[Freeipa-users] CA cert issues

Orion Poplawski orion at cora.nwra.com
Wed Jan 16 23:28:20 UTC 2013


I've installed ipa 2.2 on EL6.  I initially simply did an ipa-server-install.
Then I changed the cert used via ipa-server-certinstall to use a wildcard
SSL cert issued by Comodo.  This has led to a lot of grief and needing to
install the Comodo CA chain into lots of SSL dbs.

Now I'm looking at replicating the server with:

ipa-replica-prepare ipapub.cora.nwra.com \
  --dirsrv_pkcs12=STAR_cora_nwra_com.p12 --dirsrv_pin=xxxxx \
  --http_pkcs12=STAR_cora_nwra_com.p12 --http_pin=xxxxxx

But I get:

Preparing replica for ipapub.cora.nwra.com from ipa.cora.nwra.com
Copying SSL certificate for the Directory Server from STAR_cora_nwra_com.p12
Creating SSL certificate for the dogtag Directory Server
ipa: ERROR: cert validation failed for "CN=ipa.cora.nwra.com,O=NWRA.COM" 
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
trusted by the user.)
preparation of replica failed: cannot connect to 
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno 
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked 
as not trusted by the user.
cannot connect to 
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno 
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked 
as not trusted by the user.
  File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 353, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dogtagcert",
replica_fqdn, subject_base)
  File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
    raise e

Any suggestions?

I don't really understand how the dogtag ca fits in with this scenario. 
Should I just get rid of it?  Can I?

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
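An added diagnostic, not code from the original post or from the FreeIPA project. NSS reports SEC_ERROR_UNTRUSTED_ISSUER (-8172) when the peer certificate's issuer chain is present in the client's certificate database but ends at an entry that is not flagged as a trusted CA; a chain whose issuer is missing altogether gives SEC_ERROR_UNKNOWN_ISSUER (-8179) instead. So the useful check is which entries in the NSS database the failing client reads lack SSL trust. The script below parses `certutil -L` output and lists entries whose SSL trust column carries neither C/T (trusted CA) nor u (own key present). The database paths in the comments (/etc/httpd/alias, /etc/dirsrv/slapd-*/) are assumptions about where ipa-replica-prepare looks; the embedded listing and its nicknames are constructed for the example.

```shell
#!/bin/sh
# Added example: find NSS certificate-database entries that NSS would not
# accept as a trusted SSL issuer. Assumed usage on a live IPA server:
#   certutil -L -d /etc/httpd/alias | ca_entries_without_ssl_trust
#   certutil -L -d /etc/dirsrv/slapd-REALM | ca_entries_without_ssl_trust
# (which database the failing client consults is an assumption here).

# Read a `certutil -L` listing on stdin; print "nickname<TAB>trust" for each
# entry whose SSL trust column (first of the three) has no C, T or u flag.
# certutil trust letters: C = trusted CA, T = trusted CA for client auth,
# c = valid CA but not trusted, P/p = trusted/valid peer, u = own cert with key.
ca_entries_without_ssl_trust() {
    awk '
        /^Certificate Nickname/   { next }   # header line
        /SSL,S\/MIME,JAR\/XPI/    { next }   # column legend line
        NF == 0                   { next }   # blank separator
        {
            trust = $NF                      # e.g. "CT,C,C", "u,u,u", ",,"
            nick  = substr($0, 1, length($0) - length(trust))
            sub(/[ \t]+$/, "", nick)
            split(trust, col, ",")
            # Empty or "c"-only SSL column: present but not trusted to issue
            # server certs, which is what SEC_ERROR_UNTRUSTED_ISSUER reflects.
            if (col[1] !~ /[CTu]/) printf "%s\t%s\n", nick, trust
        }
    '
}

# Convenience wrapper for a real database directory (needs nss-tools).
check_nssdb() {
    certutil -L -d "$1" | ca_entries_without_ssl_trust
}

# Constructed listing in the shape certutil -L prints; nicknames are made up.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE IPA CA                                               CT,C,C
Comodo Intermediate CA (constructed)                         ,,
Comodo Root CA (constructed)                                 c,,
EOF
}

# Once an offending entry is identified, the trust flags are changed with
# certutil -M (modify trust), e.g.
#   certutil -M -d /etc/httpd/alias -n 'Comodo Root CA (constructed)' -t 'CT,C,C'
# and a missing issuer is added with
#   certutil -A -d /etc/httpd/alias -n 'Comodo Root CA' -t 'CT,C,C' -a -i root.pem

sample_listing | ca_entries_without_ssl_trust
```

Only one entry in the chain needs the C flag for validation to succeed: an intermediate listed with `,,` is harmless when the root above it is trusted, so read the output as a list of candidates and trace the chain of the certificate that the server on port 9444 actually presents (`openssl s_client -connect ipa.cora.nwra.com:9444 -showcerts`) before changing any flags.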