Same as with the replica gpg making... Found only this cert expired (2015)? But I followed the manual here:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

It imported as EXT-CA as alias rather than server cert by default... Is there anything pointing wrong?

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

*.ABC.com                           ,,
EXT-CA                              CT,C,C
ABC.COM IPA CA                      CT,,C
Server-Cert                         u,u,u

Request ID '20160516111257':
	status: CA_UNREACHABLE
	ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=ABC.COM
	subject: CN=central.ABC.com,O=ABC.COM
	expires: 2015-11-23 08:42:52 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
	track: yes
	auto-renew: yes

2017-03-07 19:24 GMT+08:00 Barry <[email protected]>:
> Same as before, I already followed part < 4.1 as below:
>
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
> Comodo cert is new cert.
> It seems I am nearly right.... HTTP server side can read the trust cert,
> BUT it seems dirsrv is still lacking a CA cert to verify it...
> but ca.crt was changed to the new one already and imported.
>
> ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com -
> COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>
> 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <[email protected]>:
>
>> Hi,
>>
>> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as
>> Certificate Authority, and this file may be outdated. Running
>> ipa-certupdate may fix your issue. See [1]
>>
>> If it doesn't, you can start by identifying which certificate expired with
>> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>>
>> HTH,
>> Flo
>>
>> [1] https://pagure.io/freeipa/issue/6375
>>
>> On 03/07/2017 04:14 AM, [email protected] wrote:
>>
>>> gpg
>>>
>>> Creating SSL certificate for the Directory Server
>>> ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM"
>>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>> preparation of replica failed: cannot connect to
>>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>> cannot connect to
>>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>>>     main()
>>>
>>>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
>>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>>>         replica_fqdn, subject_base)
>>>
>>>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>>>     raise e
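Flo's `getcert list | egrep -e 'expires|Request ID|subject'` check, taken one step further as an added example that is not code from this thread, from FreeIPA or from certmonger: a POSIX shell function, `report_certs` (the name is ours), that parses full `getcert list` output and marks each tracked request as EXPIRED, CA_ERROR, both, or OK as of a reference UTC time. The sample it runs on is constructed: the first entry reproduces the CA_UNREACHABLE request quoted above, while the other two request IDs, their dates, the CA_WORKING status and the second ca-error text are invented for contrast.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or certmonger): summarise
# `getcert list` output and flag requests that are expired or in a CA error
# state, as of a reference time given in UTC as "YYYY-MM-DD HH:MM:SS".
#
# Real use on an IPA server:
#   sudo getcert list | report_certs "$(date -u +'%Y-%m-%d %H:%M:%S')"

# report_certs REF_TIME   (reads getcert output on stdin)
# One line per request: "<FLAGS> <request id> expires=<ts> status=<st> subject=<dn>"
# FLAGS is EXPIRED, CA_ERROR, EXPIRED+CA_ERROR or OK. certmonger prints expiry
# as "YYYY-MM-DD HH:MM:SS UTC", so a plain string comparison against REF_TIME
# (same fixed-width format, also UTC) is a correct chronological comparison.
report_certs() {
    awk -v ref="$1" -v q="'" '
        function flush(    flags) {
            if (id == "") return
            flags = ""
            if (expires != "" && expires < ref) flags = "EXPIRED"
            # status CA_* (CA_UNREACHABLE, CA_WORKING, ...) or any ca-error line
            # means certmonger could not complete the request against the CA
            if (status ~ /^CA_/ || caerr != "")
                flags = (flags == "") ? "CA_ERROR" : flags "+CA_ERROR"
            if (flags == "") flags = "OK"
            printf "%s %s expires=%s status=%s subject=%s\n", flags, id, expires, status, subject
        }
        /^Request ID/ {
            flush()                      # emit the previous request, if any
            id = $3; gsub(q, "", id); gsub(/:/, "", id)
            status = ""; expires = ""; subject = ""; caerr = ""
        }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*ca-error:/ { caerr = $0 }
        /^[ \t]*expires:/  { expires = $2 " " $3 }
        /^[ \t]*subject:/  { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        END { flush() }
    '
}

# Constructed sample: the CA_UNREACHABLE entry quoted in the thread, plus two
# invented entries (IDs, dates, status and error text are made up) for contrast.
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160516111257':
	status: CA_UNREACHABLE
	ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=ABC.COM
	subject: CN=central.ABC.com,O=ABC.COM
	expires: 2015-11-23 08:42:52 UTC
	track: yes
	auto-renew: yes
Request ID '20160516111300':
	status: MONITORING
	stuck: no
	CA: IPA
	issuer: CN=Certificate Authority,O=ABC.COM
	subject: CN=central.ABC.com,O=ABC.COM
	expires: 2019-05-16 11:13:00 UTC
	track: yes
	auto-renew: yes
Request ID '20160516111305':
	status: CA_WORKING
	ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 4301 (constructed sample error text).
	stuck: no
	CA: IPA
	issuer: CN=Certificate Authority,O=ABC.COM
	subject: CN=Certificate Authority,O=ABC.COM
	expires: 2019-05-16 11:13:05 UTC
	track: yes
	auto-renew: yes
EOF
}

# Demo run against the constructed sample, as of the date of the thread.
sample_getcert | report_certs "2017-03-07 19:24:00"
```

The flags are combined rather than exclusive because a request can be in both states at once, as in the thread: Server-Cert expired on 2015-11-23 and certmonger's retry fails with SEC_ERROR_UNKNOWN_ISSUER. When a tracked request shows EXPIRED, the ca-error line is the one to read first, since auto-renew cannot complete while the CA is unreachable.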
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
