Hi Rob,

Yes it does, I understood that there was some reason the duplicate might exist, but I wonder more why does the RootCA show up when I removed it and comes back after adding the two intermediates?

Thanks

Matt

2017-02-20 15:20 GMT+01:00 Rob Crittenden <[email protected]>:
> Matt . wrote:
>> Hi,
>>
>> The install seems to be OK this way, but I'm still confused about the
>> duplicated and the RootCA.
>
> What does this show?
>
> #3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>
> I'm guessing it will show two certs with different serial numbers, which
> means this is a-ok.
>
> rob
>
>>
>> 2017-02-18 14:47 GMT+01:00 Matt . <[email protected]>:
>>> Hi Florence,
>>>
>>>
>>> I'm actually still investigating this as the following occurs.
>>>
>>> I have removed all unneeded certs and installed the 2 intermediates
>>> for Comodo and did an ipa-certupdate which results in this:
>>>
>>> #certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB                 C,,
>>> AddTrustExternalCARoot                                       C,,
>>> ipaCert                                                      u,u,u
>>> COMODORSAAddTrustCA                                          C,,
>>> COMODORSAAddTrustCA                                          C,,
>>> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>>>
>>>
>>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>>> both and start over they are duplicated again. Also the
>>> AddTrustExternalCARoot comes back again even when this was not
>>> installed anymore as it's not needed.
>>>
>>> I'm able to install my cert after the update:
>>>
>>>
>>> #certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB                 C,,
>>> AddTrustExternalCARoot                                       C,,
>>> ipaCert                                                      u,u,u
>>> COMODORSAAddTrustCA                                          C,,
>>> COMODORSAAddTrustCA                                          C,,
>>> IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated
>>> u,u,u
>>>
>>>
>>>
>>> Now this works great for the WebGui which uses the right Certificate
>>> for the ssl connection but ldaps on port 636 seems to use:
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB
>>>
>>>
>>> Do you have any clue about this?
>>>
>>> I'm also curious about what IPA syncs between all hosts, it seems to
>>> be only the Intermediate certs and not the install domains
>>> certificate, this needs to be installed manually after a local
>>> #ipa-certupdate on each node?
>>>
>>> I hope you can clarify this.
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>> 2017-02-17 0:15 GMT+01:00 Matt . <[email protected]>:
>>>> Hi Flo,
>>>>
>>>> Sure I can, I will look through the steps closely tomorrow and will
>>>> create some lineup here.
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>>
>>>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>>>> but with this extra line it doesn't anymore :))
>>>>>>
>>>>>> This works perfectly, thank you very much.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> glad I could help. What did you do differently that could explain the
>>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>>
>>>>> Flo.
>>>>>
>>>>>> No questions further actually :)
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
>>>>>>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
