On Tue, Mar 24, 2020 at 02:20:17PM -0000, Hristina Marosevic wrote:
Hi,
please try to add them with
certutil -A -n "CA cert nickname" -t CT,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb
(please note the additional 'T' for 'trusted CA for client authentication') and check if this makes a difference.
bye, Sumit
Hello,
I got the same error:
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [do_verification] (0x0040): Certificate [(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222 \320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's Certificate issuer is not recognized.].\n", 310) = 310
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [do_work] (0x0400): Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [main] (0x0040): do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171]]]] [main] (0x0020): p11_child failed!\n", 89) = 89
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
What I did is: added the CA certs once again, as trusted:
certutil -L -d /etc/pki/nssdb -h all
Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI
root_KZ                       CT,C,C
intermediate_KZ               CT,C,C
and stopped sssd, emptied its cache, started sssd, and restarted sshd afterwards.
BR, Hristina M.
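
Added example, not part of the original thread: a Python script that pulls the p11_child debug messages out of strace output like that quoted above, decodes the octal-escaped UTF-8 in the certificate subject, and maps the NSS error code to its symbolic name. The sample input, the function names and the short error-name table are constructed for illustration.

```python
import re

# Constructed sample in the shape of the strace output above (shortened subject,
# made-up PID and byte counts).
SAMPLE = r'''write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[1234]]]] [do_verification] (0x0040): Certificate [(null)][C=KZ,CN=\320\242\320\225\320\241\320\242] not valid [-8179][Peer's Certificate issuer is not recognized.].\n", 200) = 200
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[1234]]]] [do_work] (0x0400): Certificate is NOT valid.\n", 100) = 100
'''

# NSS error codes (SEC_ERROR_BASE is -8192); only a few common ones listed.
NSS_NAMES = {-8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
             -8179: "SEC_ERROR_UNKNOWN_ISSUER",
             -8172: "SEC_ERROR_UNTRUSTED_ISSUER"}
SIMPLE = {"n": b"\n", "t": b"\t", "r": b"\r", '"': b'"', "\\": b"\\"}
ESCAPE = re.compile(r"\\([0-7]{1,3}|.)")
WRITE = re.compile(r'^write\(2, "((?:[^"\\]|\\.)*)", \d+\)', re.M)
DEBUG = re.compile(r"\[\[sssd\[(\w+)\[(\d+)\]\]\]\] \[(\w+)\] \((0x[0-9a-f]+)\): (.*)")
VERIFY = re.compile(r"Certificate \[[^\]]*\]\[(.*?)\] not valid \[(-\d+)\]\[([^\]]*)\]")

def unescape_strace(s):
    """Undo strace's C-style escapes so \\320\\242 becomes the UTF-8 text it encodes."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(s):
        out += s[pos:m.start()].encode()
        tok = m.group(1)
        out += bytes([int(tok, 8) & 0xFF]) if tok[0] in "01234567" else SIMPLE.get(tok, tok.encode())
        pos = m.end()
    return (out + s[pos:].encode()).decode("utf-8", errors="replace")

def verification_failures(strace_text):
    """Return one dict per p11_child certificate verification failure."""
    found = []
    for raw in WRITE.findall(strace_text):
        dbg = DEBUG.search(unescape_strace(raw))
        hit = dbg and VERIFY.search(dbg.group(5))
        if hit:
            code = int(hit.group(2))
            found.append({"process": dbg.group(1), "function": dbg.group(3),
                          "subject": hit.group(1), "nss_code": code,
                          "nss_name": NSS_NAMES.get(code, "unknown"),
                          "nss_text": hit.group(3)})
    return found

if __name__ == "__main__":
    for failure in verification_failures(SAMPLE):
        print(failure)
```

With the subject readable, it can be compared against the issuer chain that `certutil -L -d /etc/pki/nssdb` lists for the database p11_child is actually using.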