On 08/02/2016 03:17 PM, Ian Harding wrote:

I have been using FreeIPA for a while in our network with 6 replicas and
it's been working great.  I seem to have made a wee mistake though and
I'd appreciate some help.

I did this:


on one server because I had a new cert for our internal domain and I
thought it might be nice to use the same cert for all our internal web

It worked fine but now when I'm on that server I get
SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands.  Is there any way I
can roll this back, or make it work as is?



Hi Ian,

if the certificate that you installed was issued by a CA not known by IPA (let's call it the issuer), then you need to add this issuer cert first using:
ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
kinit admin

You can check that the issuer cert is properly installed in /etc/httpd/alias and /etc/ipa/nssdb with:
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/ipa/nssdb
where it should appear with C,, flags.

Hope this helps,
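
The check described in the reply above, as an added example that is not part of the original message: a shell helper that reads `certutil -L` output and confirms the issuer nickname carries the `C,,` trust flags. The function names, the nicknames and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify an issuer nickname in `certutil -L` output.
# On a server:  certutil -L -d /etc/httpd/alias | check_issuer_trust "nickname"

# Print the trust flags for nickname $1 from `certutil -L` output on stdin.
# Nicknames may contain spaces, so the flags are taken as the last column.
trust_flags_for() {
    awk -v want="$1" '
        NF < 2 { next }                       # blank and single-column lines
        {
            flags = $NF
            name = $0
            sub(/ +[^ ]+ *$/, "", name)       # drop the trust-flags column
            sub(/^ +/, "", name)              # drop leading padding
            if (name == want) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Return 0 if nickname $1 has flags $2 (default "C,," as in the reply),
# 1 if it is present with other flags, 2 if it is absent. Reads stdin.
check_issuer_trust() {
    expected="${2:-C,,}"
    if ! flags=$(trust_flags_for "$1"); then
        echo "MISSING: $1"; return 2
    fi
    if [ "$flags" = "$expected" ]; then
        echo "OK: $1 $flags"; return 0
    fi
    echo "WRONG FLAGS: $1 has '$flags', expected '$expected'"; return 1
}

# Constructed sample of `certutil -L` output (not taken from a real server).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Internal Issuer                                      C,,
Old Issuer                                                   ,,
EOF
}

sample_listing | check_issuer_trust "Example Internal Issuer"
sample_listing | check_issuer_trust "Old Issuer" || true
```

Run the same check against both /etc/httpd/alias and /etc/ipa/nssdb, since the reply expects the issuer in each database.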
