Hi, I’ve been suffocating the same problem. I applied ipa-server-certinstall without adding ca first. I applied your steps and added my ca.crt to /etc/ipa/ca.crt and /etc/ipa/nssdb with certutil, after than I run ipa-certupdate and it still fails.
[root@xxx ~]# certutil -d sql:/etc/ipa/nssdb/ -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Xxx IPA CA CT,C,C globalsign CT,C,C After this I ran ipa-certupdate and it says cannot connect to 'any of the configured servers’: …. (List of my ipaservers goes here) The ipa-certupdate command failed. Should I do this process for all servers, or I am missing something? Related to this problem I am having login failure at the web ui. Would it work if I created a new db and added my GlobalSign ca there? Do I need the self signed ipa ca? PS: I'm running freeipa on rhel8 Thanks. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure