I do have other CAs (just not the master, but it is available offline if needed).
Directory server is running.
The Apache web server is running and I can get to the GUI.
ipa cert-show 1 works.

Are the TLS errors due to the mismatch in certs between slapd-PKI-CA and slapd-NETWORKFLEET-COM?
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Wednesday, March 11, 2015 7:20 PM
To: sipazzo; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers

sipazzo wrote:
> Thanks Rob, I apologize that error was probably not helpful. This is what I see when running install in debug mode:
>
> Verifying that ipa2-corp.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-corp.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa1-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa1-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa1-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa1-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa2-io.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-io.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
> Verifying that ipa2-xo.networkfleet.com (realm EXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa2-xo.networkfleet.com:389
> LDAP Error: Connect error: TLS error -8179:Peer's Certificate issuer is not recognized.
>
> The certificates are very confusing to me. I don't understand how things are working when we have a set of GoDaddy certs in slapd-NETWORKFLEET-COM and a set of the Dogtag certs in slapd-PKI-CA. The cert in /usr/share/ipa/html/ca.crt looks like the original one issued by the Dogtag cert system and matches the ones on the clients.
>
> Not to further confuse things, but the original master server that signed all these certs was taken offline months ago due to some issues it was having. I do still have access to it if necessary.
>
> As far as why the GoDaddy certs were swapped out for the Dogtag certs, it was originally for something as simple as the untrusted certificate dialogue when accessing the ipa GUI. I did not swap out the certs so am unsure of exactly what happened. There is no real need to use the GoDaddy certs as far as I am concerned. I just want the best solution to the issues I am seeing, as I am in kind of a bind with the GoDaddy cert being revoked and needing to be replaced and the master Dogtag certificate server offline. We have a mixed environment with RHEL 5, 6 and Solaris clients so are not using sssd in all cases.
>
> I know this is asking a lot but appreciate any help you can give.

What is the current state of things?

Does your IPA Apache server work?
Is 389-ds up and running?
Do you have a working IPA CA?
Does ipa cert-show 1 work?

If the answer is yes to all then we should be able to generate new certs for all the services.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
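An added illustration, not from the thread or from FreeIPA's own code, of what the quoted TLS error -8179 (NSS SEC_ERROR_UNKNOWN_ISSUER) means: the LDAP client verifies the server certificate against its trust store, and the store lacks the CA that actually issued it. It is written in Go so it runs offline with the standard library; the CA names, host name and serials are constructed placeholders, and the two CAs stand in for the Dogtag CA and an unrelated public CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey; a nil parent makes tmpl a self-signed root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}

// BuildScenario: constructed placeholder fixtures (not the poster's): LDAP server cert issued by the IPA CA; an unrelated public CA also exists.
func BuildScenario() (ldapCert, ipaCA, publicCA *x509.Certificate) {
	tmpl := func(cn string, serial int64, isCA bool) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		}
	}
	ipaCA, ipaKey := issue(tmpl("Example IPA CA", 1, true), nil, nil)
	publicCA, _ = issue(tmpl("Unrelated Public CA", 2, true), nil, nil)
	ldapCert, _ = issue(tmpl("ipa2.example.test", 3, false), ipaCA, ipaKey)
	return ldapCert, ipaCA, publicCA
}

// IssuerRecognized is the client-side handshake check: does the server cert chain to trustedCA? A miss is x509.UnknownAuthorityError here and -8179 in NSS.
func IssuerRecognized(serverCert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverCert.DNSNames[0]})
	return err
}
```

Swapping which CA is trusted is the whole difference between a clean handshake and the "issuer is not recognized" failure, which is why the contents of the client's NSS database matter as much as the server's.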