Earlier today I was reading a post about the new FreeIPA version on my
mobile device and got plenty of warnings about an invalid certificate. On a
Fedora laptop no warnings, but this is the problem:
$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
* Trying 18.104.22.168...
* Connected to www.freeipa.org (22.214.171.124) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* Server certificate:
* subject: CN=www.freeipa.org,O=Red Hat Inc.,L=Raleigh,ST=North
* start date: Jul 16 00:00:00 2014 GMT
* expire date: Jul 19 12:00:00 2016 GMT
* common name: www.freeipa.org
* issuer: CN=DigiCert SHA2 High Assurance Server
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
You need to add the intermediate DigiCert certificate, it seems.
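The failure discussed in this thread can be reproduced offline. The following is an added example, not part of the original messages: it builds a throwaway root, intermediate and leaf with the openssl CLI (all names, such as "Demo Root CA" and www.example.test, are constructed) and verifies the leaf against the root alone and then with the intermediate supplied, as a server sending its full chain would.

```shell
#!/bin/sh
# Added demo; every key, certificate and name here is generated locally (constructed).
set -eu

# mkcert DIR NAME SUBJECT ISSUER [EXTFILE]: make key + CSR, then sign with ISSUER.
# ISSUER equal to NAME means self-signed (used for the root).
mkcert() {
    d=$1; n=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    if [ "$4" = "$n" ]; then
        set -- -signkey "$d/$n.key" ${5:+-extfile "$5"}
    else
        set -- -CA "$d/$4.pem" -CAkey "$d/$4.key" -CAcreateserial ${5:+-extfile "$5"}
    fi
    openssl x509 -req -in "$d/$n.csr" -days 2 "$@" -out "$d/$n.pem" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> leaf, mirroring a CA-issued server cert.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
    mkcert "$1" root "/CN=Demo Root CA"         root "$1/ca.ext"
    mkcert "$1" int  "/CN=Demo Intermediate CA" root "$1/ca.ext"
    mkcert "$1" leaf "/CN=www.example.test"     int
}

# verify_leaf DIR [INTERMEDIATE]: the client trusts only the root. Certificates
# passed via -untrusted play the role of extra certs sent in the TLS handshake.
# Prints "trusted" if a path to the root can be built, otherwise "rejected".
verify_leaf() {
    dir=$1; extra=${2:-}
    if openssl verify -CAfile "$dir/root.pem" ${extra:+-untrusted "$extra"} \
        "$dir/leaf.pem" >/dev/null 2>&1
    then echo trusted
    else echo rejected
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work"
echo "server sends leaf only:           $(verify_leaf "$work")"
echo "server sends leaf + intermediate: $(verify_leaf "$work" "$work/int.pem")"
```

Clients that have cached the intermediate or fetch it on their own can still build the path, which is why the same site may validate on one machine and fail on another.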