On 08/02/2016 03:17 PM, Ian Harding wrote:
Hello!
I have been using FreeIPA for a while in our network with 6 replicas and
it's been working great. I seem to have made a wee mistake though and
I'd appreciate some help.
I did this:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
on one server because I had a new cert for our internal domain and I
thought it might be nice to use the same cert for all our internal web
services.
It worked fine but now when I'm on that server I get
SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands. Is there any way I
can roll this back, or make it work as is?
Thanks!
-Ian
Hi Ian,
if the certificate that you installed was issued by a CA not known by
IPA (let's call him the issuer), then you need to add this issuer cert
first using:
ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
kinit admin
ipa-certupdate
You can check that the issuer cert is properly installed in
/etc/httpd/alias and /etc/ipa/nssdb with:
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/ipa/nssdb
where it should appear with C,, flags.
Hope this helps,
Flo.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
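As an added example (not part of the thread, and not FreeIPA project code), the check Flo describes can be scripted: parse the listing that `certutil -L -d <dir>` prints and confirm the issuer's nickname carries the C flag in the SSL trust column. The sample listing, the nickname "Corp Issuer CA" and the directory argument are constructed for illustration; the column layout is the one certutil prints (nickname, then SSL,S/MIME,JAR/XPI trust flags).

```shell
#!/bin/sh
# Added example: verify an issuer CA is present in an NSS database listing
# with C (trusted CA) in the SSL trust column, as ipa-certupdate should leave it.
# SAMPLE_LISTING is constructed in the format of `certutil -L -d <dir>`;
# the nicknames in it are assumptions, not taken from the thread.

SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
Corp Issuer CA                                               C,,
Corp Issuer CA (stale)                                       ,,'

# Print the trust attribute string (e.g. "C,,") for nickname $1, reading a
# certutil -L listing from stdin. Prints nothing if the nickname is absent.
# Nicknames may contain spaces, so the flags are taken as the last column and
# everything before them is the nickname.
trust_flags_for() {
  awk -v nick="$1" '
    # only rows whose last column looks like "x,y,z" trust flags
    $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
      flags = $NF
      name = $0
      sub(/[ \t]+$/, "", name)          # drop trailing whitespace
      sub(/[ \t]+[^ \t]+$/, "", name)   # drop the flags column
      sub(/^[ \t]+/, "", name)          # drop leading whitespace
      if (name == nick) { print flags; exit }
    }'
}

# Return 0 if nickname $1 (listing on stdin) has C in the SSL column,
# i.e. it is trusted to issue server certificates; 1 otherwise.
is_trusted_issuer() {
  flags=$(trust_flags_for "$1")
  ssl=${flags%%,*}                      # first comma-separated field = SSL
  case "$ssl" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Run the check against a real NSS database directory on the IPA server,
# e.g. check_nssdb /etc/ipa/nssdb "Corp Issuer CA". Requires certutil.
check_nssdb() {
  certutil -L -d "$1" | is_trusted_issuer "$2"
}

# Demonstration on the constructed listing.
for n in 'Corp Issuer CA' 'Corp Issuer CA (stale)' 'Server-Cert' 'Missing CA'; do
  if printf '%s\n' "$SAMPLE_LISTING" | is_trusted_issuer "$n"; then
    echo "trusted issuer: $n"
  else
    echo "NOT a trusted issuer: $n"
  fi
done
```

On a server that was modified as in the thread, run `check_nssdb /etc/httpd/alias "<nickname>"` and `check_nssdb /etc/ipa/nssdb "<nickname>"` with the nickname passed to `ipa-cacert-manage install -n`; a non-zero exit in either database means the issuer is missing or was imported without the C flag, which is exactly the condition that produces SEC_ERROR_UNTRUSTED_ISSUER.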