seli irithyl wrote:
# getcert list
returns 9 request IDs. All 9 are in status "MONITORING" and expire after
So no expired certificate.

Number of certificates and requests being tracked: 9.
Request ID '20150313092456':
     status: MONITORING
     stuck: no
     key pair storage:
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=BIOINF.LOCAL
     subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
     expires: 2017-03-13 09:24:56 UTC
     key usage:
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes

[ more snip ]
    > Unfortunately when trying to run any ipa command:
    > [root@lead ~]# ipa service-find lead.bioinf.local
    > ipa: ERROR: cert validation failed for
    > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
    > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json':
    > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.

Note that the subject of the certmonger-tracked certificate is different from the subject reported in the error. This looks like a default mod_ssl-generated certificate to me. Did you tweak your Apache config?
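
Added example, not part of the original message and not FreeIPA or certmonger code: a shell sketch of the comparison the reply makes, checking whether the subject and issuer the web server presents match any certificate in `getcert list` output. The function names are hypothetical, and the sample output and served-certificate DNs are constructed, since the subject in the thread's error message is cut off.

```shell
#!/bin/sh
# Constructed sample in the layout `getcert list` prints in the thread.
sample_getcert() {
cat <<'EOF'
Request ID '20150313092456':
     status: MONITORING
     issuer: CN=Certificate Authority,O=BIOINF.LOCAL
     subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
EOF
}

# Print "id|subject|issuer" for each request read from stdin.
tracked_certs() {
  awk -v q="'" '
    /^Request ID/     { if (id != "") print id "|" s "|" i
                        split($0, p, q); id = p[2]; s = i = "" }
    /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); s = $0 }
    /^[ \t]*issuer:/  { sub(/^[ \t]*issuer:[ \t]*/, "");  i = $0 }
    END               { if (id != "") print id "|" s "|" i }'
}

# Canonical DN: strip openssl's "subject="/"issuer=" prefix and spacing,
# lowercase, sort the RDNs. Naive split: escaped commas are not handled.
normalize_dn() {
  printf '%s\n' "$1" |
    sed -e 's/^subject= *//' -e 's/^issuer= *//' -e 's/ *= */=/g' -e 's/ *, */,/g' |
    tr '[:upper:]' '[:lower:]' | tr ',' '\n' | LC_ALL=C sort | paste -sd, -
}

# Usage: getcert list | check_served "<served subject>" "<served issuer>"
# Prints the matching request ID (returns 0) or a diagnosis (returns 1).
check_served() {
  want_s=$(normalize_dn "$1"); want_i=$(normalize_dn "$2")
  hit=$(tracked_certs | while IFS='|' read -r id subj iss; do
    if [ "$(normalize_dn "$subj")" = "$want_s" ] &&
       [ "$(normalize_dn "$iss")" = "$want_i" ]; then echo "$id"; fi
  done)
  if [ -n "$hit" ]; then echo "tracked: $hit"; return 0; fi
  [ "$want_s" = "$want_i" ] && self=", self-issued" || self=""
  echo "untracked$self"; return 1
}

# Constructed served-certificate DNs. Live values would come from:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null |
#     openssl x509 -noout -subject -issuer
sample_getcert | check_served 'subject=O = BIOINF.LOCAL, CN = lead.bioinf.local' \
  'issuer=O = BIOINF.LOCAL, CN = Certificate Authority' || :
selfsigned='CN=lead.bioinf.local,O=SomeOrganization'
sample_getcert | check_served "$selfsigned" "$selfsigned" || :
```

An "untracked" result means the server is presenting a certificate that certmonger is not renewing, so a healthy `getcert list` says nothing about the certificate clients actually see.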

