[Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

Martin Kosek mkosek at redhat.com
Fri Jul 24 07:33:11 UTC 2015


On 07/10/2015 04:36 PM, Natxo Asenjo wrote:
> hi,
>
> earlier today I was reading a post about the new FreeIPA version on my mobile
> device and got plenty of warnings about an invalid certificate. On a Fedora
> laptop no warnings, but this is the problem:
>
> $ curl -LIv https://www.freeipa.org
> * Rebuilt URL to: https://www.freeipa.org/
> * Hostname was NOT found in DNS cache
> *   Trying 54.227.25.77...
> * Connected to www.freeipa.org (54.227.25.77) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>    CApath: none
> * Server certificate:
> *     subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
> *     start date: Jul 16 00:00:00 2014 GMT
> *     expire date: Jul 19 12:00:00 2016 GMT
> *     common name: www.freeipa.org
> *     issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
> * Peer's Certificate issuer is not recognized.
> * Closing connection 0
> curl: (60) Peer's Certificate issuer is not recognized.
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> You need to add the intermediate DigiCert certificate, it seems.

Hello Natxo,

Sorry for the late reply, I just returned from a longer PTO... I checked the 
site and finally figured out how to stuff the intermediate certificate to our 
OpenShift instance.

The issue now appears to be fixed, please try it and push back if it isn't :-)

Enjoy!
Martin
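
The failure discussed in this thread, reproduced offline as an added example (not part of the original messages): a client that trusts only the root rejects a leaf certificate when the intermediate is not supplied, and accepts it once the intermediate is sent. The three-tier PKI, its subject names and the helper function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed three-tier PKI; every name below is made up for this example.
W=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"

# new_csr NAME CN: generate a key pair and a certificate signing request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -out "$W/$1.csr" -subj "/CN=$2" 2>/dev/null
}

make_chain() {
  # Root CA: self-signed, the only certificate the client trusts.
  new_csr root "Example Root CA" &&
  openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" \
    -extfile "$W/ca.ext" -days 30 -out "$W/root.pem" 2>/dev/null &&
  # Intermediate CA: signed by the root; the server is expected to send it.
  new_csr int "Example Intermediate CA" &&
  openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -extfile "$W/ca.ext" -days 30 -out "$W/int.pem" 2>/dev/null &&
  # Leaf: signed by the intermediate, like a site certificate.
  new_csr leaf "www.example.test" &&
  openssl x509 -req -in "$W/leaf.csr" -CA "$W/int.pem" -CAkey "$W/int.key" \
    -CAcreateserial -days 30 -out "$W/leaf.pem" 2>/dev/null
}

# Server sends only the leaf: no path from the leaf to the trusted root.
verify_leaf_only() {
  openssl verify -CAfile "$W/root.pem" "$W/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Server also sends the intermediate (untrusted input used for path building).
verify_with_intermediate() {
  openssl verify -CAfile "$W/root.pem" -untrusted "$W/int.pem" \
    "$W/leaf.pem" 2>&1 | grep -q ': OK$'
}

make_chain || { echo "openssl chain generation failed" >&2; exit 1; }
if verify_leaf_only; then echo "leaf only: OK"; else echo "leaf only: FAIL (issuer not recognized)"; fi
if verify_with_intermediate; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: FAIL"; fi
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, so a chain containing only the leaf is visible directly.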



