[Freeipa-users] Make Gpg replica fail, where cert store I should update new?

barrykfl at gmail.com barrykfl at gmail.com
Tue Mar 7 11:37:26 UTC 2017


Same as replica gpg making... Found this cert 2015 expired only?
But I follow manual here:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

It imported as EXT-CA as alias rather than server cert by default... Is there
anywhere pointing wrong?

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.ABC.com                                                    ,,
EXT-CA                                                       CT,C,C
ABC.COM IPA CA                                               CT,,C
Server-Cert                                                  u,u,u


Request ID '20160516111257':
        status: CA_UNREACHABLE
        ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central.ABC.com,O=ABC.COM
        expires: 2015-11-23 08:42:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes

2017-03-07 19:24 GMT+08:00 Barry <kliu at alumni.warwick.ac.uk>:

> Same as before, I already follow part < 4.1 as below:
>
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
> Comodo cert is new cert /
> It seems I'm nearly right... HTTP server side can read trust cert
> BUT it seems dirsrv is still lacking a CA cert to verify it...
> but ca.crt changed to new already and imported
>
> ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com -
> COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>
>
> 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <flo at redhat.com>:
>
>> Hi,
>>
>> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as
>> Certificate Authority, and this file may be outdated. Running
>> ipa-certupdate may fix your issue. See [1]
>>
>> If it doesn't, you can start by identifying which certificate expired with
>> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>>
>> HTH,
>> Flo
>>
>> [1] https://pagure.io/freeipa/issue/6375
>>
>> On 03/07/2017 04:14 AM, barrykfl at gmail.com wrote:
>>
>>> gpg
>>>
>>> Creating SSL certificate for the Directory Server
>>> ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM"
>>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>> preparation of replica failed: cannot connect to
>>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>> cannot connect to
>>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>>>     main()
>>>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
>>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>>> replica_fqdn, subject_base)
>>>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>>>     raise e
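Flo's advice above is to start by finding out which tracked certificate has expired, and the getcert output in this thread also tells you which NSS database the certificate lives in (the location= and nickname= in the "certificate:" line), which answers the "where cert store I should update" question. The script below is an added example, not code from the thread or from FreeIPA: it parses `getcert list` output into one record per request, flags requests whose certificate is expired, whose status is not MONITORING, or which certmonger reports as stuck, and reports the NSS DB path and nickname for each. The sample output is constructed (hostnames, realm and request IDs are made up) following the format shown in the thread; the function names are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output, modelled on the format shown in
# the thread. Hostnames, realm, paths and request IDs are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160516111257':
        status: CA_UNREACHABLE
        ca-error: Server at https://central.example.test/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://central.example.test:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=central.example.test,O=EXAMPLE.TEST
        expires: 2015-11-23 08:42:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
        track: yes
        auto-renew: yes
Request ID '20160516111301':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=central.example.test,O=EXAMPLE.TEST
        expires: 2018-05-16 11:13:01 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
STORE_RE = re.compile(r"location='([^']+)',nickname='([^']+)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Every 'key: value' line inside a request block becomes a dict entry.
    The split is on the first colon only, so values such as ca-error
    (which contain URLs and further colons) are kept whole.
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header line before the first request block
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def parse_utc(stamp):
    """Turn certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def cert_store(request):
    """Return (nss_db_path, nickname) of the tracked certificate, or None."""
    m = STORE_RE.search(request.get("certificate", ""))
    return (m.group(1), m.group(2)) if m else None


def audit(requests, now_utc=None):
    """Return (request_id, code, detail) for every request that needs attention.

    now_utc is a certmonger-style timestamp string; it defaults to the
    current time so the same function works on live `getcert list` output.
    """
    now = parse_utc(now_utc) if now_utc else datetime.now(timezone.utc)
    findings = []
    for r in requests:
        rid = r["request_id"]
        if "expires" in r and parse_utc(r["expires"]) <= now:
            findings.append((rid, "EXPIRED",
                             f"{r.get('subject')} expired {r['expires']}, stored in {cert_store(r)}"))
        if r.get("status") != "MONITORING":
            # Anything other than MONITORING means certmonger could not renew;
            # ca-error carries the reason (e.g. SEC_ERROR_UNKNOWN_ISSUER).
            findings.append((rid, r.get("status", "UNKNOWN"), r.get("ca-error", "")))
        if r.get("stuck") == "yes":
            findings.append((rid, "STUCK", "certmonger has stopped retrying this request"))
    return findings


if __name__ == "__main__":
    # Reference time taken from the date of the message in this thread.
    for rid, code, detail in audit(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), "2017-03-07 11:37:26 UTC"):
        print(f"{rid} {code}: {detail}")
```

On a real IPA server you would feed it the stdout of `sudo getcert list` (for instance via subprocess.run(["getcert", "list"], capture_output=True, text=True)) instead of the constructed sample. An EXPIRED finding next to a CA_UNREACHABLE status with SEC_ERROR_UNKNOWN_ISSUER in ca-error, as in the thread, points at the NSS database named in the finding as the one missing the issuing CA certificate, rather than at the certificate itself.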