[email protected] wrote:
> I think I already input all ca cert and server cert

man ipa-replica-prepare

rob

> certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> *.wisers.com                                  < it is the server wild card cert already
> EXT-CA                                        CT,C,C   < is the combo cert CA
> ABC.COM IPA CA                                CT,,C
> Server-Cert                                   u,u,u
>
> When I make replica it comes out error from master server central.ABC.com ..any I missing?
>
> Creating SSL certificate for the dogtag Directory Server
> ipa : ERROR cert validation failed for "CN=central.ABC
> ROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> preparation of replica failed: cannot connect to 'https://central.ABC9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>
>
> 2017-03-07 21:51 GMT+08:00 Rob Crittenden <[email protected]>:
>
>> [email protected] wrote:
>>> same as replica gpg making.////...Found this cert 2015 expired only,,? but I follow manual here:
>>>
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
>>
>> If you are using 3rd party certs elsewhere then why not provide 3rd party certs for this replica as well?
>>
>> It seems like you aren't using the IPA-provided CA at all given its certs expired in 2015.
>>
>> rob
>>
>>> It imported as EXT-CA as Alias rather than server cert by default...Is there anywhere pointing wrong ?
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> *.ABC.com                                     ,,
>>> EXT-CA                                        CT,C,C
>>> ABC.COM IPA CA                                CT,,C
>>> Server-Cert                                   u,u,u
>>>
>>>
>>> Request ID '20160516111257':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=ABC.COM
>>>         subject: CN=central.ABC.com,O=ABC.COM
>>>         expires: 2015-11-23 08:42:52 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>         track: yes
>>>         auto-renew: yes
>>>
>>>
>>> 2017-03-07 19:24 GMT+08:00 Barry <[email protected]>:
>>>
>>>> Same as before I already follow part < 4.1 as below:
>>>>
>>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
>>>>
>>>> comdo cert is new cert /
>>>> It seem I m nearly right ....HTTP server side can read trust cert BUT seem dirsrv still lacking of a ca cert to verify it ./..
>>>> but ca.crt changed to new already and imported
>>>>
>>>> ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com - COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>>>>
>>>>
>>>> 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <[email protected]>:
>>>>
>>>>> Hi,
>>>>>
>>>>> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate Authority, and this file may be outdated. Running ipa-certupdate may fix your issue. See [1]
>>>>>
>>>>> If it doesn't, you can start by identifying which certificate expired with
>>>>> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>>>>>
>>>>> HTH,
>>>>> Flo
>>>>>
>>>>> [1] https://pagure.io/freeipa/issue/6375
>>>>>
>>>>> On 03/07/2017 04:14 AM, [email protected] wrote:
>>>>>
>>>>>> gpg
>>>>>>
>>>>>> Creating SSL certificate for the Directory Server
>>>>>> ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>>>>> preparation of replica failed: cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>>>> cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>>>>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>>>>>>     main()
>>>>>>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
>>>>>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
>>>>>>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>>>>>>     raise e

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
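The thread turns on two distinct NSS failures: an expired server certificate (SEC_ERROR_EXPIRED_CERTIFICATE, visible in the `expires:` field of `getcert list`) and an issuer the directory server's NSS database does not trust (SEC_ERROR_UNKNOWN_ISSUER / NSPR -8179, visible in the trust-attribute column of `certutil -L`). The script below is an added example, not code from the thread or from the FreeIPA project: it parses both listings offline and reports which tracking requests are expired, expiring soon or stuck in a non-MONITORING status, and which nicknames in the NSS database actually carry the `C` (trusted CA) flag for SSL. The sample `getcert list` and `certutil -L` output is constructed to mirror the listings quoted above, with the hostnames and realm replaced by `example.test` placeholders; the second tracking request and its expiry date are invented for illustration.

```python
"""Audit certmonger tracking requests and an NSS trust listing offline.

Added example (not from the thread). Sample output is constructed to mirror
`sudo getcert list` and `certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L`, with
example.test placeholders for the real hostnames.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two tracking requests, one broken and one healthy.
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160516111257':
        status: CA_UNREACHABLE
        ca-error: Server at https://central.example.test/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://central.example.test:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=central.example.test,O=EXAMPLE.TEST
        expires: 2015-11-23 08:42:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20160516111305':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=central.example.test,O=EXAMPLE.TEST
        expires: 2017-03-20 08:42:52 UTC
        track: yes
        auto-renew: yes
"""

# Constructed sample: `certutil -L` listing in the shape quoted in the thread.
CERTUTIL_SAMPLE = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.example.test                                               ,,
EXT-CA                                                       CT,C,C
EXAMPLE.TEST IPA CA                                          CT,,C
Server-Cert                                                  u,u,u
"""

# Fixed "now" (the date of the thread) so the audit is reproducible offline.
NOW = datetime(2017, 3, 7, 0, 0, 0, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, with 'expires' parsed to 'expires_at'."""
    entries, current = [], None
    for line in text.splitlines():
        head = re.match(r"^Request ID '([^']+)':", line)
        if head:
            current = {"request_id": head.group(1)}
            entries.append(current)
            continue
        if current is None:  # preamble before the first request block
            continue
        kv = re.match(r"^\s*([A-Za-z][A-Za-z -]*): ?(.*)$", line)
        if kv:
            current[kv.group(1).strip()] = kv.group(2).strip()
    for entry in entries:
        if entry.get("expires"):
            entry["expires_at"] = datetime.strptime(
                entry["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return entries


def audit_tracking(entries, now, warn_days=30):
    """Flag requests that are not MONITORING, already expired, or expiring within warn_days."""
    findings = []
    for e in entries:
        rid, subject = e["request_id"], e.get("subject", "?")
        if e.get("status") != "MONITORING":
            findings.append((rid, "status", "%s %s" % (e.get("status"), e.get("ca-error", ""))))
        exp = e.get("expires_at")
        if exp is None:
            continue
        if exp <= now:
            findings.append((rid, "expired", "%s expired %d days ago" % (subject, (now - exp).days)))
        elif exp - now <= timedelta(days=warn_days):
            findings.append((rid, "expiring", "%s expires in %d days" % (subject, (exp - now).days)))
    return findings


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust flags from `certutil -L` output."""
    trust = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$", line)
        if m:
            trust[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return trust


def ssl_trusted_cas(trust):
    """Nicknames NSS will accept as an issuer for SSL peer verification ('C' in the SSL column)."""
    return sorted(nick for nick, (ssl, _, _) in trust.items() if "C" in ssl)


if __name__ == "__main__":
    for rid, problem, detail in audit_tracking(parse_getcert_list(GETCERT_SAMPLE), NOW):
        print("%s %-8s %s" % (rid, problem, detail))
    print("SSL-trusted CA nicknames:", ", ".join(ssl_trusted_cas(parse_certutil_list(CERTUTIL_SAMPLE))))
```

Run against the real listings by replacing the two sample strings with the output of `sudo getcert list` and `certutil -d <nssdb> -L`. A server certificate whose issuer does not appear in the SSL-trusted list is exactly the -8179 "issuer is not recognized" condition from the directory server log, and any request reported as `expired` is the SEC_ERROR_EXPIRED_CERTIFICATE the replica preparation stumbled on.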
