[Freeipa-users] Make Gpg replica fail, where cert store I should update new?

Barry kliu at alumni.warwick.ac.uk
Tue Mar 7 11:24:33 UTC 2017


Same as before, I already followed the part for < 4.1, as below:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

The Comodo cert is the new cert.
It seems I'm nearly right... The HTTP server side can read the trust cert,
BUT it seems dirsrv is still lacking a CA cert to verify it...
but ca.crt has already been changed to the new one and imported.

ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com -
COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)


2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <flo at redhat.com>:

> Hi,
>
> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate
> Authority, and this file may be outdated. Running ipa-certupdate may fix
> your issue. See [1]
>
> If it doesn't, you can start by identifying which certificate expired with
> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/6375
>
> On 03/07/2017 04:14 AM, barrykfl at gmail.com wrote:
>
>> gpg
>>
>> Creating SSL certificate for the Directory Server
>> ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>>     main()
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>>     raise e
>>
>>
>>
>>
>
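
The `getcert list` filter suggested in the quoted reply, taken one step further, as an added example that is not part of the thread: it reports only the tracked certificates that have already expired, together with the store and nickname each one lives in. The function names, the sample listing and the `EXAMPLE.TEST` values are constructed for illustration, and the script assumes the `expires: YYYY-MM-DD HH:MM:SS UTC` line format that certmonger prints.

```shell
#!/bin/sh
# Added example (not from the thread): report expired certmonger entries.
# Live use:  sudo getcert list | expired_certs
# $1 (optional): reference time "YYYY-MM-DD HH:MM:SS" in UTC, default: now.
expired_certs() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" '
        # A new tracked certificate starts at each "Request ID" header.
        /^Request ID/ {
            split($0, q, "\047"); id = q[2]
            store = ""; nick = ""; subject = ""
        }
        # certificate: type=NSSDB,location=<store>,nickname=<nick>,...
        /^[ \t]*certificate:/ { split($0, c, "\047"); store = c[2]; nick = c[4] }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        /^[ \t]*expires:/ {
            # ISO-ordered timestamps compare correctly as plain strings.
            when = $2 " " $3
            if ((when "") < (now ""))
                printf "%s\t%s\t%s\t%s\t%s\n", id, when, store, nick, subject
        }
    '
}

# Constructed sample in the layout of `getcert list` (values are made up).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150307000001':
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2017-03-01 08:00:00 UTC
Request ID '20150307000002':
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2019-03-08 08:00:00 UTC
EOF
}

# Demo run against the constructed sample with a fixed reference time.
sample_getcert_output | expired_certs '2017-03-07 11:24:33'
```

Each output line is tab-separated: request ID, expiry time, store location, nickname, subject.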