> What is the serial number for the two "QC.LRTECH.CA IPA CA"
> certificates? Are they different? If not that would explain the Firefox
> error.

They are different:

Serial Number: 4098 (0x1002)
Serial Number: 00:8a:58:8a:64:a9:7d:dc:a0

> On the IPA server with the CA up, does ipa cert-show 1 work?
>
> If not we need to work on that first. It means the CA isn't quite
> functioning despite the renewed certificates.

No

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

> With the renewed certificates you shouldn't have to fiddle with time
> anymore. Do basic operations work on the server with current time?

What are basic operations? I can do ipactl restart, status without problem. I can do getcert list. kinit is working. certutil is working too.

> I'm not sure if this is a typo or not, # certutil -L -d /etc/httpd/nssdb
>
> Did you mean /etc/pki/nssdb?

It wasn't a typo and I looked in /etc/pki/nssdb and it was empty. I'm not the one that set up FreeIPA so if something isn't at the right place I can't really explain why.

Eric