[Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Joseph, Matthew (EXP)
matthew.joseph at lmco.com
Thu Apr 11 10:24:22 UTC 2013
Hey,
Here is the output;
Server-Cert u,u,u
I am using nss-3-13.3-6
I am using the IPA CA.
Matt
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
>
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph,
> Matthew (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install
> errors
>
> Hey,
>
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that
> issued your certificate.
>
> Matt
>
Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. To check if you are using MD5 certificate signatures, use this command to examine the certificates -
cerutil -L -d/etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert
If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.
Are you using the IPA CA, or are you managing the CA independently of IPA?
--
Jatin Nansi
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list