seli irithyl wrote:
> # getcert list
> returns 9 request IDs. All 9 are in status "MONITORING" and expire after
> 2017.
> So no expired certificate.
> Number of certificates and requests being tracked: 9.
> [snip]
> Request ID '20150313092456':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=BIOINF.LOCAL
> subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
> expires: 2017-03-13 09:24:56 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> [ more snip ]
> Unfortunately when trying to run any ipa command:
> [root@lead ~]# ipa service-find lead.bioinf.local
> ipa: ERROR: cert validation failed for "E=root@lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--"
> ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
> ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json':
> (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
Note that the subject of the certmonger-tracked certificate is different
from the subject reported in the error. This looks like a default
mod_ssl-generated certificate to me. Did you tweak your Apache config?
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
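The check Rob does by eye above (does the subject in the error match the subject certmonger is tracking?) can be scripted. The following is an added example written for this page, not code from the thread or from FreeIPA or certmonger. It parses `getcert list` output, normalises the two DN spellings so that NSS-style (CN first, `E=`) and OpenSSL-style (`C = --, ... emailAddress =`) subjects compare equal regardless of RDN order, flags any tracked certificate that has already expired, and reports whether the certificate named in the error is one certmonger tracks at all. The embedded input is a constructed excerpt of the output posted above; the `looks_like_mod_ssl_default` heuristic and the date `2015-03-20` are assumptions for illustration.

```python
"""Compare the certificate certmonger tracks with the one the IPA error names.

Added example, not part of the original thread. Feed it real data with
    getcert list > tracked.txt
and the subject DN copied from the SEC_ERROR_CA_CERT_INVALID message, or the
subject of the certificate httpd actually serves, e.g.
    openssl s_client -connect lead.bioinf.local:443 </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
"""
import re
from datetime import datetime, timezone

# Constructed input: an excerpt of the `getcert list` output from the thread.
# Real getcert output indents fields with a tab; spaces work the same here.
GETCERT_LIST_OUTPUT = """\
Number of certificates and requests being tracked: 9.
Request ID '20150313092456':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=BIOINF.LOCAL
    subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
    expires: 2017-03-13 09:24:56 UTC
    track: yes
    auto-renew: yes
"""

# The subject DN quoted in the SEC_ERROR_CA_CERT_INVALID error in the thread.
ERROR_SUBJECT = ("E=root@lead.bioinf.local,CN=lead.bioinf.local,"
                 "OU=SomeOrganizationalUnit,O=SomeOrganization,"
                 "L=SomeCity,ST=SomeState,C=--")

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD = re.compile(r"^\s+([A-Za-z -]+?):\s?(.*)$")
# OpenSSL and NSS spell some attribute types differently.
ATTR_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E", "S": "ST"}


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the getcert field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_HEADER.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_dn(dn):
    """Normalise a DN into an unordered set of (ATTR, value) pairs.

    NSS prints most-specific RDN first (CN ... C), OpenSSL the reverse and
    with spaces around '=', so comparing as a set makes both forms equal.
    Backslash-escaped commas stay inside the value; multi-valued RDNs
    (a+b) are not handled.
    """
    pairs = set()
    for rdn in re.split(r"(?<!\\),", dn.strip().removeprefix("subject=")):
        attr, _, value = rdn.strip().partition("=")
        attr = attr.strip().upper()
        pairs.add((ATTR_ALIASES.get(attr, attr), value.strip().replace("\\,", ",")))
    return frozenset(pairs)


def find_tracked(requests, subject_dn):
    """Tracked requests whose subject equals subject_dn (order-insensitive)."""
    wanted = parse_dn(subject_dn)
    return [r for r in requests if parse_dn(r.get("subject", "")) == wanted]


def expired(requests, now_utc):
    """IDs of tracked certs whose 'expires' timestamp is before now_utc."""
    out = []
    for r in requests:
        if "expires" not in r:
            continue  # e.g. a request still waiting for issuance
        exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
        if exp.replace(tzinfo=timezone.utc) < now_utc:
            out.append(r["id"])
    return out


def looks_like_mod_ssl_default(subject_dn):
    """Heuristic (assumption): the placeholder values the stock mod_ssl dummy
    certificate is generated with on Fedora/RHEL (SomeOrganization, C=--)."""
    pairs = parse_dn(subject_dn)
    return ("O", "SomeOrganization") in pairs and ("C", "--") in pairs


def diagnose(getcert_text, error_subject, now_iso=None):
    """Summarise tracking status, expiry and whether the error's cert is tracked.

    now_iso is an ISO date/time string taken as UTC; None means the real clock.
    """
    now = (datetime.fromisoformat(now_iso) if now_iso else datetime.now()).replace(tzinfo=timezone.utc)
    requests = parse_getcert_list(getcert_text)
    return {
        "tracked": [r["id"] for r in requests],
        "expired": expired(requests, now),
        "error_subject_tracked": [r["id"] for r in find_tracked(requests, error_subject)],
        "mod_ssl_default": looks_like_mod_ssl_default(error_subject),
    }


if __name__ == "__main__":
    report = diagnose(GETCERT_LIST_OUTPUT, ERROR_SUBJECT, "2015-03-20")
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["error_subject_tracked"]:
        print("The certificate in the error is not one certmonger tracks; "
              "check which certificate httpd actually serves and its Apache config.")
```

Run as-is it reports that no tracked certificate is expired on the given date and that the error's subject matches none of the tracked subjects, which is exactly the mismatch Rob points at; the `mod_ssl_default` flag is only a hint and is no substitute for looking at the live certificate with `openssl s_client` and at the `SSLCertificateFile`/`NSSNickname` settings in the Apache configuration.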