[Freeipa-users] Fw: Need to replace cert for ipa servers
sipazzo
sipazzo at yahoo.com
Thu Mar 12 18:54:59 UTC 2015
I do have other CAs (just not the master but it is available offline if needed)
Directory server is running
The Apache web server is running and I can get to the gui
ipa cert-show 1 works
Are the TLS errors due to the mismatch in certs between slapd-PKI-CA and slapd-NETWORKFLEET-COM?
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rob Crittenden
Sent: Wednesday, March 11, 2015 7:20 PM
To: sipazzo; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers
sipazzo wrote:
> Thanks Rob, I apologize that error was probably not helpful. This is
> what I see when running install in debug mode:
>
> Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an
> IPA server Init LDAP connection with:
> ldap://ipa2-corp.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
> is not recognized.
> Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA
> server Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
> is not recognized.
> Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA
> server Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
> is not recognized.
> Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA
> server Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
> is not recognized.
> Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA
> server Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer
> is not recognized.
>
> The certificates are very confusing to me. I don't understand how
> things are working when we have a set of GoDaddy certs in
> slapd-NETWORKFLEET-COM and a set of the Dogtag certs in slapd-PKI-CA.
> The cert in /usr/share/ipa/html/ca.crt looks like the original one
> issued by the Dogtag cert system and matches the ones on the clients.
> Not to further confuse things but the original master server that
> signed all these certs was taken offline months ago due to some issues
> it was having. I do still have access to it if necessary.
>
> As far as why the GoDaddy certs were swapped out for the Dogtag certs
> it was originally for something as simple as the untrusted certificate
> dialogue when accessing the ipa gui. I did not swap out the certs so
> am unsure of exactly what happened. There is no real need to use the
> GoDaddy certs as far as I am concerned. I just want the best solution
> to the issues I am seeing as I am in kind of a bind with the GoDaddy
> cert being revoked and needing to be replaced and the master Dogtag
> certificate server offline. We have a mixed environment with RHEL 5, 6
> and Solaris clients, so are not using sssd in all cases.
>
> I know this is asking a lot, but I appreciate any help you can give.
What is the current state of things? Does your IPA Apache server work?
Is 389-ds up and running? Do you have a working IPA CA?
Does ipa cert-show 1 work?
If the answer is yes to all then we should be able to generate new certs for all the services.
rob
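A way to check the -8179 symptom from the thread directly, as an added example that is not from the thread or from the FreeIPA project: verify that the certificate each IPA server presents on LDAP StartTLS actually chains to the CA certificate the clients hold (/usr/share/ipa/html/ca.crt in the post above). It assumes an openssl with `-starttls ldap` support (1.1.1 or later); the host names and CA path are whatever you pass in.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. NSS error -8179
# (SEC_ERROR_UNKNOWN_ISSUER) means the client could not find the issuer of
# the presented server certificate in its own trust store. These helpers
# reproduce that check with openssl against a CA file of your choosing.

# cert_issued_by LEAF.pem CA.pem -> exit 0 if LEAF chains to CA, non-zero otherwise
cert_issued_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# fetch_ldap_cert HOST OUT.pem -> saves the leaf cert presented on LDAP StartTLS
# (assumes openssl >= 1.1.1 for -starttls ldap)
fetch_ldap_cert() {
    openssl s_client -connect "$1:389" -starttls ldap -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2" 2>/dev/null
}

# check_ipa_servers CA.pem HOST... -> one line per host; returns 1 if any host
# presents a certificate that does not chain to CA.pem
check_ipa_servers() {
    ca="$1"; shift; rc=0
    for h in "$@"; do
        tmp=$(mktemp)
        if fetch_ldap_cert "$h" "$tmp" && cert_issued_by "$tmp" "$ca"; then
            echo "$h: OK (issuer trusted via $ca)"
        else
            echo "$h: FAIL (a client trusting only $ca would report TLS error -8179)"
            rc=1
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Example invocation (hypothetical host names, placeholder for the real ones):
# check_ipa_servers /usr/share/ipa/html/ca.crt ipa1.example.com ipa2.example.com
```

Running it with the clients' ca.crt and then with the CA used for the GoDaddy-issued certificates tells you which of the two issuers each server is actually presenting.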