Hi,

I got another error when trying the command again:

trying https://ipa.example.net/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa.example.net/ipa/json'
cert validation failed for "CN=ipa.example.net" ((SEC_ERROR_UNKNOWN_ISSUER) 
Peer's Certificate issuer is not recognized.)
Forwarding 'env' to json server 'https://ipa.example.net/ipa/json'
cert validation failed for "CN=ipa.example.net" ((SEC_ERROR_UNKNOWN_ISSUER) 
Peer's Certificate issuer is not recognized.)
cannot connect to 'https://ipa.example.net/ipa/json': 
(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
The ipa-certupdate command failed.

I have the same error in both clients and server.
On 18/08/2017 16:20, Florence Blanc-Renaud wrote:
> On 08/18/2017 09:53 AM, Sarhan via FreeIPA-users wrote:
>> Hello,
>> Enrolling new users is failing because of the certificate issue (curl
>> is throwing an "untrusted certificate" error)
>> ipa-certupdate is throwing an error message too "Major (851968):
>> Unspecified GSS failure.  Minor code may provide more information,
>> Minor (11): Resource temporarily unavailable"
>>
> Hi,
>
> you need to perform "kinit admin" before running ipa-certupdate
> (ipa-certupdate needs to be authenticated via kerberos to grab the
> certificates from the LDAP server).
>
> Also note that ipa-certupdate needs to be run on all IPA machines
> (clients and servers).
>
> HTH,
> Flo
>
>> 2017-08-17 22:03 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>
>>     Sarhan Aissi via FreeIPA-users wrote:
>>     > Hello,
>>     >
>>     > I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and I tried to add my
>>     > Let's encrypt certificate using the "freeipa-letsencrypt" script (I
>>     > replaced Fedora/RHEL commands with ubuntu equivalents):
>>     > https://github.com/freeipa/freeipa-letsencrypt
>>     >
>>     > After restarting freeipa I cannot add new members to the ipa server or
>>     > connect to the REST api. The error message is related to the certificate
>>     > and "(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not
>>     > recognized.".
>>     >
>>     > How can I add the Let's encrypt issuer to the trust list or at undo what
>>     > I have done (I don't have any backup for /etc/apache2/nssdb)?
>>
>>     The clients need to trust the issuer of your CA cert.
>>
>>     Try ipa-cacert-manage install to install the chain
>>
>>     Then on each already-enrolled client run ipa-certupdate
>>
>>     New clients should get the chain upon enrollment.
>>
>>     rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
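As an added example that is not part of this thread and not FreeIPA's own tooling, the script below reproduces the "issuer is not recognized" failure with throwaway openssl certificates and shows that it clears once the issuing CA is present in the client's trust store; it assumes only that openssl is installed. FreeIPA's own remedy is the one named above: ipa-cacert-manage install on the server, then kinit admin and ipa-certupdate on every client and server.

```shell
#!/bin/sh
# Added example: model SEC_ERROR_UNKNOWN_ISSUER with openssl instead of NSS.
# Every certificate here is a constructed throwaway; nothing touches a real IPA host.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed issuer, standing in for the Let's Encrypt chain the clients lack.
make_issuer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Issuing CA" \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" >/dev/null 2>&1
}

# Constructed server certificate signed by that issuer (the IPA HTTP cert role).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ipa.example.net" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify the server cert against a trust-store file; prints "trusted" or "untrusted".
# An empty trust store models a client that has not yet received the chain.
verify_against() {
    if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_issuer
make_server_cert
: > "$WORK/empty-trust.pem"
BEFORE="$(verify_against "$WORK/empty-trust.pem")"   # unknown issuer -> untrusted
AFTER="$(verify_against "$WORK/issuer.pem")"         # issuer installed -> trusted
echo "before installing the chain: $BEFORE"
echo "after installing the chain:  $AFTER"
```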
