sipazzo wrote:
> Thanks Rob, I apologize that error was probably not helpful. This is
> what I see when running install in debug mode:
>
> Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-corp.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
>
> The certificates are very confusing to me. I don't understand how things
> are working when we have a set of GoDaddy certs in
> slapd-NETWORKFLEET-COM and a set of the Dogtag certs in slapd-PKI-CA.
> The cert in /usr/share/ipa/html/ca.crt looks like the original one
> issued by the Dogtag cert system and matches the ones on the clients.
> Not to further confuse things, but the original master server that signed
> all these certs was taken offline months ago due to some issues it was
> having. I do still have access to it if necessary.
>
> As far as why the GoDaddy certs were swapped out for the Dogtag certs, it
> was originally for something as simple as the untrusted certificate
> dialogue when accessing the IPA GUI. I did not swap out the certs so am
> unsure of exactly what happened. There is no real need to use the
> GoDaddy certs as far as I am concerned. I just want the best solution to
> the issues I am seeing, as I am in kind of a bind with the GoDaddy cert
> being revoked and needing to be replaced and the master Dogtag
> certificate server offline. We have a mixed environment with RHEL 5, 6
> and Solaris clients so are not using sssd in all cases.
>
> I know this is asking a lot but appreciate any help you can give.
What is the current state of things? Does your IPA Apache server work?
Is 389-ds up and running? Do you have a working IPA CA? Does
ipa cert-show 1 work?

If the answer is yes to all then we should be able to generate new certs
for all the services.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
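The NSS error -8179 in the quoted debug output means the client could not find, in its own trust store, the CA that issued the certificate the LDAP server presented; in this thread that is consistent with the clients trusting the Dogtag CA copy in /usr/share/ipa/html/ca.crt while the 389-ds instance serves a certificate from a different issuer. The script below is an added example, not part of the thread or of the FreeIPA project: it reproduces the mismatch offline with constructed certificates and gives a `chain_ok` check you can run against a certificate pulled from a server with `fetch_ldap_cert`. It assumes `openssl` is installed, that the directory server does STARTTLS on port 389 (as the `ldap://...:389` lines in the debug output suggest), and the hostname `ldap.example.test` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduce offline what
# "TLS error -8179: Peer's Certificate issuer is not recognized" means and
# provide a check for a certificate fetched from an LDAP server. Needs openssl.

# Print the issuer DN of a PEM certificate; compare it with the subject of
# the CA the client trusts (e.g. /etc/ipa/ca.crt on an IPA client).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Return 0 if LEAF chains to the CA in CAFILE, 1 otherwise. This is the
# OpenSSL equivalent of the NSS check that fails with -8179 in the thread.
chain_ok() {
    ca="$1"; leaf="$2"
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# Pull the certificate a directory server presents after STARTTLS on 389.
# Not run by the offline demo; HOST is a placeholder.
fetch_ldap_cert() {
    host="$1"
    openssl s_client -starttls ldap -connect "$host:389" </dev/null 2>/dev/null \
        | openssl x509
}

# Build constructed certificates under DIR: "ipa_ca" stands in for the Dogtag
# CA the clients trust, "other_ca" for an unrelated third-party CA, each with
# a leaf it signed. Nothing here is real key material from the thread.
make_demo_certs() {
    dir="$1"
    for ca in ipa_ca other_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=ldap.example.test" \
            -keyout "$dir/$ca-leaf.key" -out "$dir/$ca-leaf.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$ca-leaf.csr" -days 2 \
            -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
            -out "$dir/$ca-leaf.crt" >/dev/null 2>&1
    done
}

# Offline demonstration: run as "sh this.sh demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    echo "client trusts:  $(openssl x509 -in "$tmp/ipa_ca.crt" -noout -subject)"
    for leaf in ipa_ca-leaf other_ca-leaf; do
        echo "server presents: $(cert_issuer "$tmp/$leaf.crt")"
        if chain_ok "$tmp/ipa_ca.crt" "$tmp/$leaf.crt"; then
            echo "  -> chain OK"
        else
            echo "  -> issuer not recognized (what NSS reports as -8179)"
        fi
    done
    rm -rf "$tmp"
fi
```

In the demo, the leaf signed by `ipa_ca` verifies and the one signed by `other_ca` does not, even though both carry the same subject name; the failing case is exactly the situation the client install hits when the served certificate's issuer is not in the client's NSS database. Against a live server, feed the output of `fetch_ldap_cert` into `chain_ok` with the client's CA file as the first argument.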
