OK Thanks a lot for the solution and for the advice.

2012/9/19 Rob Crittenden <rcrit...@redhat.com>

> James James wrote:
>
>> Hi,
>>
>> I have followed this
>> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
>> and everything works well.
>>
>> Now when, from the console, I execute
>>
>> $ ipa user-find
>>
>> I've got
>>
>> [root@ipa ipa]# ipa user-find
>> ipa: ERROR: cert validation failed for "E=certus...@example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
>>
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
>> as not trusted by the user.)
>> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>> been marked as not trusted by the user.
>>
>> Any help will be much appreciated.
>>
>
> You need to add the CA certificate to /etc/pki/nssdb on the client and
> mark it as trusted.
>
> Note that installing certificates from another CA is not recommended and
> you may run into further corner cases. If you have an existing CA then
> installing the IPA dogtag CA as a subordinate is a better long-term
> solution.
>
> rob
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
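
The step described in the reply above (add the CA certificate to the client's NSS database and mark it trusted), as an added example that is not part of the original thread. The function names, the nickname and the PEM file path are assumptions; `CT,C,C` is a commonly used set of trust flags for a CA certificate, and the script refuses to trust a file that is not a CA certificate.

```shell
#!/bin/sh
# Added example (not from the thread): trust an external CA in an NSS database.
# Usage (hypothetical names): sh trust-ca.sh /etc/pki/nssdb "Example CA" /root/ca.pem

# ca_fingerprint PEM_FILE -> prints the SHA-256 fingerprint so it can be
# compared out of band with the value published by the CA operator.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# trust_ca DB NICKNAME PEM_FILE
# Imports the certificate and marks it as a trusted issuer.
trust_ca() {
    db=$1 nick=$2 pem=$3
    # Only certificates with basicConstraints CA:TRUE may become trust anchors;
    # a server (leaf) certificate must never be given CA trust.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || {
        echo "$pem is not a CA certificate, refusing to trust it" >&2
        return 1
    }
    # Trust flags are SSL,S/MIME,code-signing:
    #   C = trusted CA for issuing server certificates
    #   T = trusted CA for issuing client certificates
    certutil -A -d "$db" -n "$nick" -t 'CT,C,C' -a -i "$pem"
}

# ca_trust_flags DB NICKNAME -> prints the stored trust flags, e.g. CT,C,C
ca_trust_flags() {
    certutil -L -d "$1" | awk -v n="$2" 'index($0, n " ") == 1 { print $NF }'
}

# Run only when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then
    ca_fingerprint "$3"
    trust_ca "$1" "$2" "$3" && ca_trust_flags "$1" "$2"
fi
```

After the import, `ipa user-find` should no longer report SEC_ERROR_UNTRUSTED_ISSUER for certificates issued by that CA.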
