert
> < 1> rsa      a4b...   NSS Certificate DB:Signing-Cert
> < 2> rsa      0ff...   NSS Certificate DB:ipaCert
>
> [root@mlv-ipa01 ~]# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Not Before|Not After"
>             Not Before: Mon Sep 07 10:15:34 2015
>             Not After : Thu Sep 07 10:15:34 2017
>
> Could it be a good idea to export and re-import all certs from the
> /etc/httpd/alias folder?
>
> Thanks
>
> 2016-11-17 17:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> Morgan Marodin wrote:
>> > Hi Rob.
>> >
>> > I've just tried to remove the group write to the *.db files, but it's
>> > not the problem.
>>
>> I didn't expect it to be but you don't want Apache having write access
>> to your certs and keys.
>>
>> > [root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf
>> > NSSNickname Server-Cert
>>
>> Ok.
>>
>> > I've tried to run dirsrv.target and krb5kdc.service manually, and it
>> > works, the services came up.
>> > The same for ntpd, named-pkcs11.service, smb.service,
>> > winbind.service, kadmin.service, memcached.service and
>> > pki-tomcatd.target.
>>
>> Good, so you can limp along for a while then.
>>
>> > Any other ideas?
>>
>> So you upgraded. What did you actually upgrade? Only the IPA packages or
>> a lot more?
>>
>> What version is running now, and what version of mod_nss?
>>
>> $ rpm -q mod_nss
>>
>> Let's see if the NSS tools can find the cert:
>>
>> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
>>
>> Should come back with: certutil: certificate is valid
>>
>> rob
>>
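The checks run by hand in this thread (certutil -L for nicknames and trust flags, certutil -L -n ... for the validity window) can be turned into a repeatable audit of the httpd NSS database. The script below is an added example, not code from either poster or from FreeIPA: it parses constructed sample output modelled on the listing above, compares each nickname's trust flags with an assumed expected policy (EXPECTED_TRUST is the assumption; it reports, for instance, the Server-Cert entry coming back as Pu,u,u when u,u,u was passed to certutil -A), and flags a Server-Cert that is expired or within a warning window of its Not After date. The reference time defaults to the timestamp of the message above so the expiry arithmetic is reproducible offline.

```python
"""Audit an NSS certificate database listing (certutil -L output) against an
expected trust-flag policy and flag certificates close to expiry.

Added example; the sample output below is constructed to mirror the listing
in the thread, and the EXPECTED_TRUST table is an assumption, not IPA policy.
"""
import re
from datetime import datetime

# Constructed sample of `certutil -L -d /etc/httpd/alias` output.
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
IPA.PEDONGROUP.COM IPA CA                                    CT,C,C
Server-Cert                                                  Pu,u,u
"""

# Constructed sample of `certutil -L -d ... -n Server-Cert | egrep "Not Before|Not After"`.
VALIDITY = """\
            Not Before: Mon Sep 07 10:15:34 2015
            Not After : Thu Sep 07 10:15:34 2017
"""

# Assumed policy: the trust flags each nickname in this database is expected to carry.
EXPECTED_TRUST = {
    "Server-Cert": "u,u,u",
    "Signing-Cert": "u,u,u",
    "ipaCert": "u,u,u",
    "IPA.PEDONGROUP.COM IPA CA": "CT,C,C",
}

# A certutil trust string: three comma-separated groups of flag letters (may be empty).
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_listing(text):
    """Return {nickname: trust_flags} from certutil -L output.

    Nicknames may contain spaces ("IPA.PEDONGROUP.COM IPA CA"), so the line is
    split on its last space; the trust string is validated against TRUST_RE."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") or "SSL,S/MIME" in line:
            continue  # blank line or one of the two header lines
        nickname, _, trust = line.rpartition(" ")
        nickname = nickname.rstrip()
        if not nickname or not TRUST_RE.match(trust):
            raise ValueError("unrecognised listing line: %r" % line)
        certs[nickname] = trust
    return certs


def check_trust(certs, expected):
    """Return findings for nicknames that are missing or carry unexpected trust flags."""
    findings = []
    for nickname, want in expected.items():
        got = certs.get(nickname)
        if got is None:
            findings.append("%s: missing from database" % nickname)
        elif got != want:
            findings.append("%s: trust flags %s, expected %s" % (nickname, got, want))
    return findings


def parse_validity(text):
    """Return (not_before, not_after) from the grep'd 'Not Before'/'Not After' lines."""
    fmt = "%a %b %d %H:%M:%S %Y"  # certutil's date layout, e.g. "Thu Sep 07 10:15:34 2017"
    stamps = {}
    for line in text.splitlines():
        label, _, value = line.partition(":")  # split at the first colon only
        key = label.strip()
        if key in ("Not Before", "Not After"):
            stamps[key] = datetime.strptime(value.strip(), fmt)
    return stamps["Not Before"], stamps["Not After"]


def days_until_expiry(not_after, now):
    """Whole days from `now` until `not_after`; negative once the certificate has expired."""
    return (not_after - now).days


def audit(listing=LISTING, validity=VALIDITY,
          now=datetime(2016, 11, 17, 17, 36), warn_days=90):
    """Run the trust-flag and validity checks; return a list of human-readable findings."""
    findings = check_trust(parse_listing(listing), EXPECTED_TRUST)
    not_before, not_after = parse_validity(validity)
    if now < not_before:
        findings.append("Server-Cert: not yet valid")
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        findings.append("Server-Cert: expired %d days ago" % -remaining)
    elif remaining <= warn_days:
        findings.append("Server-Cert: expires in %d days" % remaining)
    return findings


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```

On a live host the two constructed strings would be replaced by the output of the same certutil commands; parsing the text rather than shelling out keeps the check testable without an NSS database present.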
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project