> -----Original Message-----
> From: Martin Kosek [mailto:[email protected]]
> Sent: Monday, 10 November 2014 10:50 PM
> To: Les Stott; [email protected]
> Subject: Re: [Freeipa-users] restored replica ssl issue
>
> On 11/10/2014 08:34 AM, Les Stott wrote:
> > Hi all,
> >
> > I have a standard freeipa environment under rhel6.
> >
> > One of my replica servers, let's call it "serverB", had issues and I
> > eventually rebuilt it.
> >
> > I rebuilt and restored data, but something wasn't right. Replication wasn't
> > working. I had tried to re-initialize replication but it didn't help.
> >
> > The last thing I did was to ....
> >
> > On serverB
> > ipa-server-install --uninstall
> > getcert list
> > # remove the cert from being tracked (as per info shown after
> > completion of ipa-server-install --uninstall)
> > getcert stop-tracking -i 20131216070540
> > rm /var/lib/ipa/replica-info-serverB.mydomain.com.gpg
> >
> > On server (the master)
> > ipa host-del serverB.mydomain.com.gpg
> > ipa-replica-manage del serverB.mydomain.com.gpg --force
>
> You do not have to run host-del, "ipa-replica-manage del" should take care of
> all records, AFAIK.
>
> > cd /var/lib/ipa
> > rm replica-info- serverB.mydomain.com.gpg
> >
> > This all appeared fine, and seemingly removes serverB completely. So,
> > I then set it back up as a replica in the normal way
>
> I am not sure I follow. What did you do exactly ("set it back up as a
> replica")?
> Did you simply reinstall replica with ipa-replica-install or did you do some
> other step?

Yes, this is what I did.

> > , and this worked well. Replication is working and all looks good except for
> > the FreeIPA Web interface.
> >
> > When I try to browse to https://serverB.mydomain.com/ipa/ui/ I get
> > "unknown Error" in a popup box.
> >
> > In the apache error log I see....
> > [Mon Nov 10 02:08:37 2014] [error] SSL Library Error: -12195 Peer does
> > not recognize and trust the CA that issued your certificate
> >
> > I am not sure what "Peer" references - serverB locally?
>
> Peer should be the machine where you run the browser. You can check the
> Server-Cert in /etc/httpd/alias/ database to see what changed.

Thanks for clarifying that about the peer. Turns out that it was just a saved cert in the browser. Once I removed the saved cert in my browser I could connect and add the new certificate into the browser. Nothing server-side was wrong.

Thanks Martin.

Regards,

Les

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
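The check Martin suggests, comparing the Server-Cert held in /etc/httpd/alias with what a peer is actually shown on port 443, as a small added shell diagnostic; this is not code from the thread or from FreeIPA, and it assumes certutil (nss-tools) and openssl are installed, that the NSS database path and nickname are the ones named in the thread, and that the replica's FQDN is passed as the first argument.

```shell
#!/bin/sh
# Added diagnostic for a reinstalled FreeIPA replica: does the certificate the
# web server presents match the Server-Cert in its NSS database, and which CA
# issued it? Assumptions: nss-tools and openssl installed, database and
# nickname as in the thread, hostname given as $1.
NSSDB=/etc/httpd/alias
NICK=Server-Cert

# Strip a "SHA256 Fingerprint=" label and colons and lowercase the hex, so a
# value from openssl, certutil or a browser certificate dialog compares equal.
normalize_fp() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the certificate actually served on 443 (needs network).
served_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# SHA-256 fingerprint of the Server-Cert stored in the NSS database (run on the replica).
local_fp() {
    certutil -L -d "$NSSDB" -n "$NICK" -a \
      | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# Issuer of the stored Server-Cert, to see whether the CA changed after the reinstall.
local_issuer() {
    certutil -L -d "$NSSDB" -n "$NICK" -a | openssl x509 -noout -issuer
}

# Return 0 when two fingerprints (in any of the accepted formats) are the same.
same_fp() {
    a=$(printf '%s\n' "$1" | normalize_fp)
    b=$(printf '%s\n' "$2" | normalize_fp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print both fingerprints and the issuer; a mismatch points at the server side,
# a match with the browser still complaining points at a stale client-side cert.
report() {
    s=$(served_fp "$1"); l=$(local_fp)
    printf 'served: %s\nnssdb : %s\n%s\n' "$s" "$l" "$(local_issuer)"
    same_fp "$s" "$l" && echo "match" || echo "MISMATCH"
}

if [ $# -gt 0 ]; then report "$1"; fi
```

A fingerprint copied from the browser's certificate viewer can be compared against the server's with `same_fp "<browser value>" "$(local_fp)"`.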
