Hi Simo, yes, I had tried this and it was still causing the same issue. If
anyone else encounters a similar problem, here is the solution that worked:
This file: /usr/lib/python2.4/site-packages/ipaserver/replication.py
Contains this line at the top: CACERT="/usr/share/ipa/html/ca.crt"
When updating the dirsrv and http server NSS database certs with
ipa-server-certinstall, this particular cert never gets updated. It keeps
the original self-signed cert that was installed (standalone, not NSS).
Backed up this file, and copied the proper CA cert (for me, DigiCertCA2.crt)
to allow the verification, which finally worked. I had tried the full chain, the
primary DigiCertCA.crt cert, etc. But the one that it wanted was the
DigiCertCA2.crt certificate alone.
>> So, can someone give me some advice about where else it may be reading
>> the certificate from, or how I can do things "the proper way"
>> for IPA?
>/etc/ipa/ca.crt is another place where the cert can be found.
>but for winsync you can pass the cacert on the command line, have you tried
Freeipa-users mailing list