[Freeipa-users] Error deleting IPA host: SSL peer cannot verify your certificate

Florence Blanc-Renaud flo at redhat.com
Wed Apr 5 06:35:38 UTC 2017


On 04/05/2017 01:17 AM, Chris Herdt wrote:
> Although I had previously been using a self-signed certificate, I
> recently started using a cert signed by InCommon CA on my FreeIPA
> master (still on IPA 3.0.0 at this time).
>
> I added the certificate and intermediate certificates to
> /etc/ssl/certs and the certificate database in
> /etc/dirsrc/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing
> to the new certificate for NSSNickname.
>
> I can log into the web UI, but when I attempt to delete a host I get
> the following error:
>
> Operations Error
> Some entries were not deleted
> Show details
>
> Under "Show details":
> cannot connect to
> 'https://freeipa.example.com:443/ca/agent/ca/displayBySerial':
> (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
>
> Likewise, if I attempt to delete a host using the CLI I get an error message:
>
> # ipa host-del host-01.example.com
> ipa: ERROR: cert validation failed for
> "CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example
> City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
> issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml
>
> If I enable the verbose flag -vv, I see that it is making an HTTP POST
> request to https://freeipa.example.com/ipa/xml.
>
> It looks like Firefox on my local client trusts the certificate, but
> that the server itself does not trust its own certificate when
> connecting to itself. Can anyone advise on how I can address this
> issue?
>

Hi,

The certificate and intermediate certificates need to be added to all
the NSS databases used by FreeIPA. You can find instructions on the page
"Using 3rd part certificates for HTTP/LDAP > Procedure in IPA < 4.1" [1].

HTH,
Flo

[1] 
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
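A check for the condition described in this thread, added here as an example and not part of the original reply or of FreeIPA: it parses the output of `certutil -L -d <db>` for each NSS database and reports where the CA chain is absent or lacks the "C" (trusted CA for SSL) flag, which is what produces SEC_ERROR_UNTRUSTED_ISSUER on the server side. The database paths, nicknames and listings below are constructed sample data.

```python
import re
from typing import Dict, List

# In `certutil -L` output the trust column reads "SSL,S/MIME,JAR/XPI";
# a CA is trusted to issue server certs when its SSL field contains "C".
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attributes from one `certutil -L` listing."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def ssl_ca_trusted(trust: str) -> bool:
    """True when the SSL trust field marks the cert as a trusted CA."""
    return "C" in trust.split(",")[0]


def audit_databases(listings: Dict[str, str], chain: List[str]) -> Dict[str, List[str]]:
    """For each NSS db, list chain nicknames that are missing or not CA-trusted."""
    problems = {}
    for db, text in listings.items():
        certs = parse_certutil_listing(text)
        missing = [n for n in chain if not ssl_ca_trusted(certs.get(n, ",,"))]
        if missing:
            problems[db] = missing
    return problems


# Constructed sample: the httpd database has the chain, the 389-ds one does not.
CHAIN = ["InCommon Intermediate CA", "InCommon Root CA"]
SAMPLE_LISTINGS = {
    "/etc/httpd/alias": (
        "Certificate Nickname                       Trust Attributes\n"
        "                                           SSL,S/MIME,JAR/XPI\n\n"
        "Server-Cert                                u,u,u\n"
        "InCommon Intermediate CA                   C,,\n"
        "InCommon Root CA                           CT,C,C\n"),
    "/etc/dirsrv/slapd-EXAMPLE-COM": (
        "Certificate Nickname                       Trust Attributes\n"
        "                                           SSL,S/MIME,JAR/XPI\n\n"
        "Server-Cert                                u,u,u\n"
        "EXAMPLE.COM IPA CA                         CT,C,C\n"),
}

if __name__ == "__main__":
    for db, nicks in audit_databases(SAMPLE_LISTINGS, CHAIN).items():
        print(f"{db}: missing CA trust for {', '.join(nicks)}")
```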
