Hi, I got another error when trying the command again:

trying https://ipa.example.net/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa.example.net/ipa/json'
cert validation failed for "CN=ipa.example.net" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
Forwarding 'env' to json server 'https://ipa.example.net/ipa/json'
cert validation failed for "CN=ipa.example.net" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
cannot connect to 'https://ipa.example.net/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
The ipa-certupdate command failed.

I have the same error on both clients and server.

On 18/08/2017 16:20, Florence Blanc-Renaud wrote:
> On 08/18/2017 09:53 AM, Sarhan via FreeIPA-users wrote:
>> Hello,
>> Enrolling new users is failing because of the certificate issue (curl is throwing an "untrusted certificate" error).
>> ipa-certupdate is throwing an error message too: "Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (11): Resource temporarily unavailable"
>>
> Hi,
>
> you need to perform "kinit admin" before running ipa-certupdate (ipa-certupdate needs to be authenticated via Kerberos to grab the certificates from the LDAP server).
>
> Also note that ipa-certupdate needs to be run on all IPA machines (clients and servers).
>
> HTH,
> Flo
>
>> 2017-08-17 22:03 GMT+01:00 Rob Crittenden <[email protected]>:
>>
>> Sarhan Aissi via FreeIPA-users wrote:
>> > Hello,
>> >
>> > I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and I tried to add my Let's Encrypt certificate using the "freeipa-letsencrypt" script (I replaced Fedora/RHEL commands with Ubuntu equivalents):
>> > https://github.com/freeipa/freeipa-letsencrypt
>> >
>> > After restarting FreeIPA I cannot add new members to the IPA server or connect to the REST API. The error message is related to the certificate and "(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.".
>> >
>> > How can I add the Let's Encrypt issuer to the trust list, or undo what I have done (I don't have any backup of /etc/apache2/nssdb)?
>>
>> The clients need to trust the issuer of your CA cert.
>>
>> Try ipa-cacert-manage install to install the chain.
>>
>> Then on each already-enrolled client run ipa-certupdate.
>>
>> New clients should get the chain upon enrollment.
>>
>> rob
>>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
