externaly signed CA - Godaddy Exppired. Already add new to db /etc/https/alias / -L and config nickname map in /etc/http/config.d/nss.conf Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to? Alreasy change /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif
Start stop IPA no cert issue . but server ipa prepare fail. IPA replica still say cert expiry , any where I missed ? Thanks 2016-05-25 19:30 GMT+08:00 Martin Basti <[email protected]>: > > > On 25.05.2016 04:36, Barry wrote: > > Hi: > > Which location i should renew cert? > Http/alias > Etc/dirsrv/slapd* > > Enough? > > > We need to know if you have IPA configured with > * externaly signed CA > * or selfsigned CA > * or if you have any other certificates from different CAs > > If I remember correctly you wrote in one email that you have a certificate > from godaddy, which certificate? > > In case you have self signed CA certificate you should follow: > http://www.freeipa.org/page/Howto/CA_Certificate_Renewal > > Martin > > 2016年5月24日 下午10:01 於 "Rob Crittenden" <[email protected]> 寫道: > >> [email protected] wrote: >> >>> hi all: >>> >>> >>> Thx ad title >>> >>> ipa : ERROR cert validation failed for "CN=server.abc.com >>> <http://server.abc.com>,O=WISER S.COM <http://S.COM>" >>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) >>> preparation of replica failed: cannot connect to >>> 'https://server.ABC.com:944 4/ca/ee/ca/profileSubmitSSLClient': >>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certi ficate has expired. >>> cannot connect to >>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClie nt': >>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired. >>> >> >> The root of all your problems is that your certificates are expired. >> Fixing this should be your priority. This is probably going to involve >> going back in time to when the certificates are still valid, restarting >> IPA, restarting certmonger and waiting for things to properly renew. It can >> take some time as the certificates don't all renew at once. >> >> I suspect that once renewed and returned to current time the rest of your >> problems will, for the most part, go away. >> >> rob >> > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
