On Wed, Mar 18, 2020 at 10:42:52AM -0000, Hristina Marosevic wrote: > > On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote: > > > > Hi, > > > > about 'certificate_verification = no_verification', there is an issue > > which was fixed by > > https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be > > but the fix is not in the build you are using. So better continue with > > 'certificate_verification = no_ocsp'. > > > > > > Please add all CA certificates to the NSS database /etc/pki/nssdb with > > the help of the certutil command: > > > > certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d > > /etc/pki/nssdb > > > > each CA certificate should get an individual nickname. If your > > CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END > > CERTIFICATE lines) you might need to add a '-a' option as well. > > > > If there are still issues please send the strace output. > > > > HTH > > > > bye, > > Sumit > > > Hello, > > I just tried to add the certificates (intermediate and root CA) to the > database and I got the error: "certutil: function failed: > SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, > unsupported format." for each one.
Hi, can you send the output of ls -al /etc/pki/nssdb and certutil -L -d /etc/pki/nssdb -h all bye, Sumit > > The confirugation in sssd is still not changed and no other step is executed > due to this error. I think it is important to solve this problem first, and > that this one is not related to the sssd configuration and option > certificate_verification in the config file. > Can you propose me a solution for this? > > > BR, > Hristina > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org