It failed again.

[root@cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@cache2-uat ~]#

Not sure if it's related, but on the directory server in the apache
error.log I see the below every time a client tries to register:

[Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL client cannot verify your certificate

On the directory server I ran ipa-getcert list and the certs seem ok.

On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Megan . wrote:
>> Sorry for being unclear. It still fails. Same error.
>
> Hmm, strange. Try being explicit about sql:
>
> # certutil -L -d sql:/etc/pki/nssdb
>
> And if there is a CA cert there, delete it.
>
> rob
>
>>
>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:
>>
>> Megan . wrote:
>> > Thanks.
>> >
>> > I did have an issue last week where I tried to do the client install
>> > and it failed because of a firewall issue. Networks has it opened
>> > now. I deleted ca.crt before trying again. There doesn't seem to be
>> > a certificate in /etc/pki/nssdb for it.
>> >
>> > [root@data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > [root@data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>> >
>> > certutil: could not find certificate named "IPA CA":
>> > SEC_ERROR_BAD_DATABASE: security library: bad database.
>> >
>> > [root@data2-uat ipa]# ls
>> >
>> > [root@data2-uat ipa]# pwd
>> >
>> > /etc/ipa
>> >
>> > [root@data2-uat ipa]# ls -al
>> >
>> > total 16
>> >
>> > drwxr-xr-x. 2 root root 4096 Dec 5 21:16 .
>> >
>> > drwxr-xr-x. 82 root root 12288 Dec 5 21:16 ..
>> >
>> > [root@data2-uat ipa]#
>>
>> So trying to install the client again fails or succeeds now?
>>
>> rob
>>
>> >
>> > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> >> Rob Crittenden wrote:
>> >>> Megan . wrote:
>> >>>> Good Day!
>> >>>>
>> >>>> I am getting an error when I register new clients.
>> >>>>
>> >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>> >>>>
>> >>>> I can't find anything useful on the internet about the error. Can
>> >>>> someone help me troubleshoot?
>> >>>>
>> >>>> CentOS 6.6 x64
>> >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>> >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>> >>>> curl-7.19.7-40.el6_6.1.x86_64
>> >>>
>> >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>> >>> any testing on the client with this set.
>> >>
>> >> Never mind, that's not it. The problem is:
>> >>
>> >> * NSS error -8054
>> >>
>> >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>> >>
>> >> So I'd do this:
>> >>
>> >> # rm /etc/ipa/ca.crt
>> >>
>> >> You may also want to ensure that the IPA CA certificate isn't in
>> >> /etc/pki/nssdb:
>> >>
>> >> # certutil -L -d /etc/pki/nssdb
>> >>
>> >> And then perhaps
>> >>
>> >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>> >>
>> >> rob
>> >>
>> >