On 08/18/2017 09:53 AM, Sarhan via FreeIPA-users wrote:
Hello,
Enrolling new users is failing because of the certificate issue (curl is throwing an "untrusted certificate" error). ipa-certupdate is throwing an error message too: "Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (11): Resource temporarily unavailable".

Hi,

You need to perform "kinit admin" before running ipa-certupdate (ipa-certupdate needs to be authenticated via Kerberos to grab the certificates from the LDAP server).

Also note that ipa-certupdate needs to be run on all IPA machines (clients and servers).

HTH,
Flo

2017-08-17 22:03 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

    Sarhan Aissi via FreeIPA-users wrote:
    > Hello,
    >
    > I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and I tried to add my
    > Let's Encrypt certificate using the "freeipa-letsencrypt" script (I
    > replaced Fedora/RHEL commands with Ubuntu equivalents):
    > https://github.com/freeipa/freeipa-letsencrypt
    >
    > After restarting FreeIPA I cannot add new members to the IPA server or
    > connect to the REST API. The error message is related to the certificate
    > and " (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not
    > recognized.".
    >
    > How can I add the Let's Encrypt issuer to the trust list or undo what
    > I have done (I don't have any backup for /etc/apache2/nssdb)?

    The clients need to trust the issuer of your CA cert.

    Try ipa-cacert-manage install to install the chain

    Then on each already-enrolled client run ipa-certupdate

    New clients should get the chain upon enrollment.

    rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org