On 07/10/2015 04:36 PM, Natxo Asenjo wrote:
Earlier today I was reading a post about the new FreeIPA version on my mobile
device and got plenty of warnings about an invalid certificate. On a Fedora
laptop no warnings, but this is the problem:
$ curl -LIv https://www.freeipa.org
* Rebuilt URL to: https://www.freeipa.org/
* Hostname was NOT found in DNS cache
* Trying 22.214.171.124...
* Connected to www.freeipa.org (126.96.36.199) port 443
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* Server certificate:
* subject: CN=www.freeipa.org,O=Red Hat
* start date: Jul 16 00:00:00 2014 GMT
* expire date: Jul 19 12:00:00 2016 GMT
* common name: www.freeipa.org
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
You need to add the intermediate digicert certificate, it seems.
Sorry for the late reply, I just returned from a longer PTO... I checked the
site and finally figured out how to stuff the intermediate certificate to our
The issue now appears to be fixed, please try it and push back if it isn't :-)
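
An added example, not part of the original thread: it reproduces the failure offline with a constructed root, intermediate and leaf certificate, showing that a client trusting only the root rejects the leaf until the intermediate is supplied alongside it. All names are placeholders, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. The PKI below is constructed; all names are placeholders.
set -e

# Build root -> intermediate -> leaf in directory $1.
build_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/CN=example-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root; intermediate signed by root; leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf as a client whose trust store holds only the root.
# $2 says what the server sent: "leaf-only" or "full-chain" (leaf + intermediate).
verify_as_client() {
    d=$1
    if [ "$2" = full-chain ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" \
            "$d/leaf.pem" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" \
            >/dev/null 2>&1 && echo ok || echo fail
    fi
}

demo() {
    w=$(mktemp -d)
    build_pki "$w"
    echo "server sends leaf only:           $(verify_as_client "$w" leaf-only)"
    echo "server sends leaf + intermediate: $(verify_as_client "$w" full-chain)"
    rm -rf "$w"
}
demo
```

To see which certificates a live server actually sends, `openssl s_client -connect HOST:443 -servername HOST -showcerts` lists them.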