Hello, Enrolling new users is failing because of the certificate issue (curl is throwing an "untrusted certificate" error) ipa-certupdate is throwing an error message too "Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (11): Resource temporarily unavailable"
2017-08-17 22:03 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Sarhan Aissi via FreeIPA-users wrote: > > Hello, > > > > I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and i tried to add my > > Let's encrypt certificate using the "freeipa-letsencrypt" script (I > replaced Fedora/RHEL commands with ubuntu equivalents): > > https://github.com/freeipa/freeipa-letsencrypt > > > > After restarting freeipa i cannot add new members to the ipa server or > > connect to the REST api. The error message is related to the certificate > > and " (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not > > recognized.". > > > > How can add the Let's encrypt issuer to the trust list or at undo what > > i have done (i don't have any backup for /etc/apache2/nssdb) ? > > The clients need to trust the issuer of your CA cert. > > Try ipa-cacert-manage install to install the chain > > Then on each already-enrolled client run ipa-certupdate > > New clients should get the chain upon enrollment. > > rob > >
_______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org