Sigbjorn Lie wrote:

It would seem like we're still encountering some issues. The date has now passed for when the old certificate expired, and the "ipa" cli command no longer works. The webui is still working just fine.

These are the errors I receive.

$ ipa user-find
ipa: ERROR: cert validation failed for "CN=serveripa03.example.com,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for "CN=serveripa01.example.com,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for "CN=serveripa02.example.com,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://serveripa03.example.com/ipa/xml, https://serveripa01.example.com/ipa/xml, https://serveripa02.example.com/ipa/xml

This seems more like a client-side issue. Can you confirm that /etc/ipa/ca.crt is correct and that the NSS database in /etc/pki/nssdb contains the CA?

certutil -L -d /etc/pki/nssdb -n 'IPA CA'

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
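
Added example, not part of the original thread: a shell check built around the certutil listing for the database and nickname named in the reply above. It goes one step further than confirming the CA is present by also reading the trust attributes; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read `certutil -L -d <db>` listing output
# and report whether a CA nickname is trusted to issue TLS server certificates
# (a "C" in the first, SSL, field of the trust attributes).

# Print the trust attributes (e.g. "CT,C,C") of nickname $1; listing on stdin.
# Nicknames may contain spaces, so the attributes are taken as the last field.
trust_attrs() {
    awk -v nick="$1" '
        NF >= 2 {
            attrs = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the attributes column
            sub(/^[ \t]+/, "", name)
            if (name == nick) { print attrs; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Status 0: trusted CA for TLS; 1: present but not trusted; 2: nickname absent.
ca_trusted_for_tls() {
    attrs=$(trust_attrs "$1") || return 2
    case "${attrs%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample listing (not output from the hosts in the thread);
# $1 is the trust attribute string to place on the "IPA CA" line.
sample_listing() {
    printf '%s\n' '' \
        'Certificate Nickname                                         Trust Attributes' \
        '                                                             SSL,S/MIME,JAR/XPI' \
        '' \
        "IPA CA                                                       $1"
}

# On a client, check the database and nickname named in the reply above.
if command -v certutil >/dev/null 2>&1 && [ -d /etc/pki/nssdb ]; then
    if certutil -L -d /etc/pki/nssdb | ca_trusted_for_tls 'IPA CA'; then
        echo "IPA CA: trusted to issue TLS server certificates"
    else
        echo "IPA CA: not usable (status $?: 1 = not trusted, 2 = not found)"
    fi
fi
```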
