[Freeipa-users] restored replica ssl issue
Les Stott
Less at imagine-sw.com
Tue Nov 11 00:15:50 UTC 2014
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Monday, 10 November 2014 10:50 PM
> To: Les Stott; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] restored replica ssl issue
>
> On 11/10/2014 08:34 AM, Les Stott wrote:
> > Hi all,
> >
> > I have a standard freeipa environment under rhel6.
> >
> > One of my replica servers, let's call it "serverB" had issues and I eventually
> rebuilt it.
> >
> > I rebuilt and restored data, but something wasn't right. Replication wasn't
> working. I had tried to re-initialize replication but it didn't help.
> >
> > The last thing I did was to ....
> >
> > On serverB
> > ipa-server-install --uninstall
> > getcert list
> > # remove the cert from being tracked (as per info shown after completion of ipa-server-install --uninstall)
> > getcert stop-tracking -i 20131216070540
> > rm /var/lib/ipa/replica-info-serverB.mydomain.com.gpg
> >
> > On server (the master)
> > ipa host-del serverB.mydomain.com.gpg
> > ipa-replica-manage del serverB.mydomain.com.gpg --force
>
> You do not have to run host-del, "ipa-replica-manage del" should take care of
> all records, AFAIK.
>
> > cd /var/lib/ipa
> > rm replica-info-serverB.mydomain.com.gpg
> >
> > This all appeared fine, and seemingly removes serverB completely. So,
> > I then set it back up as a replica in the normal way
>
> I am not sure I follow. What did you do exactly ("set it back up as a replica")?
> Did you simply reinstall replica with ipa-replica-install or did you do some
> other step?
Yes, this is what I did.
>
> > ,and this worked well. Replication is working and all looks good except for
> the FreeIPA Web interface.
> >
> > When I try to browse to https://serverB.mydomain.com/ipa/ui/ I get
> "unknown Error" in a popup box.
> >
> > In the apache error log I see....
> > [Mon Nov 10 02:08:37 2014] [error] SSL Library Error: -12195 Peer does
> > not recognize and trust the CA that issued your certificate
> >
> > I am not sure what "Peer" references - serverB locally?
>
> Peer should be the machine where you run the browser. You can check the
> Server-Cert in /etc/httpd/alias/ database to see what changed.
>
Thanks for clarifying that about the peer.
Turns out that it was just a saved cert in the browser. Once I removed the saved cert in my browser I could connect and add the new certificate into the browser.
Nothing server-side was wrong.
Thanks Martin.
Regards,
Les
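A quick way to separate the two possible causes of NSS error -12195 (the server's Server-Cert no longer chaining to the IPA CA, versus a stale certificate saved in the browser) is to fetch what the reinstalled replica actually presents on port 443 and verify it against the IPA CA the client trusts. This is an added example, not code from the thread or from FreeIPA itself; it assumes openssl is installed, that `/etc/ipa/ca.crt` holds the IPA CA on the client, and uses placeholder host names.

```bash
#!/bin/sh
# Added example (not from the thread): check whether the certificate a
# replica presents chains to the IPA CA, so that a browser-side problem
# (stale saved cert) can be told apart from a server-side one.
# Assumptions: openssl is available; /etc/ipa/ca.crt is the IPA CA on the
# client; host names and paths below are placeholders.

# Fetch the leaf certificate a TLS server presents on port 443 (PEM on stdout).
fetch_server_cert() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# Return 0 if the PEM certificate in $1 chains to the CA in $2, non-zero otherwise.
chains_to_ca() {
    cert_file="$1"
    ca_file="$2"
    openssl verify -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1
}

# Print the issuer DN of a PEM certificate, for comparison with the CA subject.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Verdict for one replica: server side OK (look at the browser) or not.
diagnose() {
    host="$1"
    ca_file="${2:-/etc/ipa/ca.crt}"
    tmp=$(mktemp)
    fetch_server_cert "$host" > "$tmp"
    if chains_to_ca "$tmp" "$ca_file"; then
        echo "$host: Server-Cert chains to $ca_file; server side OK, suspect a stale cert saved in the browser"
    else
        echo "$host: Server-Cert does NOT chain to $ca_file; inspect Server-Cert in /etc/httpd/alias"
        cert_issuer "$tmp"
    fi
    rm -f "$tmp"
}

# Usage (placeholder host): diagnose serverB.mydomain.com
```

Run `diagnose serverB.mydomain.com` from the machine where the browser runs, since that is the "peer" the error message refers to.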