Hi Rob once again many thanks for helping!

My guess is that the LE CA certificates are not trusted by the NSS
database that dogtag uses. Assuming you've added those CA certificates
to IPA using ipa-cacert-manage install then running ipa-certupdate
should fix things for you.

rob

I think the LE CA certificates are added with certutil as per the script; I don't know whether it runs ipa-cacert-manage install.

I had tried ipa-certupdate, as I remember having read that running it usually fixes a number of issues with the cert setup. It finishes successfully.

# ipa-certupdate
trying https://main.domain.io/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://main.domain.io/ipa/json'
trying https://main.domain.io/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://main.domain.io/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://main.domain.io/ipa/session/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

But the issue now is solely in starting pki-tomcatd. I can connect to the GUI; when I access via https I get the new cert, edit DNS records (adding via web), and authenticate to the web interface using a Kerberos ticket. BUT pki-tomcat keeps throwing errors, and when I run "ipactl restart" it fails unless I add the --ignore-service-failure flag (and --skip-version-check as well; I still have that one stuck). The certificates are at the $WORKDIR (ipa-le).

New issues: I can't use ldapsearch with 'cn=directory manager'; it fails with "ldap_bind: Invalid credentials (49)", and other apps that use LDAP with another sysaccount just to bind cannot bind either. I don't think it is related to pki-tomcat, though.

Ricardo
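Rob's diagnosis above is that the Let's Encrypt CA certificates may be present in the NSS database pki-tomcatd uses but not marked as trusted CAs, which is what ipa-cacert-manage install followed by ipa-certupdate is meant to fix. The script below is an added check, not part of this thread or of FreeIPA: it reads the output of `certutil -L -d /etc/pki/pki-tomcat/alias` (the pki-tomcat NSS database path is assumed from a standard FreeIPA install) and prints every certificate whose SSL trust column carries neither `C` (trusted CA) nor `u` (this host's own certificate), so a CA that was merely imported without trust flags shows up by nickname. The listing embedded in the script is constructed sample data, not output from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): list CA certificates in an NSS database
# listing that carry no CA trust flag. Feed it the text produced by
#   certutil -L -d /etc/pki/pki-tomcat/alias
# (assumed pki-tomcatd database path on a standard FreeIPA install).
# Prints one nickname per line whose SSL trust column has neither
#   C (trusted CA) nor u (this host's own certificate with a private key).
list_untrusted_cas() {
    awk '
        # skip the two header lines and blank lines certutil -L prints
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            trust = $NF                     # trust attributes are the last field
            split(trust, col, ",")          # col[1] = SSL trust flags
            if (col[1] ~ /C/ || col[1] ~ /u/) next
            $NF = ""                        # drop the trust field, keep the nickname
            sub(/[ \t]+$/, "")
            print
        }'
}

# Constructed sample in certutil -L format (not real output from the poster).
# "ISRG Root X1" was imported but never given trust flags (",,").
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
R3                                                           CT,C,C
ISRG Root X1                                                 ,,'

# Run on the sample when invoked with --demo; otherwise pipe real certutil output in:
#   certutil -L -d /etc/pki/pki-tomcat/alias | sh this_script.sh
if [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | list_untrusted_cas
elif [ ! -t 0 ] && [ -z "$LIST_UNTRUSTED_CAS_SOURCED" ]; then
    list_untrusted_cas
fi
```

Any nickname this prints is a certificate the database holds but does not trust as a CA; on a FreeIPA server the expected remedy is the one Rob gives (ipa-cacert-manage install for the CA certificate, then ipa-certupdate), after which the entry should show `C` in its SSL column.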
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]