On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:


I’m still trying to figure out this error but I am getting nothing.

Anyone have any suggestions or ideas on why this is failing?


*From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Joseph, Matthew (EXP)
*Sent:* Monday, April 08, 2013 12:30 PM
*To:* Nathan Kinder
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors


Yup, the client side says the following;

Op=-1 fd=64 closed – Peer does not recognize and trust the CA that issued your certificate.


Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. To check if you are using MD5 certificate signatures, use this command to examine the certificates -

cerutil -L -d/etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

Jatin Nansi

Freeipa-users mailing list

Reply via email to