Hi Simo, yes, I had tried this and it was still causing the same issue.  If
anyone else encounters a similar problem, here is the solution that worked
for me:

This file:  /usr/lib/python2.4/site-packages/ipaserver/replication.py
Contains this line at the top:  CACERT="/usr/share/ipa/html/ca.crt"
When updating the dirsrv and http server NSS database certs with
ipa-server-certinstall, this particular cert never gets updated.  It keeps
the original self-signed cert that was installed (standalone, not NSS).

Backed up this file, and copied (for me, DigiCertCA2.crt) the proper CA cert
to allow the verification worked finally.  I had tried the full chain, the
primary DigiCertCA.crt cert, etc.  But the one that it wanted was the
DigiCertCA2.crt certificate alone.


>> So, can someone give me some advice about where else it may be reading

>> the certificate from, or how I can do things "the proper way"

>> for IPA?

>/etc/ipa/ca.crt is another place where the cert can be found.
>but for winsync you can pass the cacert on the command line, have you tried
that ?

Freeipa-users mailing list

Reply via email to