Hi,

you can manually add the new CA to the NSS databases:
- /etc/dirsrv/slapd-xxx
- /etc/ipa/nssdb
- /etc/pki/pki-tomcat/alias (if you have configured an embedded CA)
- /etc/httpd/alias (if IPA version < 4.7)
and to the PEM files /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.

ipa-certupdate needs the services to be up and running. What is the output of "ipactl status" on your server?

flo

On Sun, Oct 17, 2021 at 1:21 AM cicek adam via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi, I’ve been suffocating the same problem. I applied
> ipa-server-certinstall without adding ca first.
> I applied your steps and added my ca.crt to /etc/ipa/ca.crt and
> /etc/ipa/nssdb with certutil, after that I ran ipa-certupdate and it still
> fails.
>
> [root@xxx ~]# certutil -d sql:/etc/ipa/nssdb/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Xxx IPA CA                                                   CT,C,C
> globalsign                                                   CT,C,C
>
> After this I ran ipa-certupdate and it says
>
> cannot connect to 'any of the configured servers’: …. (List of my
> ipaservers goes here)
> The ipa-certupdate command failed.
>
> Should I do this process for all servers, or am I missing something?
> Related to this problem I am having login failure at the web ui. Would it
> work if I created a new db and added my GlobalSign ca there? Do I need the
> self-signed ipa ca?
>
> PS: I'm running freeipa on rhel8
>
> Thanks.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
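A read-only check for the NSS databases named in the reply, as an added example that is not part of the original thread: it parses `certutil -L` listings in the format quoted above and reports where a CA nickname is missing or lacks CA trust. The script name and the nickname argument are assumptions; `slapd-xxx` is the thread's own placeholder, and the PEM files are not covered.

```shell
#!/bin/sh
# Added example. The nickname is supplied by the caller (assumption);
# slapd-xxx is the thread's own placeholder for the instance name.
NSS_DBS="/etc/dirsrv/slapd-xxx /etc/ipa/nssdb /etc/pki/pki-tomcat/alias /etc/httpd/alias"

# Print the trust flags that `certutil -L` output (stdin) shows for nickname $1.
# Nicknames may contain spaces: the trust string is the last field and the
# nickname is everything before it.
trust_of() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            t = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")   # strip the trust column
            sub(/^[ \t]+/, "")                # strip leading blanks
            if ($0 == nick) { print t; exit }
        }'
}

# Succeed only if nickname $1 is listed with "C" (trusted CA) in the SSL field.
ca_trusted() {
    t=$(trust_of "$1")
    case "${t%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Pick the database prefix from the files present (cert9.db = sql, cert8.db = dbm).
db_spec() {
    if [ -f "$1/cert9.db" ]; then echo "sql:$1"
    elif [ -f "$1/cert8.db" ]; then echo "dbm:$1"
    else return 1; fi
}

# Report, for every database that exists on this host, whether the CA is trusted.
audit_dbs() {
    rc=0
    for db in $NSS_DBS; do
        spec=$(db_spec "$db") || continue
        if certutil -L -d "$spec" | ca_trusted "$1"; then
            echo "OK      $db"
        else
            echo "MISSING $db"; rc=1
        fi
    done
    return $rc
}

# Usage (as root): sh check-ca.sh --audit "globalsign"
if [ "${1:-}" = "--audit" ]; then audit_dbs "$2"; fi
```

Databases that do not exist on the host are skipped, so the same script can be run on each server.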