<div dir="ltr"><div>Same as before, I already followed part &lt; 4.1 as below:</div><div><br></div><div><a href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1">https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1</a></div><div>The Comodo cert is the new cert.</div><div>It seems I'm nearly right: the HTTP server side can read the trust cert,</div><div>BUT it seems dirsrv is still lacking a CA cert to verify it,</div><div>but ca.crt was already changed to the new one and imported.</div><div><br></div><div>ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com - COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <span dir="ltr">&lt;<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate Authority, and this file may be outdated. Running ipa-certupdate may fix your issue. See [1]<br>
<br>
If it doesn't, you can start by identifying which certificate expired with<br>
$ sudo getcert list | egrep -e 'expires|Request ID|subject'<br>
<br>
HTH,<br>
Flo<br>
<br>
[1] <a href="https://pagure.io/freeipa/issue/6375" target="_blank" rel="noreferrer">https://pagure.io/freeipa/issue/6375</a><span><br>
<br>
On 03/07/2017 04:14 AM, <a href="mailto:barrykfl@gmail.com" target="_blank">barrykfl@gmail.com</a> wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><span>
gpg<br>
<br>
Creating SSL certificate for the Directory Server<br>
ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM"<br></span>
<span><br>
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)<br>
preparation of replica failed: cannot connect to<br>
'<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>':<br>
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br>
cannot connect to<br>
'<a href="https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient" target="_blank" rel="noreferrer">https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient</a>':<br>
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.<br>
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module><br>
    main()<br>
<br>
  File "/usr/sbin/ipa-replica-prepare", line 361, in main<br>
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",<br>
replica_fqdn, subject_base)<br>
<br>
  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb<br>
    raise e<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div>
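<p>The thread turns on two checks: which tracked certificate has expired (Florence's <code>getcert list | egrep -e 'expires|Request ID|subject'</code>), and whether the issuer of the new certificate is a CA the server actually trusts (the NSS error -8179, "Peer's Certificate issuer is not recognized", in the dirsrv log above). The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses the text that <code>getcert list</code> prints and reports both conditions. The <code>getcert</code> output embedded in it is constructed for the example (the field layout follows certmonger, but the request IDs, dates, paths and DNs are made up), and the list of trusted CA subject DNs is an assumption standing in for what <code>/etc/ipa/ca.crt</code> and the dirsrv NSS database would hold.</p>

```python
"""Triage of certmonger tracking output for a FreeIPA server.

Added example, not part of the mailing-list thread or of FreeIPA/certmonger.
It parses the text printed by `getcert list` and reports
  (a) tracked certificates that are expired or about to expire, and
  (b) certificates whose issuer DN is not among the CA subject DNs the server
      trusts, the situation behind NSS error -8179.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output. Field layout follows certmonger;
# request IDs, dates, paths and DNs are made up for this example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160301100000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=ABC.COM
\tsubject: CN=central.ABC.com,O=ABC.COM
\texpires: 2017-03-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20170301120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited
\tsubject: CN=*.ABC.com,O=ABC.COM
\texpires: 2019-03-01 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Assumed trusted CA subject DNs (what the IPA CA cert would carry); constructed.
ASSUMED_TRUSTED_CA_SUBJECTS = ["CN=Certificate Authority,O=ABC.COM"]

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")   # indented "name: value" lines


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by certmonger field name."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def expiring_certs(entries, now, warn_days=30):
    """List (request_id, subject, expires, state) for certs that are EXPIRED
    or EXPIRING within warn_days. `now` may be a datetime or a certmonger-style
    timestamp string, so the check is reproducible against a fixed clock."""
    if isinstance(now, str):
        now = parse_expiry(now)
    findings = []
    for e in entries:
        if "expires" not in e:
            continue
        exp = parse_expiry(e["expires"])
        if exp <= now:
            findings.append((e["request_id"], e.get("subject", ""), e["expires"], "EXPIRED"))
        elif exp - now <= timedelta(days=warn_days):
            findings.append((e["request_id"], e.get("subject", ""), e["expires"], "EXPIRING"))
    return findings


def unrecognized_issuers(entries, trusted_ca_subjects):
    """List (request_id, subject, issuer) for certs whose issuer DN is not a
    trusted CA subject DN: exactly the mismatch NSS reports as -8179."""
    trusted = {s.strip() for s in trusted_ca_subjects}
    return [(e["request_id"], e.get("subject", ""), e["issuer"])
            for e in entries if "issuer" in e and e["issuer"] not in trusted]


if __name__ == "__main__":
    entries = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for rid, subj, exp, state in expiring_certs(entries, datetime.now(timezone.utc)):
        print(f"{state}: request {rid} subject {subj} expires {exp}")
    for rid, subj, issuer in unrecognized_issuers(entries, ASSUMED_TRUSTED_CA_SUBJECTS):
        print(f"UNTRUSTED ISSUER: request {rid} subject {subj} issued by {issuer}")
```

<p>On a real server, replace <code>SAMPLE_GETCERT_OUTPUT</code> with the captured output of <code>sudo getcert list</code> and build the trusted list from the CA certificates present in the NSS database the failing service uses (for dirsrv, the database under <code>/etc/dirsrv/slapd-REALM</code>). A certificate that shows up under "untrusted issuer" is the case in the thread: the service's own trust store lacks the issuing CA chain even though the leaf certificate was installed.</p>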