It's kind of a pain to use ipa-getcert with mod_nss because it isn't automatically adding the IPA CA certificate as a trusted CA, which means you can't use NSSEnforceValidCerts.
ipa-getcert should at least offer an option to install the IPA CA cert as a trusted CA when manipulating nssdbs.
Assuming the host is enrolling you can do:
Opened an RFE against certmonger, https://bugzilla.redhat.com/show_bug.cgi?id=759545
Shouldn't this be a part of the ipa-client installation to execute the command above after fetching IPA cert during the installation?
ipa-client-install adds it to /etc/pki/nssdb
In this case he is requesting a new certificate for a different service, HTTP, which uses a separate NSS database.
Changing 3.2 priority
Metadata Update from @jcape: - Issue assigned to rcritten - Issue set to the milestone: Future Releases
This was fixed in certmonger. Add -a <dbdir> to install the IPA chain into the database.
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)