<div dir="ltr"><div><font color="#500050">I think I already input all the CA certs and the server cert.</font></div><div><br></div><font color="#500050"><div>certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L<br> Trust Attributes<br> SSL,S/MIME,JAR/XPI</div><div>*.<a href="http://wisers.com">wisers.com</a> &lt; this is the server wildcard cert already<br>EXT-CA CT,C,C &lt; this is the combo cert CA<br><a href="http://ABC.COM">ABC.COM</a> IPA CA CT,,C<br>Server-Cert u,u,u<br></div><div><br></div><div>When I make a replica it comes out with an error from the master server <a href="http://central.ABC.com">central.ABC.com</a>. Anything I'm missing?</div><div><br></div><div>Creating SSL certificate for the dogtag Directory Server<br>ipa : ERROR cert validation failed for "CN=central.ABC ROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br>preparation of replica failed: cannot connect to '<a href="https://central.ABC9444/ca/ee/ca/profileSubmitSSLClient">https://central.ABC9444/ca/ee/ca/profileSubmitSSLClient</a>': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br>cannot connect to '<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient">https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br> File "/usr/sbin/ipa-replica-prepare", line 490, in &lt;module&gt;<br></div></font></div><div class="gmail_extra"><br><div class="gmail_quote">2017-03-07 21:51 GMT+08:00 Rob Crittenden <span dir="ltr">&lt;<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote:<br>
> Same as replica gpg making... Found only this cert (2015) expired?<br>
> But I followed the manual here:<br>
><br>
> <a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1" target="_blank" rel="noreferrer">https://www.freeipa.org/page/<wbr>Using_3rd_part_certificates_<wbr>for_HTTP/LDAP#Procedure_in_<wbr>IPA_.3C_4.1</a><br>
</span>> <<a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1" target="_blank" rel="noreferrer">https://www.freeipa.org/page/<wbr>Using_3rd_part_certificates_<wbr>for_HTTP/LDAP#Procedure_in_<wbr>IPA_.3C_4.1</a>><br>
<br>
If you are using 3rd party certs elsewhere then why not provide 3rd<br>
party certs for this replica as well?<br>
<br>
It seems like you aren't using the IPA-provided CA at all given its<br>
certs expired in 2015.<br>
<br>
rob<br>
<span><br>
><br>
> It imported as EXT-CA as the alias rather than the server cert by default... Is<br>
> there anything pointing wrong?<br>
><br>
> Certificate Nickname Trust Attributes<br>
> SSL,S/MIME,JAR/XPI<br>
> *.ABC.com ,,<br>
> EXT-CA CT,C,C<br>
</span>> <a href="http://ABC.COM" target="_blank" rel="noreferrer">ABC.COM</a> <<a href="http://ABC.COM" target="_blank" rel="noreferrer">http://ABC.COM</a>> IPA<br>
<span>> CA CT,,C<br>
> Server-Cert u,u,u<br>
><br>
><br>
> Request ID '20160516111257':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server at <a href="https://central.ABC.com/ipa/xml" target="_blank" rel="noreferrer">https://central.ABC.com/ipa/<wbr>xml</a> failed<br>
> request, will retry: 907 (RPC failed at server. cannot connect to<br>
> '<a href="https://central.ABC.com:443/ca/agent/ca/displayBySerial" target="_blank" rel="noreferrer">https://central.ABC.com:443/<wbr>ca/agent/ca/displayBySerial</a>':<br>
> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-PKI-IPA/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
</span>> issuer: CN=Certificate Authority,O=<a href="http://ABC.COM" target="_blank" rel="noreferrer">ABC.COM</a> <<a href="http://ABC.COM" target="_blank" rel="noreferrer">http://ABC.COM</a>><br>
> subject: CN=<a href="http://central.ABC.com" target="_blank" rel="noreferrer">central.ABC.com</a> <<a href="http://central.ABC.com" target="_blank" rel="noreferrer">http://central.ABC.com</a>>,O=<a href="http://ABC.COM" target="_blank" rel="noreferrer">ABC<wbr>.COM</a><br>
> <<a href="http://ABC.COM" target="_blank" rel="noreferrer">http://ABC.COM</a>><br>
<span>> expires: 2015-11-23 08:42:52 UTC<br>
> key usage:<br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
> pre-save command:<br>
> post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_dirsrv PKI-IPA<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
> 2017-03-07 19:24 GMT+08:00 Barry <<a href="mailto:kliu@alumni.warwick.ac.uk">kliu@alumni.warwick.ac.uk</a><br>
</span>> <mailto:<a href="mailto:kliu@alumni.warwick.ac.uk">kliu@alumni.warwick.<wbr>ac.uk</a>>>:<br>
<span>><br>
> Same as before, I already followed the part for &lt; 4.1 as below:<br>
><br>
> <a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1" target="_blank" rel="noreferrer">https://www.freeipa.org/page/<wbr>Using_3rd_part_certificates_<wbr>for_HTTP/LDAP#Procedure_in_<wbr>IPA_.3C_4.1</a><br>
> <<a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1" target="_blank" rel="noreferrer">https://www.freeipa.org/page/<wbr>Using_3rd_part_certificates_<wbr>for_HTTP/LDAP#Procedure_in_<wbr>IPA_.3C_4.1</a>><br>
> The Comodo cert is the new cert.<br>
> It seems I'm nearly right... the HTTP server side can read the trust cert,<br>
> BUT it seems dirsrv is still lacking a CA cert to verify it,<br>
> but ca.crt was already changed to the new one and imported.<br>
><br>
> ABC-COM...[07/Mar/2017:19:17:<wbr>22 +0800] - SSL alert:<br>
> CERT_VerifyCertificateNow: verify certificate failed for cert<br>
> *.ABC.com - COMODO CA Limited of family<br>
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error<br>
> -8179 - Peer's Certificate issuer is not recognized.)<br>
><br>
><br>
> 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <<a href="mailto:flo@redhat.com">flo@redhat.com</a><br>
</span>> <mailto:<a href="mailto:flo@redhat.com">flo@redhat.com</a>>>:<br>
<span>><br>
> Hi,<br>
><br>
> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as<br>
> Certificate Authority, and this file may be outdated. Running<br>
> ipa-certupdate may fix your issue. See [1]<br>
><br>
> If it doesn't, you can start by identifying which certificate<br>
> expired with<br>
> $ sudo getcert list | egrep -e 'expires|Request ID|subject'<br>
><br>
> HTH,<br>
> Flo<br>
><br>
> [1] <a href="https://pagure.io/freeipa/issue/6375" target="_blank" rel="noreferrer">https://pagure.io/freeipa/<wbr>issue/6375</a><br>
> <<a href="https://pagure.io/freeipa/issue/6375" target="_blank" rel="noreferrer">https://pagure.io/freeipa/<wbr>issue/6375</a>><br>
><br>
> On 03/07/2017 04:14 AM, <a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a><br>
</span><span>> <mailto:<a href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a>> wrote:<br>
><br>
> gpg<br>
><br>
> Creating SSL certificate for the Directory Server<br>
> ipa : ERROR cert validation failed for<br>
> "CN=<a href="http://central.ABC.com" target="_blank" rel="noreferrer">central.ABC.com</a> <<a href="http://central.ABC.com" target="_blank" rel="noreferrer">http://central.ABC.com</a>><br>
> <<a href="http://central.ABC.com" target="_blank" rel="noreferrer">http://central.ABC.com</a>>,O=<a href="http://ABC.COM" target="_blank" rel="noreferrer">ABC<wbr>.COM</a> <<a href="http://ABC.COM" target="_blank" rel="noreferrer">http://ABC.COM</a>><br>
> <<a href="http://ABC.COM" target="_blank" rel="noreferrer">http://ABC.COM</a>>"<br>
> ((SEC_ERROR_EXPIRED_<wbr>CERTIFICATE) Peer's Certificate has<br>
> expired.)<br>
> preparation of replica failed: cannot connect to<br>
</span>> '<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/<wbr>ca/ee/ca/<wbr>profileSubmitSSLClient</a> <<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/<wbr>ca/ee/ca/<wbr>profileSubmitSSLClient</a>>':<br>
<span>> (SEC_ERROR_EXPIRED_<wbr>CERTIFICATE) Peer's Certificate has expired.<br>
> cannot connect to<br>
</span>> '<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/<wbr>ca/ee/ca/<wbr>profileSubmitSSLClient</a> <<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/<wbr>ca/ee/ca/<wbr>profileSubmitSSLClient</a>>':<br>
<div class="HOEnZb"><div class="h5">> (SEC_ERROR_EXPIRED_<wbr>CERTIFICATE) Peer's Certificate has expired.<br>
> File "/usr/sbin/ipa-replica-<wbr>prepare", line 490, in &lt;module&gt;<br>
> main()<br>
><br>
> File "/usr/sbin/ipa-replica-<wbr>prepare", line 361, in main<br>
> export_certdb(api.env.realm, ds_dir, dir, passwd_fname,<br>
> "dscert",<br>
> replica_fqdn, subject_base)<br>
><br>
> File "/usr/sbin/ipa-replica-<wbr>prepare", line 150, in<br>
> export_certdb<br>
> raise e<br>
><br>
<br>
</div></div></blockquote></div><br></div>
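As an added example (not from the thread and not FreeIPA's own code), a small Python script that does the triage Florence suggests with `getcert list`, but offline: it parses a constructed sample laid out like the certmonger output quoted in the thread and flags every tracking request whose certificate has already expired or whose status shows certmonger cannot renew it (the CA_UNREACHABLE / SEC_ERROR_UNKNOWN_ISSUER case above). The sample values are taken from the anonymised thread; the second request and its NSS DB path are invented.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list`; first request mirrors the thread, second is invented.
SAMPLE = """\
Request ID '20160516111257':
    status: CA_UNREACHABLE
    ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=central.ABC.com,O=ABC.COM
    expires: 2015-11-23 08:42:52 UTC
Request ID '20170101000000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=central.ABC.com,O=ABC.COM
    expires: 2019-03-08 10:00:00 UTC
"""
NOW = datetime(2017, 3, 7, tzinfo=timezone.utc)  # date of the thread, used as "now"

def parse_getcert(text):
    """One dict per tracking request; values keep everything after the first colon, so ca-error URLs survive."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"request_id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def audit_tracking(text, now):
    """Flag requests expired at `now` or whose status is anything other than MONITORING (renewal is failing)."""
    findings = []
    for r in parse_getcert(text):
        problems = []
        exp = r.get("expires", "")
        if exp.endswith(" UTC"):  # certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'
            when = datetime.strptime(exp[:-4], "%Y-%m-%d %H:%M:%S")
            if when.replace(tzinfo=timezone.utc) <= now:
                problems.append("expired " + exp)
        if r.get("status") != "MONITORING":
            problems.append("status %s: %s" % (r.get("status"), r.get("ca-error", "-")))
        if problems:
            nick = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
            findings.append({"request_id": r["request_id"], "subject": r.get("subject"),
                             "nickname": nick.group(1) if nick else None, "problems": problems})
    return findings
```

On a real server feed it `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout` and `datetime.now(timezone.utc)` instead of `SAMPLE` and `NOW`; a finding with an expired dirsrv Server-Cert and a CA_UNREACHABLE status is exactly the state the thread describes.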