[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Fri Feb 14 14:29:22 UTC 2014


Sigbjorn Lie wrote:
>
>
> It would seem like we're still encountering some issues. The date has now passed for when the old
> certificate expired, and the "ipa" cli command no longer works. The webui is still working just
> fine.
>
> These are the errors I receive.
>
> $ ipa user-find
> ipa: ERROR: cert validation failed for "CN=serveripa03.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
> user.)
> ipa: ERROR: cert validation failed for "CN=serveripa01.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
> user.)
> ipa: ERROR: cert validation failed for "CN=serveripa02.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
> user.)
> ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa',
> localedir=None): https://serveripa03.example.com/ipa/xml, https://serveripa01.example.com/ipa/xml,
> https://serveripa02.example.com/ipa/xml

This seems more like a client-side issue. Can you confirm that 
/etc/ipa/ca.crt is correct and that the NSS database in /etc/pki/nssdb 
contains the CA?

certutil -L -d /etc/pki/nssdb -n 'IPA CA'

rob
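
As an added example (not part of the original message or of FreeIPA's own tooling), the script below carries out the check suggested above and goes one step further: it also confirms that the 'IPA CA' entry carries the C trust flag in its SSL field and that its fingerprint matches /etc/ipa/ca.crt. It assumes certutil and openssl are installed; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example. Paths and the 'IPA CA' nickname are those named in the message.

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output ("Old CA" is invented).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
Old CA                                                       ,,'

# Read a `certutil -L` listing on stdin and print the SSL trust field for
# nickname $1. Returns 1 if the nickname is not in the listing.
nss_ssl_trust() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            sub(/^[ \t]+/, "", name)
            if (name == nick) { split($NF, f, ","); print f[1]; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# "C" in the SSL field marks a CA trusted to issue server certificates;
# lowercase "c" or an empty field does not.
ssl_trust_ok() {
    case "$1" in *C*) return 0 ;; *) return 1 ;; esac
}

# Full client-side check: nickname present, trusted for SSL, and the same
# certificate as /etc/ipa/ca.crt (compared by SHA-256 fingerprint).
check_client_ca() {
    db=/etc/pki/nssdb; file=/etc/ipa/ca.crt; nick='IPA CA'
    trust=$(certutil -L -d "$db" | nss_ssl_trust "$nick") ||
        { echo "'$nick' not found in $db"; return 1; }
    ssl_trust_ok "$trust" ||
        { echo "'$nick' has SSL trust '$trust' (no C flag)"; return 1; }
    fp_db=$(certutil -L -d "$db" -n "$nick" -a |
            openssl x509 -noout -fingerprint -sha256)
    fp_file=$(openssl x509 -noout -fingerprint -sha256 -in "$file")
    [ -n "$fp_file" ] && [ "$fp_db" = "$fp_file" ] ||
        { echo "NSS copy of '$nick' differs from $file"; return 1; }
    echo "OK: $fp_file"
}

# Run against the live system only when asked: ./check-ipa-ca.sh --run
if [ "${1:-}" = "--run" ]; then check_client_ca; fi
```

Run it with `--run` on the affected client; without arguments it only defines the functions.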



