On 08/02/2016 03:17 PM, Ian Harding wrote:
Hello!

I have been using FreeIPA for a while in our network with 6 replicas and
it's been working great.  I seem to have made a wee mistake though and
I'd appreciate some help.

I did this:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

on one server because I had a new cert for our internal domain and I
thought it might be nice to use the same cert for all our internal web
services.

It worked fine but now when I'm on that server I get
SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands.  Is there any way I
can roll this back, or make it work as is?

Thanks!

-Ian

Hi Ian,

if the certificate that you installed was issued by a CA not known by IPA (let's call it the issuer), then you need to add this issuer cert first using:
ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
kinit admin
ipa-certupdate

You can check that the issuer cert is properly installed in /etc/httpd/alias and /etc/ipa/nssdb with:
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/ipa/nssdb
where it should appear with the C,, flags.

Hope this helps,
Flo.
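The check Flo describes (confirming that the issuer's nickname shows the C,, trust flags in `certutil -L` output) is easy to automate. The script below is an added example, not code from the thread or from FreeIPA: it parses a `certutil -L` listing and reports whether a given nickname is flagged as a trusted CA for SSL. The listing and the nicknames ("Corp Issuing CA", "IPA.EXAMPLE.COM IPA CA") are constructed sample data; on a real server you would feed it the output of `certutil -L -d /etc/httpd/alias` and `certutil -L -d /etc/ipa/nssdb` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a CA nickname
# carries the "C" flag in the SSL column of a certutil -L listing.

# Constructed sample of `certutil -L -d /etc/ipa/nssdb` output; the
# nicknames are made up for this example.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.EXAMPLE.COM IPA CA                                       CT,C,C
Corp Issuing CA                                              C,,
Server-Cert                                                  u,u,u
'

# trust_flags_for LISTING NICKNAME
# Print the trust-attribute column for NICKNAME (nicknames may contain
# spaces, so the trust column is taken as the last whitespace-separated
# field and everything before it is the nickname). Prints nothing if the
# nickname is absent.
trust_flags_for() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        # skip the two header lines and blank lines
        /^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME/ || NF < 2 { next }
        {
            trust = $NF
            # strip the trust column and the whitespace before it
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")
            if ($0 == nick) { print trust; exit }
        }'
}

# is_trusted_ssl_ca LISTING NICKNAME
# Return 0 when the SSL trust flags (first comma-separated field, e.g. the
# "C" in "C,,") mark NICKNAME as a trusted CA, 1 otherwise or if missing.
is_trusted_ssl_ca() {
    flags=$(trust_flags_for "$1" "$2")
    [ -n "$flags" ] || return 1
    ssl=${flags%%,*}
    case $ssl in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demonstration on the constructed sample. On a real server replace
# "$SAMPLE_LISTING" with "$(certutil -L -d /etc/ipa/nssdb)".
for nick in 'Corp Issuing CA' 'Server-Cert' 'Missing CA'; do
    if is_trusted_ssl_ca "$SAMPLE_LISTING" "$nick"; then
        echo "$nick: trusted SSL CA ($(trust_flags_for "$SAMPLE_LISTING" "$nick"))"
    else
        echo "$nick: NOT flagged as a trusted SSL CA"
    fi
done
```

Run it against both NSS databases Flo names; a nickname that is present but shows `u,u,u` or `,,` rather than `C,,` (or `CT,C,C`) is the symptom that would leave the ipa client reporting SEC_ERROR_UNTRUSTED_ISSUER.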

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
