On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
> Here is the output from the submit:
>
> /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
> Submitting request to "https://ipa01.ctidata.net/ipa/xml";.
> Fault -504: (libcurl failed to execute the HTTP POST transaction,
> explaining: Peer certificate cannot be authenticated with known CA
> certificates).
> Server failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining: Peer certificate cannot be authenticated
> with known CA certificates).
>
> Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July
> 6, 2019.
Hmm, so for both cases, you're seeing errors verifying the IPA server's
certificate. Can you double-check the certificates and that the
server's looks like it was issued by the CA?
This should more or less repeat the part of the process that's giving
libcurl trouble, and show us the certificates, too:
ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
openssl s_client -CAfile /etc/ipa/ca.crt \
-connect $ipahost:https -showcerts < /dev/null
Nalin
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
