Hi, I'm trying to add 3rd party certs for the webgui and ldap as documented here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I'm able to add the CA cert. Then add the chained cert and key via ipa-server-certinstall tool. However, when I try to restart httpd, it fails and I get the following error in the logs.

[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: ( ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

I've looked into the key, but everything seems to work as expected. Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2

Thanks,
--Josh
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
