[Freeipa-users] Replica fail to create, all new cert already inside

Rob Crittenden rcritten at redhat.com
Fri Mar 10 16:20:26 UTC 2017


barrykfl at gmail.com wrote:
> Hi:
> 
> I have already input the new cert, but ipa-replica-prepare central03.ABC.com
> (ipa 3.0) fails with the error below. Which "location" should I check,
> where the old cert may still be inside somewhere?
> 
> Below I have already input the CA / server cert, and the nssdb pointing is
> right. I have already spent several days checking where it is. I also tried
> using the pfx for the cert directly, but the same error comes out... it seems
> it still uses the old cert to compare.
> 
> Any idea ? many thanks
> 
> /var/lib/pki-ca/alias
> /etc/dirsrv/slapd-PKI-IPA/
> /etc/dirsrv/slapd-ABC-COM/
> /etc/httpd/alias/
> /etc/pki/nssdb/
> 
> I use similar commands as below and follow the steps here: the https web side
> is already using the new cert and dirsrv shows no error on starting; only I
> cannot do replicas.
> 
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
> 
> certutil -A -d /var/lib/pki-ca/alias/ -n 'EXT-CA' -t CT,C,C -a -i /root/ca.crt
> 
> 
> ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> preparation of replica failed: cannot connect to
> 'https://central.ABCcom:9444/ca/ee/ca/profileSubmitSSLClient':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> 
> Regards
> 
> Barry
> 
> 

Please stop creating new threads all for the same issue.

Your CA subsystem certs are expired and you'll need to go through the
renewal process to fix that. To do that you need to run `getcert list`
and determine the time period where all the certs are valid, set the
system time to then, restart IPA, restart certmonger.

Knowing that you are using 3rd party certs instead, perhaps this doesn't
really matter to you. In any case you probably won't have much luck
mixing and matching certificates between IPA-issued and whatever 3rd
party you're using.

The bottom line is you probably want to get 3rd party certs from
whatever issuer provided the certs for your current master(s), stick
those into PKCS#12 file(s) and pass that to ipa-replica-manage.

So like I said in
https://www.redhat.com/archives/freeipa-users/2017-March/msg00096.html,
man ipa-replica-manage.

rob
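To make the first step of the renewal procedure above concrete (run `getcert list`, find the period in which all certs are valid), here is an added example that is not from this thread or the FreeIPA project: it parses `getcert list` output, reports which tracked certs have already expired, and computes the latest clock value at which none of them has expired yet. The sample output, request IDs, nicknames and subjects are constructed placeholders; since `getcert list` prints only the expiry, the lower bound of the window (the latest notBefore) still has to be read from the certs themselves with `certutil -L`.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of `getcert list` output (not taken from the thread); field
# names and the 'expires:' format follow certmonger, nicknames are placeholders.
SAMPLE_GETCERT_LIST = """\
Request ID '20170101000000':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=CA Subsystem,O=ABC.COM
        expires: 2017-02-20 10:15:00 UTC
Request ID '20170101000001':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=central.ABC.com,O=ABC.COM
        expires: 2018-09-01 08:00:00 UTC
Request ID '20170101000002':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=OCSP Subsystem,O=ABC.COM
        expires: 2017-02-25 12:00:00 UTC
"""

def parse_utc(s):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
            continue
        m = re.match(r"\s*(status|certificate|subject|expires): (.*)", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    for e in entries:
        if "expires" in e:
            e["expires"] = parse_utc(e["expires"])
    return entries

def expired_certs(entries, now):
    """(subject, notAfter) of every tracked cert whose expiry is already past at `now`."""
    return [(e["subject"], e["expires"]) for e in entries if "expires" in e and e["expires"] <= now]

def latest_common_valid_time(entries, margin=timedelta(days=1)):
    """Latest clock value at which no tracked cert has expired (earliest notAfter minus margin); notBefore is not in getcert list, check it with certutil -L."""
    return min(e["expires"] for e in entries if "expires" in e) - margin
```

Feed it the real `getcert list` output instead of the sample; the value returned by `latest_common_valid_time` is the upper bound for the temporary system time before restarting IPA and certmonger.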
