[Freeipa-users] can't register new clients
Rob Crittenden
rcritten at redhat.com
Fri Dec 5 22:10:53 UTC 2014
Megan . wrote:
> Sorry for being unclear. It still fails. Same error.
Hmm, strange. Try being explicit about sql:
# certutil -L -d sql:/etc/pki/nssdb
And if there is a CA cert there, delete it.
rob
>
> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
> Megan . wrote:
> > Thanks.
> >
> > I did have an issue last week where I tried to do the client install
> > and it failed because of a firewall issue. Networks has it opened
> > now. I deleted ca.crt before trying again. There doesn't seem to be
> > a certificate in /etc/pki/nssdb for it.
> >
> >
> >
> > [root at data2-uat ipa]# certutil -L -d /etc/pki/nssdb
> >
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> >
> > [root at data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
> >
> > certutil: could not find certificate named "IPA CA":
> > SEC_ERROR_BAD_DATABASE: security library: bad database.
> >
> > [root at data2-uat ipa]# ls
> >
> > [root at data2-uat ipa]# pwd
> >
> > /etc/ipa
> >
> > [root at data2-uat ipa]# ls -al
> >
> > total 16
> >
> > drwxr-xr-x. 2 root root 4096 Dec 5 21:16 .
> >
> > drwxr-xr-x. 82 root root 12288 Dec 5 21:16 ..
> >
> > [root at data2-uat ipa]#
>
> So trying to install the client again fails or succeeds now?
>
> rob
>
> >
> > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >> Rob Crittenden wrote:
> >>> Megan . wrote:
> >>>> Good Day!
> >>>>
> >>>> I am getting an error when I register new clients.
> >>>>
> >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
> >>>>
> >>>> I can't find anything useful on the internet about the error. Can
> >>>> someone help me troubleshoot?
> >>>>
> >>>> CentOS 6.6 x64
> >>>> ipa-client-3.0.0-42.el6.centos.x86_64
> >>>> ipa-server-3.0.0-42.el6.centos.x86_64
> >>>> curl-7.19.7-40.el6_6.1.x86_64
> >>>
> >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
> >>> any testing on the client with this set.
> >>
> >> Never mind, that's not it. The problem is:
> >>
> >> * NSS error -8054
> >>
> >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
> >>
> >> So I'd do this:
> >>
> >> # rm /etc/ipa/ca.crt
> >>
> >> You may also want to ensure that the IPA CA certificate isn't in
> >> /etc/pki/nssdb:
> >>
> >> # certutil -L -d /etc/pki/nssdb
> >>
> >> And then perhaps
> >>
> >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
> >>
> >> rob
> >>
>
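
The check discussed in this thread, as an added example that is not part of the original messages: it looks for the 'IPA CA' nickname in both the dbm: and sql: formats of /etc/pki/nssdb, because a path given without a prefix only opens the default database format. The function names and the sample listing are constructed for illustration; the nickname and paths are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): look for a leftover CA certificate in
# both NSS database formats. Nickname and paths are the ones used in the thread.
NSSDB=${NSSDB:-/etc/pki/nssdb}
NICK=${NICK:-IPA CA}

# Constructed sample of `certutil -L` output, used only to exercise the parser.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
Old IPA CA backup                                            ,,'

# nick_in_listing NICK: read `certutil -L` output on stdin; succeed only if a
# row has exactly NICK in the nickname column (a plain grep for "IPA CA"
# would also match "Old IPA CA backup").
nick_in_listing() {
    awk -v want="$1" '
        # Data rows end in a trust-flag triple such as "CT,C,C" or ",,".
        /[ \t][A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/ {
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "")
            if ($0 == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_nssdb DIR NICK: report each database format that still holds NICK.
# Returns 0 if neither format has it, 1 if a stale entry was found.
check_nssdb() {
    dir=$1 nick=$2 stale=0
    for prefix in dbm: sql:; do
        if certutil -L -d "${prefix}${dir}" 2>/dev/null | nick_in_listing "$nick"; then
            echo "found '$nick' in ${prefix}${dir}"
            echo "  remove with: certutil -D -n '$nick' -d ${prefix}${dir}"
            stale=1
        fi
    done
    return $stale
}

if command -v certutil >/dev/null 2>&1; then
    [ -e /etc/ipa/ca.crt ] && echo "leftover /etc/ipa/ca.crt is present"
    check_nssdb "$NSSDB" "$NICK" || echo "clean up the entries above before re-running the client install"
fi
```
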