Sorry for the third reply in a row. A coworker was able to fix the

    GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639122): Generic preauthentication failure

by doing

    # kinit admin
    # mv /etc/krb5.keytab /etc/krb5.keytab-BACKUP
    # ipa-getkeytab -s freeipa.qc.lrtech.ca -p host/client.qc.lrtech...@qc.lrtech.ca -k /etc/krb5.keytab

and I was able to fix

    ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

by manually adding my root CA to /etc/ipa/nssdb with the command

    # certutil -A -i -t CT,C,C -d /etc/ipa/nssdb -n "E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA"

After that the ipa-certupdate command was successful, but those old certificates that I talked about earlier came back and I had to manually delete them. Again I had to modify my root CA in the /etc/ipa/nssdb because it lost its trusted attributes CT,C,C.

Then I was able to resubmit my client certificate to FreeIPA. Hooray!!!

Am I supposed to do all that manual work? Is there an IPA command to remove those annoying certificates and save my root CA trusted state?

My client can now communicate with my FreeIPA, but it's still giving me my old certificate when I access its URL in Firefox or Chrome. Should I manually add my root CA to another database?

    /etc/ipa/nssdb   - root CA is present
    /etc/httpd/alias - Not here
    /etc/httpd/nssdb - Not here

Eric
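A way to verify the trust attributes mentioned in the message above, as an added example that is not part of the original post: the shell function reads a `certutil -L` listing and checks that a nickname still carries the expected flags, for instance after running ipa-certupdate. The function name check_trust, the two sample listings and the nicknames in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_trust NICKNAME EXPECTED_FLAGS   (reads a `certutil -L` listing on stdin)
# Exit status: 0 = flags match, 1 = flags differ, 2 = nickname not listed.
check_trust() {
    awk -v nick="$1" -v want="$2" '
        NF >= 2 {
            # Last column holds the trust flags; everything before the
            # padding is the nickname, which may contain spaces.
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            sub(/^[ \t]+/, "", name)
            if (name == nick) {
                found = 1
                if (flags != want) bad = 1
                printf "%s: %s\n", name, flags
            }
        }
        END {
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed listings in the layout certutil -L prints (hypothetical nicknames).
sample_before() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Example Root CA 2022                                         CT,C,C
EOF
}

# Same database after the root CA entry lost its trust flags (constructed).
sample_after() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Example Root CA 2022                                         ,,
EOF
}

# Against a real database: certutil -L -d /etc/ipa/nssdb | check_trust "<nickname>" "CT,C,C"
sample_before | check_trust "Example Root CA 2022" "CT,C,C"
sample_after  | check_trust "Example Root CA 2022" "CT,C,C" || echo "trust flags changed"
```
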