On 08/18/2017 05:46 PM, Sarhan Aissi via FreeIPA-users wrote:
Hi,
I got another error when trying the command again:
trying https://ipa.example.net/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa.example.net/ipa/json'
cert validation failed for "CN=ipa.example.net" ((SEC_ERROR_UNKNOWN_ISSUER)
Peer's Certificate issuer is not recognized.)
Forwarding 'env' to json server 'https://ipa.example.net/ipa/json'
cert validation failed for "CN=ipa.example.net" ((SEC_ERROR_UNKNOWN_ISSUER)
Peer's Certificate issuer is not recognized.)
cannot connect to 'https://ipa.example.net/ipa/json':
(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
The ipa-certupdate command failed.
I have the same error on both the clients and the server.
On 18/08/2017 16:20, Florence Blanc-Renaud wrote:
On 08/18/2017 09:53 AM, Sarhan via FreeIPA-users wrote:
Hello,
Enrolling new users is failing because of the certificate issue (curl
is throwing an "untrusted certificate" error)
ipa-certupdate is throwing an error message too "Major (851968):
Unspecified GSS failure. Minor code may provide more information,
Minor (11): Resource temporarily unavailable"
Hi,
You need to perform "kinit admin" before running ipa-certupdate
(ipa-certupdate needs to be authenticated via Kerberos to grab the
certificates from the LDAP server).
Also note that ipa-certupdate needs to be run on all IPA machines
(clients and servers).
HTH,
Flo
2017-08-17 22:03 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
Sarhan Aissi via FreeIPA-users wrote:
> Hello,
>
> I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and I tried to add my
> Let's Encrypt certificate using the "freeipa-letsencrypt" script (I
> replaced Fedora/RHEL commands with Ubuntu equivalents):
> https://github.com/freeipa/freeipa-letsencrypt
>
> After restarting FreeIPA I cannot add new members to the IPA server or
> connect to the REST API. The error message is related to the certificate
> and "(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not
> recognized.".
>
> How can I add the Let's Encrypt issuer to the trust list or undo what
> I have done (I don't have any backup for /etc/apache2/nssdb)?
The clients need to trust the issuer of your CA cert.
Try ipa-cacert-manage install to install the chain.
Then on each already-enrolled client run ipa-certupdate.
New clients should get the chain upon enrollment.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi,
I would start by checking which certificate is used by the httpd server.
You can try to open the URI in a web browser and view the certificate.
Note which certificate authority provided the cert, and compare with
what you are expecting.
Then check if /etc/ipa/ca.crt contains the CA certificate:
openssl x509 -noout -text -in /etc/ipa/ca.crt
If that is not the case, you can copy-paste the CA cert into the file
(append the cert, but do not erase the other ones).
HTH,
Flo