<div dir="ltr"><div>Same as replica gpg making... Found this cert expired in 2015 only? But I follow the manual here:</div><div><br></div><div><a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1" target="_blank">https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1</a><span><span> </span></span></div><div><span><span><br></span></span></div><div><span><span>It imported as EXT-CA as the alias rather than the server cert by default... Is there anything pointing wrong?</span></span></div><div><br></div><div>Certificate Nickname Trust Attributes<br> SSL,S/MIME,JAR/XPI</div><div>*.ABC.com ,,<br>EXT-CA CT,C,C<br><a href="http://ABC.COM">ABC.COM</a> IPA CA CT,,C<br>Server-Cert u,u,u<br><span><span><br></span></span></div><div><br>Request ID '20160516111257':<br> status: CA_UNREACHABLE<br> ca-error: Server at <a href="https://central.ABC.com/ipa/xml">https://central.ABC.com/ipa/xml</a> failed request, will retry: 907 (RPC failed at server. 
cannot connect to '<a href="https://central.ABC.com:443/ca/agent/ca/displayBySerial">https://central.ABC.com:443/ca/agent/ca/displayBySerial</a>': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).<br> stuck: no<br> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<a href="http://ABC.COM">ABC.COM</a><br> subject: CN=<a href="http://central.ABC.com">central.ABC.com</a>,O=<a href="http://ABC.COM">ABC.COM</a><br> expires: 2015-11-23 08:42:52 UTC<br> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br> eku: id-kp-serverAuth,id-kp-clientAuth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA<br> track: yes<br> auto-renew: yes<span></span></div><div class="gmail_extra"><br><div class="gmail_quote">2017-03-07 19:24 GMT+08:00 Barry <span dir="ltr"><<a href="mailto:kliu@alumni.warwick.ac.uk" target="_blank">kliu@alumni.warwick.ac.uk</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div>Same as before, I already followed the part for < 4.1 as below:</div><div><br></div><div><a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1" target="_blank">https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1</a><span><span> </span></span></div><div>The Comodo cert is the new cert.</div><div>It seems I'm nearly right... the HTTP server side can read the trust cert,</div><div>BUT it seems dirsrv is still lacking a CA cert to verify it...</div><div>but ca.crt was already changed to the new one and 
imported</div><div><br></div><div>ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com - COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)<br> <span></span></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">Hi,<br>
<br>
In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate Authority, and this file may be outdated. Running ipa-certupdate may fix your issue. See [1]<br>
<br>
If it doesn't, you can start by identifying which certificate expired with<br>
$ sudo getcert list | egrep -e 'expires|Request ID|subject'<br>
<br>
HTH,<br>
Flo<br>
<br>
[1] <a href="https://pagure.io/freeipa/issue/6375" target="_blank" rel="noreferrer">https://pagure.io/freeipa/issue/6375</a><span><br>
<br>
On 03/07/2017 04:14 AM, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a> wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><span>
gpg<br>
<br>
Creating SSL certificate for the Directory Server<br>
ipa : ERROR cert validation failed for "CN=<a href="http://central.ABC.com" target="_blank" rel="noreferrer">central.ABC.com</a><br></span>
<<a href="http://central.ABC.com" target="_blank" rel="noreferrer">http://central.ABC.com</a>>,O=<a href="http://ABC.COM" target="_blank" rel="noreferrer">ABC.COM</a> <<a href="http://ABC.COM" target="_blank" rel="noreferrer">http://ABC.COM</a>>"<span><br>
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)<br>
preparation of replica failed: cannot connect to<br>
'<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>':<br>
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br>
cannot connect to<br>
'<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>':<br>
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br>
File "/usr/sbin/ipa-replica-prepare", line 490, in <module><br>
main()<br>
<br>
File "/usr/sbin/ipa-replica-prepare", line 361, in main<br>
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",<br>
replica_fqdn, subject_base)<br>
<br>
File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb<br>
raise e<br>
<br>
<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>
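As an added example (not from the thread, FreeIPA or certmonger), a small parser for the `getcert list` output Flo suggests grepping: it is run over a sample constructed from the request block Barry pasted plus one made-up healthy request, flags expired or soon-expiring certificates, and carries the certmonger status through so a request stuck in CA_UNREACHABLE shows up next to its expiry. The second request ID, its NSS DB path and the `THREAD_DATE` used as "now" are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `getcert list` prints: the first block
# copies the values from the thread, the second is a made-up healthy request.
SAMPLE = """\
Request ID '20160516111257':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=central.ABC.com,O=ABC.COM
\texpires: 2015-11-23 08:42:52 UTC
Request ID '20170101000000':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=central.ABC.com,O=ABC.COM
\texpires: 2019-01-01 00:00:00 UTC
"""
# Date of the thread, used as "now" for the sample run (assumption).
THREAD_DATE = datetime(2017, 3, 7, tzinfo=timezone.utc)

def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by certmonger's field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_tracking(text, now, warn_days=30):
    """Classify each tracked cert as expired/expiring/ok and keep the
    certmonger status, so a renewal stuck in CA_UNREACHABLE is visible."""
    report = []
    for req in parse_getcert_list(text):
        exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        state = ("expired" if exp <= now else
                 "expiring" if exp - now <= timedelta(days=warn_days) else "ok")
        # Pull nickname/location out of the quoted key='value' list.
        store = dict(re.findall(r"(\w+)='([^']*)'", req.get("certificate", "")))
        report.append({"request_id": req["request_id"], "state": state,
                       "status": req.get("status"), "expires": exp,
                       "nickname": store.get("nickname"),
                       "location": store.get("location")})
    return report
```

Run it against the real output with `check_tracking(subprocess.check_output(["getcert", "list"], text=True), datetime.now(timezone.utc))` to see which NSS database holds the expired cert.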