[Freeipa-users] Make Gpg replica fail, where cert store I should update new?
Florence Blanc-Renaud
flo at redhat.com
Tue Mar 7 09:16:59 UTC 2017
Hi,

In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as
Certificate Authority, and this file may be outdated. Running
ipa-certupdate may fix your issue. See [1]

If it doesn't, you can start by identifying which certificate expired with

$ sudo getcert list | egrep -e 'expires|Request ID|subject'

HTH,
Flo

[1] https://pagure.io/freeipa/issue/6375

On 03/07/2017 04:14 AM, barrykfl at gmail.com wrote:
> gpg
>
> Creating SSL certificate for the Directory Server
> ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> preparation of replica failed: cannot connect to
> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> cannot connect to
> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
> main()
>
> File "/usr/sbin/ipa-replica-prepare", line 361, in main
> export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
> replica_fqdn, subject_base)
>
> File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
> raise e
>
>
>
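
The expiry check suggested in the reply above, taken one step further as an added example (it is not part of the original thread and not FreeIPA code): instead of reading every `expires` line by eye, it prints only the tracked certificates whose expiry is already in the past. The function names `expired_certs` and `sample_getcert_list` are hypothetical, the sample records are constructed, and it assumes the `expires: YYYY-MM-DD HH:MM:SS UTC` layout printed by `getcert list`.

```shell
#!/bin/sh
# Added example: list certmonger-tracked certificates that have already expired.
# Usage on an IPA server:  sudo getcert list | expired_certs
# Optional argument: reference time "YYYY-MM-DD HH:MM:SS" in UTC (default: now).

expired_certs() {
    now=${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}
    awk -v now="$now" -v q="'" '
        # Print the finished record if its expiry sorts before the reference time.
        # Both timestamps are fixed-width UTC strings, so string order is time order.
        function emit() {
            if (id != "" && expires != "" && (expires "" < now ""))
                printf "%s\t%s\t%s\n", id, expires, subject
            id = ""; subject = ""; expires = ""
        }
        $1 == "Request" && $2 == "ID" { emit(); split($0, part, q); id = part[2]; next }
        $1 == "subject:" { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0; next }
        $1 == "expires:" { expires = $2 " " $3; next }
        END { emit() }
    '
}

# Constructed sample in the layout of `getcert list` output (all values are made up).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150101000001':
    status: CA_UNREACHABLE
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-02-20 10:00:00 UTC
Request ID '20150101000002':
    status: MONITORING
    subject: CN=central.example.test,O=EXAMPLE.TEST
    expires: 2018-11-05 12:00:00 UTC
Request ID '20150101000003':
    status: CA_UNREACHABLE
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2017-01-15 08:30:00 UTC
EOF
}

# Demo run against the constructed sample, with a fixed reference time.
# Output columns: request ID, expiry (UTC), subject.
sample_getcert_list | expired_certs "2017-03-07 09:16:59"
```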