[Freeipa-users] TLS error on master server / CA issue?

KodaK sakodak at gmail.com
Fri Feb 28 17:10:41 UTC 2014


Hey everyone,

A couple of days ago I started getting the following message:

[jebalicki at slpidml01 ~]$ ipa cert-show 1
ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.com/ipa/xml'
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

I get a similar error in the GUI when looking at hosts.

slpidml01 is my "master" -- the one I initially built.  The other replicas
also replicated the CA.

After some digging (and prompting from Red Hat support) I've found the
following:

[root at slpidml01 ~]# ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D "cn=Directory Manager" -W -b "dc=unix,dc=xxx,dc=com" -x
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

But, interestingly, from another replica:

[jebalicki at slpidml02 ~]$ ldapsearch -ZZ -H ldap://slpidml01.unix.xxx.com -D "cn=Directory Manager" -W -b "dc=unix,dc=xxx,dc=com" -x
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=xxx,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
...

So, obviously some certificate got hosed up somewhere.  I've been digging
but I haven't found it yet.

Anyone have any ideas?

I have a ticket open with RH support, but I think I somehow got put with
someone with a completely different sleep schedule -- I get replies at 3 in
the morning.  So, I'm asking here because I'm impatient. :)

Thanks,

--Jason
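An added diagnostic, not from the original post and not a statement of what broke in Jason's setup: NSS error -8172 means the client does not trust the issuer of the certificate the server presented, and the script below shows, on a constructed CA/server pair plus a second CA with the same subject DN but a different key, why comparing issuer names is not enough and the locally trusted CA copy has to be the exact certificate that signed the server cert. It assumes `openssl` is on the PATH; all certificates are generated on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example; not part of the original post. Builds a constructed CA that
# signs a server cert, plus a "stale" CA with the same subject DN but a
# different key, then checks which CA copy actually validates the server cert.
set -e

# Print "trusted" if CA_FILE ($2) validates SERVER_CERT ($1), else "untrusted".
# The output is grepped because old openssl versions exit 0 even on failure.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

issuer_of()      { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }
subject_of()     { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
fingerprint_of() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# Constructed test material in DIR: ca.crt signs srv.crt; ca-stale.crt carries
# the same subject DN as ca.crt but a different key (a rebuilt/renewed CA).
build_demo_pki() {
    d=$1
    subj='/O=EXAMPLE/CN=Certificate Authority'
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$d/ca-stale.key" -out "$d/ca-stale.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/O=EXAMPLE/CN=ldap.example.test' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.crt" 2>/dev/null
}

# Stand-alone demo: both CAs match the server cert's issuer DN, but only the
# real one validates, so compare fingerprints, not names, when hunting -8172.
demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "issuer of server cert: $(issuer_of "$d/srv.crt")"
    echo "real CA  $(fingerprint_of "$d/ca.crt"): $(verify_chain "$d/srv.crt" "$d/ca.crt")"
    echo "stale CA $(fingerprint_of "$d/ca-stale.crt"): $(verify_chain "$d/srv.crt" "$d/ca-stale.crt")"
    rm -rf "$d"
}
demo
```

On a real host the same `verify_chain` call would take the certificate the LDAP server presents (captured with `openssl s_client -showcerts`) and the CA copy the client trusts, and the fingerprints tell you immediately whether two hosts hold the same CA certificate.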