Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1579037
Adding a Root+Intermediate CA certs for the apache frontend as outlined in the "Linux Domain, Identity, Authentication, and Policy Guide", Sections 26.3 and 26.6.

```
# kinit admin
# ipa-cacert-manage -n Apache1_Cert -t C,, install /etc/certs/current/Apache_Cert_CA.cer
# ipa-cacert-manage -n Apache2_Cert -t C,, install /etc/certs/current/Apache_Cert_Trust_CA.cer
# ipa-certupdate
# cat /etc/certs/current/Apache_Cert_CA.cer /etc/certs/current/Apache_Cert_Trust_CA.cer /etc/certs/current/cacert.crt > /etc/certs/current/cert_chain.pem
# ipa-server-certinstall --http /etc/certs/current/server.key /etc/certs/current/cert_chain.pem
```

At this point, the NSSNickname in /etc/httpd/conf.d/nss.conf was set to:

```
'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'
```

Please note the single quotes above.

I ran the following commands to set the server up for SmartCard auth and import the CAs:

```
# kinit admin
# ipa-advise config-server-for-smart-card-auth > /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# chmod 755 /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh
# /root/IPA_Stuff/SmartCard_CA/server_smart_card_script.sh /root/IPA_Stuff/SmartCard_CA/Root_CA_3.cer \
    /root/IPA_Stuff/SmartCard_CA/Ent_Trust_CA.cer /root/IPA_Stuff/SmartCard_CA/example.cer
```

This resulted in the following error:

```
certutil: could not find certificate named "'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'": SEC_ERROR_BAD_DATABASE: security library: bad database.
Can not set trust flags on HTTP certificate
```

Upon further investigation, I found the certificate name wrapped in single quotes in the nss.conf file, removed the single quotes and re-ran the server_smart_card_script.sh. This time it completed successfully without issues, and SmartCard authentication was verified to work correctly.
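The failure above comes from reading the NSSNickname value out of nss.conf verbatim, quotes included, and handing it to certutil. The following is an added example, not code from the ticket or from FreeIPA's ipa-advise script: it parses the nickname from an nss.conf-style fragment and strips surrounding single or double quotes before the value is used. The sample config and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed nss.conf fragment mirroring the quoted nickname from the ticket
# (not a real server's file).
sample_nss_conf() {
  cat <<'EOF'
# constructed nss.conf fragment
NSSEngine on
NSSNickname 'CN=cacert.example.com,OU=EXAMPLE,L=RALEIGH,ST=NC,C=US'
NSSCertificateDatabase /etc/httpd/alias
EOF
}

# Print the NSSNickname value exactly as written in the config (read from stdin).
# Passing this to certutil -M -n "$nick" fails when the value carries quotes,
# because the quotes become part of the nickname that certutil looks up.
raw_nss_nickname() {
  sed -n 's/^[[:space:]]*NSSNickname[[:space:]]*//p' | head -n 1
}

# Print the NSSNickname value with surrounding single or double quotes removed
# and trailing whitespace dropped (read from stdin). Unquoted values pass through.
nss_nickname() {
  raw_nss_nickname \
    | sed "s/^[[:space:]]*'\(.*\)'[[:space:]]*$/\1/; s/^[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/; s/[[:space:]]*$//"
}

# Return 0 when the configured value still carries quotes, i.e. when the
# verbatim value would not match the nickname stored in the NSS database.
nickname_is_quoted() {
  [ "$(sample_nss_conf | raw_nss_nickname)" != "$(sample_nss_conf | nss_nickname)" ]
}
```

Checking `nickname_is_quoted` before calling certutil turns the opaque SEC_ERROR_BAD_DATABASE into a clear configuration finding.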
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1579037
Metadata Update from @frenaud: - Issue assigned to frenaud
Note: this issue does not happen any more on ipa-4-7 because this version is using mod_ssl instead of mod_nss. The fix needs to be made only on ipa-4-6 branch (neither master nor ipa-4-7 requires the fix).
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2376
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)