Hi, On Tue, Mar 15, 2022 at 2:19 PM Eric Boisvert via FreeIPA-users < [email protected]> wrote:
> Good morning, > > I don't know what happened, but this morning the ipa cert-show 1 command > is working and it's showing an old certificate. > > That's normal as the cert with serial = 1 is the one created when IPA server was installed and the IPA CA got created. > Also the CMS error is gone on the FreeIPA server. > > Firefox is still showing the error message. > Firefox stores the trusted CAs and you can manually remove the conflicting one: Edit > Settings > Privacy & Security > Certificates > View Certificates... In the Authorities tab, you can look for your original root CA (for which the key was lost) / the one that you created with the same subject name, and remove it. > After copying the /etc/pki/ca-trust/source/ipa.p11-kit from the server to > a client > Doing the kinit > Running update-ca-trust > Running ipa-ckiniertupdate > > I still got Major (851968): Unspecified GSS failure. Minor code may > provide more information, Minor (2529639122): Generic preauthentication > failure > > With this version of IPA, you need to run kinit admin before ipa-certupdate. If this doesn't solve the issue, please paste the output of ipa-certupdate -v, it will help troubleshoot. flo > Should I go back in time on the client server or it's possible to be at > the current time when doing manipulation? > > I guess there is something wrong with how my clients are setup and that > I'm really close to fix almost everything. > > Eric > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
