<div dir="ltr"><div>Externally signed CA - GoDaddy expired.</div><div><br></div><div>Already added new to db /etc/https/alias / -L and configured nickname map in /etc/http/config.d/nss.conf</div><div>Already imported to /etc/slapd/PKI-IPA ... where should I point the nickname?</div><div>Already changed /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif</div><div><br></div><div>Starting and stopping IPA shows no cert issue, but server ipa prepare fails.</div><div><br></div><div>IPA replica still says cert expiry. Anywhere I missed?</div><div><br></div><div><br></div><div>Thanks</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-05-25 19:30 GMT+08:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><span>
    <p><br>
    </p>
    <br>
    <div>On 25.05.2016 04:36, Barry wrote:<br>
    </div>
    <blockquote type="cite">
      <p dir="ltr">Hi:</p>
      <p dir="ltr">In which location should I renew the cert?<br>
        Http/alias<br>
        Etc/dirsrv/slapd*</p>
      <p dir="ltr">Enough?</p>
    </blockquote>
    <br></span>
    We need to know if you have IPA configured with<br>
    * externally signed CA<br>
    * or self-signed CA<br>
    * or if you have any other certificates from different CAs<br>
    <br>
    If I remember correctly you wrote in one email that you have a
    certificate from GoDaddy, which certificate? <br>
    <br>
    In case you have a self-signed CA certificate you should follow:
    <a href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal" target="_blank">http://www.freeipa.org/page/Howto/CA_Certificate_Renewal</a><span class="HOEnZb"><font color="#888888"><br>
    <br>
    Martin</font></span><span><br>
    <blockquote type="cite">
      <div class="gmail_quote">On 24 May 2016 at 10:01 PM, "Rob Crittenden"
        <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><a href="mailto:barrykfl@gmail.com" target="_blank"><a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a> wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
            hi all:<br>
            <br>
            <br>
            Thx, as title<br>
            <br>
            ipa         : ERROR    cert validation failed for "CN=<a href="http://server.abc.com" target="_blank" rel="noreferrer">server.abc.com</a><br>
            <<a href="http://server.abc.com" target="_blank" rel="noreferrer">http://server.abc.com</a>>,O=WISER
            <a href="http://S.COM" target="_blank" rel="noreferrer">S.COM</a> <<a href="http://S.COM" target="_blank" rel="noreferrer"><a href="http://S.COM" target="_blank">http://S.COM</a>>"<br>
            ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has
            expired.)<br>
            preparation of replica failed: cannot connect to<br>
            '<a href="https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>':<br>
            (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate
            has expired.<br>
            cannot connect to<br>
            '<a href="https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>':<br>
            (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has
            expired.<br>
          </a></blockquote>
          <br>
          The root of all your problems is that your certificates are
          expired. Fixing this should be your priority. This is probably
          going to involve going back in time to when the certificates
          are still valid, restarting IPA, restarting certmonger and
          waiting for things to properly renew. It can take some time as
          the certificates don't all renew at once.<br>
          <br>
          I suspect that once renewed and returned to current time the
          rest of your problems will, for the most part, go away.<br>
          <br>
          rob<br>
        </a></blockquote>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
  </span></div>

<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" rel="noreferrer">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" target="_blank" rel="noreferrer">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>