Ricardo Mendes wrote:
> Hi Rob once again many thanks for helping!
>
>> My guess is that the LE CA certificates are not trusted by the NSS
>> database that dogtag uses. Assuming you've added those CA certificates
>> to IPA using ipa-cacert-manage install then running ipa-certupdate
>> should fix things for you.
>>
>> rob
>
> I think the LE CA certificates are added with certutil as per the script
> I don't know if it runs ipa-cacert-manage install.

If you ran setup-le.sh then yes.

> I had tried ipa-certupdate as I remember having read that running it
> usually fixes a number of issues with the cert setup. It finishes
> successfully.
>
> # ipa-certupdate
> trying https://main.domain.io/ipa/json
> [try 1]: Forwarding 'schema' to json server
> 'https://main.domain.io/ipa/json'
> trying https://main.domain.io/ipa/session/json
> [try 1]: Forwarding 'ca_is_enabled/1' to json server
> 'https://main.domain.io/ipa/session/json'
> [try 1]: Forwarding 'ca_find/1' to json server
> 'https://main.domain.io/ipa/session/json'
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
>
> But the issue (now my issue is solely in starting pki-tomcatd. I can
> connect to the GUI when I access via https I get the new cert, edit DNS
> records (adding via web), authenticate to the web interface using
> kerberos ticket. BUT the pki-tomcat keeps throwing errors and when I run
> "ipactl restart" it fails unless I add the --ignore-service-failure
> flag. (and --skip-version-check as well I still have that one stuck).
> The certificates are at the $WORKDIR (ipa-le).

You'd need to look at the certs in the tomcat NSS database and/or look
at the 389-ds access log to see why the bind failed.

> New issues: I can't use ldapsearch with 'cn=directory manager' it fails
> with "ldap_bind: Invalid credentials (49)" and other apps that use LDAP
> with other sysaccount just to bind cannot bind as well. Don't think it
> is related to pki-tomcat tho.

Neither would be affected by the certificates.

rob

>
> Ricardo

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
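The two checks Rob points at (the certs and trust flags in the pki-tomcat NSS database, and the 389-ds access log for the failing bind) can be scripted. The script below is an added example, not part of the thread or of FreeIPA itself. It assumes the usual pki-tomcat NSS database path `/etc/pki/pki-tomcat/alias` and the 389-ds access log path `/var/log/dirsrv/slapd-<INSTANCE>/access`; both are assumptions, so the paths are variables you should set for your server. The access log lines embedded in the script are constructed samples in the 389-ds format (`conn=N op=M BIND dn=...` followed by `conn=N op=M RESULT err=...`) so that the log-correlation part runs offline; point `failed_binds` at a real access log to use it for the pkidbuser and `cn=Directory Manager` binds discussed above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from FreeIPA): correlate BIND and
# RESULT lines in a 389-ds access log to show which bind DNs fail and with
# which LDAP result code, and list the certs/trust flags in the pki-tomcat
# NSS database. Paths below are assumptions, adjust for your server.

TOMCAT_NSSDB="${TOMCAT_NSSDB:-/etc/pki/pki-tomcat/alias}"          # assumed path
DS_ACCESS_LOG="${DS_ACCESS_LOG:-/var/log/dirsrv/slapd-INSTANCE/access}"  # assumed path

# list_tomcat_certs: show every cert nickname and its trust flags.
# A CA that is present but shows no 'C' or 'T' flag is not trusted by tomcat.
list_tomcat_certs() {
    certutil -L -d "$TOMCAT_NSSDB"
}

# failed_binds LOGFILE
# Prints "conn=N op=M dn=<bind dn> err=<code>" for every bind whose RESULT
# had a non-zero error code. BIND and RESULT are matched on conn/op because
# other operations from other connections may be interleaved between them.
failed_binds() {
    awk '
        / BIND dn=/ {
            key = $3 " " $4
            dn = $0; sub(/.* BIND dn="/, "", dn); sub(/".*/, "", dn)
            bind[key] = dn
            next
        }
        / RESULT err=/ && (($3 " " $4) in bind) {
            key = $3 " " $4
            err = $0; sub(/.*err=/, "", err); sub(/ .*/, "", err)
            if (err != 0) printf "%s dn=\"%s\" err=%s\n", key, bind[key], err
            delete bind[key]
        }
    ' "$1"
}

# Constructed sample access log: a simple bind as Directory Manager that fails
# with err=49 (invalid credentials), a successful SASL/EXTERNAL bind as the
# pkidbuser used by pki-tomcat, and one pkidbuser bind that fails with err=49.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[20/Jan/2023:10:15:02.100000000 +0000] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jan/2023:10:15:02.100500000 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000500
[20/Jan/2023:10:15:03.000000000 +0000] conn=13 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=sasl version=3 mech=EXTERNAL
[20/Jan/2023:10:15:03.000200000 +0000] conn=12 op=1 UNBIND
[20/Jan/2023:10:15:03.000800000 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000800
[20/Jan/2023:10:15:04.000000000 +0000] conn=14 op=0 BIND dn="uid=pkidbuser,ou=people,o=ipaca" method=sasl version=3 mech=EXTERNAL
[20/Jan/2023:10:15:04.000900000 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000900
EOF

# Report on the constructed sample; on a real server use "$DS_ACCESS_LOG".
failed_binds "$SAMPLE_LOG"

# Only try the NSS database if it exists on this host.
if [ -d "$TOMCAT_NSSDB" ]; then
    list_tomcat_certs
fi
```

A bind that fails with err=49 for `uid=pkidbuser,ou=people,o=ipaca` over SASL/EXTERNAL is the pattern to look for when pki-tomcat cannot start after a certificate change: it means 389-ds could not map the client certificate tomcat presented to that account, which is a certificate or trust problem, whereas the same err=49 on a simple bind with a password is an unrelated credential problem, matching Rob's remark that the Directory Manager failure would not be caused by the certificates.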
