barry...@gmail.com wrote:
externally signed CA - Godaddy expired.

Already add new to db /etc/https/alias / -L  and config nickname map in
/etc/http/config.d/nss.conf
Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to?
Already change /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif

Start stop IPA no cert issue, but server ipa prepare fail.

IPA replica still say cert expiry, anywhere I missed?


ipa-replica-prepare needs certificates, one for the new web server and one for the new LDAP server. If certificates aren't provided on the CLI it will attempt to get them from the IPA CA. Your CA is not working, hence the failure.

rob


Thanks


2016-05-25 19:30 GMT+08:00 Martin Basti <mba...@redhat.com>:



    On 25.05.2016 04:36, Barry wrote:

    Hi:

    Which location should I renew cert?
    Http/alias
    Etc/dirsrv/slapd*

    Enough?


    We need to know if you have IPA configured with
    * externally signed CA
    * or self-signed CA
    * or if you have any other certificates from different CAs

    If I remember correctly you wrote in one email that you have a
    certificate from godaddy, which certificate?

    In case you have a self-signed CA certificate you should follow:
    http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

    Martin
    On 24 May 2016 at 10:01 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

        barry...@gmail.com wrote:

            hi all:


            Thx, as title

            ipa         : ERROR    cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
            preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
            cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.


        The root of all your problems is that your certificates are
        expired. Fixing this should be your priority. This is probably
        going to involve going back in time to when the certificates
        are still valid, restarting IPA, restarting certmonger and
        waiting for things to properly renew. It can take some time as
        the certificates don't all renew at once.

        I suspect that once renewed and returned to current time the
        rest of your problems will, for the most part, go away.

        rob





    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project



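
The advice in this thread depends on knowing which tracked certificates are already past their expiry date. As an added example (not part of the original thread), the shell function below reads text in the format printed by certmonger's `getcert list` and reports every request whose `expires:` time is earlier than a reference time. The sample input, including its request IDs, realm, nicknames and dates, is constructed.

```shell
#!/bin/sh
# Added example: report certmonger requests whose certificate is expired.
# stdin: text in the format printed by `getcert list`
# $1:    reference time "YYYY-MM-DD HH:MM:SS" in UTC (default: now)
expired_certs() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" -v q="'" '
        function emit() {
            # Fixed-width UTC timestamps compare correctly as plain strings.
            if (id != "" && expires != "" && expires < now)
                printf "%s|%s|%s|%s\n", id, nick, status, expires
            id = nick = status = expires = ""
        }
        /^Request ID / { emit(); id = $3; gsub(q, "", id); sub(/:$/, "", id); next }
        /^[ \t]*status:/ { status = $2; next }
        /^[ \t]*certificate:/ {
            # The nickname field is present for NSS database storage.
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
            next
        }
        /^[ \t]*expires:/ { expires = $2 " " $3; next }
        END { emit() }
    '
}

# Constructed sample input (IDs, realm, nicknames and dates are made up).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140520100000':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-05-20 10:00:00 UTC
Request ID '20140520100001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2018-05-20 10:00:00 UTC
Request ID '20140520100002':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2016-05-10 09:00:00 UTC
EOF
}

# Live use on an IPA server would be: getcert list | expired_certs
sample_getcert_list | expired_certs '2016-05-25 11:30:00'
```

Each output line is `request-id|nickname|status|expires`. Passing an earlier reference time shows which certificates would still be valid at that point.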