Matt . wrote:
> Hi,
>
> The install seems to be OK this way, but I'm still confused about the
> duplicated and the RootCA.

What does this show?

#3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA

I'm guessing it will show two certs with different serial numbers, which
means this is a-ok.

rob

>
> 2017-02-18 14:47 GMT+01:00 Matt . <[email protected]>:
>> Hi Florence,
>>
>> I'm actually still investigating this as the following occurs.
>>
>> I have removed all unneeded certs and installed the 2 intermediates
>> for Comodo and did an ipa-certupdate which results in this:
>>
>> #certutil -L -d /etc/httpd/alias
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB   C,,
>> AddTrustExternalCARoot                                       C,,
>> ipaCert                                                      u,u,u
>> COMODORSAAddTrustCA                                          C,,
>> COMODORSAAddTrustCA                                          C,,
>> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>>
>> I'm curious why the COMODORSAAddTrustCA is there twice; if I remove
>> both and start over they are duplicated again. Also the
>> AddTrustExternalCARoot comes back again even when this was not
>> installed anymore as it's not needed.
>>
>> I'm able to install my cert after the update:
>>
>> #certutil -L -d /etc/httpd/alias
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB   C,,
>> AddTrustExternalCARoot                                       C,,
>> ipaCert                                                      u,u,u
>> COMODORSAAddTrustCA                                          C,,
>> COMODORSAAddTrustCA                                          C,,
>> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated   u,u,u
>>
>> Now this works great for the WebGui which uses the right Certificate
>> for the ssl connection but ldaps on port 636 seems to use:
>>
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
>>
>> Do you have any clue about this?
>>
>> I'm also curious about what IPA syncs between all hosts; it seems to
>> be only the Intermediate certs and not the install domain's
>> certificate. Does this need to be installed manually after a local
>> #ipa-certupdate on each node?
>>
>> I hope you can clarify this.
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-02-17 0:15 GMT+01:00 Matt . <[email protected]>:
>>> Hi Flo,
>>>
>>> Sure I can, I will look through the steps closely tomorrow and will
>>> create some lineup here.
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>
>>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>>> but with this extra line it doesn't anymore :))
>>>>>
>>>>> This works perfectly, thank you very much.
>>>>>
>>>> Hi Matt,
>>>>
>>>> glad I could help. What did you do differently that could explain the
>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>
>>>> Flo.
>>>>
>>>>> No questions further actually :)
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
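The check Rob proposes, carried out on certutil's text dump, as an added example that is not part of the thread and not FreeIPA or NSS code: the script below parses the `Serial Number` fields from `certutil -L -d <db> -n <nick>` output and reports whether two entries sharing one nickname are genuinely different certificates (the cross-signed intermediate case) or the same certificate imported twice. The sample dump embedded at the bottom is constructed to mimic certutil's format; its serial numbers are made up, and the issuer names are only illustrative. On a live server the function is fed from the real command, as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original thread: decide whether duplicate NSS
# nicknames hold distinct certificates by comparing their serial numbers.

# Extract one serial per certificate from certutil's textual dump on stdin.
# certutil prints short serials inline ("Serial Number: 1 (0x1)") and long
# ones on the following line as colon-separated hex; both forms are handled.
extract_serials() {
    awk '
        /^ *Serial Number:/ {
            rest = $0
            sub(/^ *Serial Number: */, "", rest)
            if (rest != "") { print rest } else { want = 1 }
            next
        }
        want == 1 { gsub(/^ +/, ""); print; want = 0 }
    '
}

# Read a certutil dump from stdin and compare the serials it contains.
# Exit status 0: every serial is distinct (one nickname, several real certs).
# Exit status 1: at least two identical serials (the same cert imported twice).
check_nickname() {
    serials=$(extract_serials)
    total=$(printf '%s\n' "$serials" | grep -c . || true)
    unique=$(printf '%s\n' "$serials" | sort -u | grep -c . || true)
    if [ "$total" -eq "$unique" ]; then
        echo "$total certificate(s), $unique distinct serial(s): distinct certs under one nickname"
        return 0
    fi
    echo "$total certificate(s), $unique distinct serial(s): identical certificate imported twice"
    return 1
}

# Constructed sample (serials are invented, issuers illustrative): what two
# cross-signed intermediates under one nickname look like in certutil's dump.
SAMPLE_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
        Issuer: "CN=Example External Root,O=Example CA,C=SE"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: "CN=Example RSA Root,O=Example CA Limited,C=GB"
'

# Usage on a live system (needs the NSS tools installed):
#   certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA | check_nickname
# Offline run on the constructed sample:
printf '%s' "$SAMPLE_DUMP" | check_nickname
```

Two entries with different serials are the expected outcome for a cross-signed intermediate (the same key certified by two issuers), which is why the duplicate nickname is harmless; identical serials would mean the import was simply repeated and one copy can be dropped.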
