James James wrote:
Hi,

I have followed this
http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
and everything works well.

Now when, from the console, I execute

$ ipa user-find

I've got

[root@ipa ipa]# ipa user-find
ipa: ERROR: cert validation failed for "E=certus...@example.com
<mailto:certus...@example.com>,CN=ipa.example.com
<http://ipa.example.com>,OU=TEST,O=TEST,C=FR"
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
as not trusted by the user.)
ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
[Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
been marked as not trusted by the user.

Any help will be very appreciated ..

You need to add the CA certificate to /etc/pki/nssdb on the client and mark it as trusted.

Note that installing certificates from another CA is not recommended and you may run into further corner cases. If you have an existing CA then installing the IPA dogtag CA as a subordinate is a better long-term solution.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to