[Freeipa-users] Replica fail to create , all new cert already inside

barrykfl at gmail.com barrykfl at gmail.com
Wed Mar 8 11:18:27 UTC 2017


Hi:

I have already input the new cert, but ipa-replica-prepare central03.ABC.com (IPA
3.0) fails with the error below.
Which "location" should I check for the old cert still being inside somewhere?

Below I have already input the CA / server cert, and the nssdb pointing is right.
I have already spent several days checking where it is. I also tried using the
pfx for the cert directly, but the same error comes out. It seems it still uses
the old cert to compare.

Any idea? Many thanks.

/var/lib/pki-ca/alias
/etc/dirsrv/slapd-PKI-IPA/
/etc/dirsrv/slapd-ABC-COM/
/etc/httpd/alias/
/etc/pki/nssdb/

The https web side is already using the new one and dirsrv gives no error on
starting; only I cannot do replicas. I use commands similar to the one below
and follow the steps here:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

certutil -A -d /var/lib/pki-ca/alias/ -n 'EXT-CA' -t CT,C,C -a -i /root/ca.crt


ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://central.ABCcom:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

Regards

Barry