On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote:
about 'certificate_verification = no_verification', there is an issue
which was fixed by
but the fix is not in the build you are using. So better continue with
'certificate_verification = no_ocsp'.
Please add all CA certificates to the NSS database /etc/pki/nssdb with
the help of the certutil command:
certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d
each CA certificate should get an individual nickname. If your
CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
CERTIFICATE lines) you might need to add a '-a' option as well.
If there are still issues please send the strace output.
I just tried to add the certificates (intermediate and root CA) to the database and I got
the error: "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format." for each one.
The configuration in sssd is still not changed and no other step is executed due to this
error. I think it is important to solve this problem first, and that this one is not
related to the sssd configuration and option certificate_verification in the config file.
Can you propose a solution for this?