On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great. I seem to have made a wee mistake though and
>> I'd appreciate some help.
>> I did this:
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands. Is there any way I
>> can roll this back, or make it work as is?
> Hi Ian,
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
> where it should appear with C,, flags
> Hope this helps,
I seem to have created a problem here.
First some background.
freeipa-sea.bpt.rocks suffered LDAP database corruption on a messy
reboot. I tried to delete it from the freeipa ecosystem but did a poor
job, then rebuilt it with the same name and IP address.
Replication issues ensued.
I chose this inopportune time to install the ssl certificate as
I have spent today deleting old replication agreements and
reestablishing them which seems to have worked on most of the replicas.
However, I see this now on most of them:
[root@bpt-nyc1-nfs ianh]# ipa-csreplica-manage list
Directory Manager password:
freeipa-sea.bpt.rocks: CA not configured
Is this related to the original deletion or the subsequent addition of
the certificate? I installed the replicas with their own CA.
I have added the certificate root to the replicas as mentioned above.
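
The verification step from the quoted reply (the issuer certificate should be listed with C,, flags in /etc/httpd/alias and /etc/ipa/nssdb), as an added shell example that is not part of the original thread. The nickname "Example Issuer CA", the sample listing and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example. SAMPLE_LISTING is constructed `certutil -L` output; the
# nickname "Example Issuer CA" and all function names are hypothetical.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Issuer CA                                            C,,
Server-Cert                                                  u,u,u
'

# Print the trust attributes of nickname $1 from a `certutil -L` listing on
# stdin. Nicknames may contain spaces, so the flags are the last column.
trust_flags_for() {
    awk -v nick="$1" '
        {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)  # strip the flags column
            sub(/^[ \t]+/, "", name)               # strip leading padding
            if (name == nick) { print flags; found = 1; exit }
        }
        END { exit !found }
    '
}

# Return 0 if the SSL field (first of SSL,S/MIME,JAR/XPI) contains "C",
# 1 if the nickname is listed without it, 2 if the nickname is absent.
has_ssl_ca_trust() {
    local flags ssl
    flags=$(trust_flags_for "$1") || return 2
    ssl=${flags%%,*}
    case "$ssl" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check both databases named in the reply; $1 is the nickname passed to -n.
check_ipa_dbs() {
    local db rc=0
    for db in /etc/httpd/alias /etc/ipa/nssdb; do
        if certutil -L -d "$db" | has_ssl_ca_trust "$1"; then
            echo "OK: $db trusts '$1' as an SSL CA"
        else
            echo "FAIL: $db lacks SSL CA trust for '$1'"; rc=1
        fi
    done
    return "$rc"
}
```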