Hi: Which location i should renew cert? Http/alias Etc/dirsrv/slapd* Enough? <div class="gmail_quote">2016年5月24日下午10:01 於 "Rob Crittenden" <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> 寫道： <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> hi all: Thx ad title ipa : ERROR cert validation failed for "CN=<a href="http://server.abc.com" rel="noreferrer" target="_blank">server.abc.com</a> <<a href="http://server.abc.com" rel="noreferrer" target="_blank">http://server.abc.com</a>>,O=WISER <a href="http://S.COM" rel="noreferrer" target="_blank">S.COM</a> <<a href="http://S.COM" rel="noreferrer" target="_blank">http://S.COM</a>>" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) preparation of replica failed: cannot connect to '<a href="https://server.ABC.com:944" rel="noreferrer" target="_blank">https://server.ABC.com:944</a> 4/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certi ficate has expired. cannot connect to '<a href="https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClie" rel="noreferrer" target="_blank">https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClie</a> nt': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired. </blockquote> The root of all your problems is that your certificates are expired. Fixing this should be your priority. This is probably going to involve going back in time to when the certificates are still valid, restarting IPA, restarting certmonger and waiting for things to properly renew. It can take some time as the certificates don't all renew at once. I suspect that once renewed and returned to current time the rest of your problems will, for the most part, go away. rob </blockquote></div>