On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote:
Hi,
about 'certificate_verification = no_verification', there is an issue which was fixed by https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be but the fix is not in the build you are using. So better continue with 'certificate_verification = no_ocsp'.
Please add all CA certificates to the NSS database /etc/pki/nssdb with the help of the certutil command:
certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d
/etc/pki/nssdb
each CA certificate should get an individual nickname. If your CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END CERTIFICATE lines) you might need to add a '-a' option as well.
If there are still issues please send the strace output.
HTH
bye, Sumit
Hello,
I just tried to add the certificates (intermediate and root CA) to the database and I got the error: "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format." for each one.
The confirugation in sssd is still not changed and no other step is executed due to this error. I think it is important to solve this problem first, and that this one is not related to the sssd configuration and option certificate_verification in the config file. Can you propose me a solution for this?
BR, Hristina