Hello,
Enrolling new users is failing because of the certificate issue (curl is
throwing an "untrusted certificate" error).
ipa-certupdate is throwing an error message too: "Major (851968):
Unspecified GSS failure.  Minor code may provide more information, Minor
(11): Resource temporarily unavailable"

2017-08-17 22:03 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Sarhan Aissi via FreeIPA-users wrote:
> > Hello,
> >
> > I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and I tried to add my
> > Let's Encrypt certificate using the "freeipa-letsencrypt" script (I
> > replaced Fedora/RHEL commands with Ubuntu equivalents):
> > https://github.com/freeipa/freeipa-letsencrypt
> >
> > After restarting FreeIPA I cannot add new members to the ipa server or
> > connect to the REST API. The error message is related to the certificate
> > and " (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not
> > recognized.".
> >
> > How can I add the Let's Encrypt issuer to the trust list or at least undo what
> > I have done (I don't have any backup for /etc/apache2/nssdb)?
>
> The clients need to trust the issuer of your CA cert.
>
> Try ipa-cacert-manage install to install the chain
>
> Then on each already-enrolled client run ipa-certupdate
>
> New clients should get the chain upon enrollment.
>
> rob
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
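
The reply quoted above says the clients must trust the issuer of the server certificate. The script below is an added illustration, not part of the original thread and not FreeIPA code: it builds a constructed issuer and server certificate and shows verification failing until the issuer is in the client's bundle. It uses OpenSSL in place of the NSS check that reports SEC_ERROR_UNKNOWN_ISSUER, and the names `Constructed Demo issuer`, `ipa.example.test` and the function names are assumptions.

```bash
#!/bin/sh
# Added example: every key and certificate is constructed locally in a temp
# dir. "Constructed Demo issuer" stands in for the server certificate's real
# issuer; OpenSSL stands in for the NSS check behind SEC_ERROR_UNKNOWN_ISSUER.

make_demo_pki() {   # $1 = work dir; writes issuer.pem, other.pem, server.pem
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in issuer other; do
        openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Demo $ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ipa.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/issuer.pem" \
        -CAkey "$1/issuer.key" -CAcreateserial -days 1 \
        -out "$1/server.pem" 2>/dev/null
}

# True only if certificate $2 chains to a CA present in PEM bundle $1.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the client's verdict before and after its bundle gains the issuer.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    cp "$d/other.pem" "$d/client.pem"        # bundle without the issuer
    chain_trusted "$d/client.pem" "$d/server.pem" && before=trusted || before=untrusted
    cat "$d/issuer.pem" >> "$d/client.pem"   # issuer now in the bundle
    chain_trusted "$d/client.pem" "$d/server.pem" && after=trusted || after=untrusted
    rm -rf "$d"
    echo "$before $after"
}

demo
```

The same `chain_trusted` check can be pointed at a real client bundle and a saved copy of the server certificate to confirm whether the issuer is present after the chain has been installed.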
