Harald Dunkel via FreeIPA-users wrote:
> See attachment.
> Please note the "invalid certificate". Du you remember the thread
> on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
> after root certificate change via ipa-cacert-manage" and the
> output of "ipa-certupdate -v" I had posted?

The ipa-certupdate error was a red herring. IPA was just looking for all
possible CA certs it could know about.

It does look like the trust is wrong on your CA cert in the tomcat NSS

# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
[ snip ]
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

If yours isn't that you can try modifying it with:

# certutil -M -d /var/lib/pki/pki-tomcat/ca/alias -n "caSigningCert
cert-pki-ca" -t CTu,Cu,Cu

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to