Forgot to add.

After some digging I saw the CA needed to be added to the nssdbs.

I've added the CA cert to:

[root@ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a -i fullchain.pem
[root@ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a -i fullchain.pem




On Mon, Oct 17, 2016 at 11:32 AM, Joshua Ruybal <jruy...@owneriq.com> wrote:

> Hi,
>
> We've recently tried to change our https web certs for our IPA servers
> following the instructions listed here:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> The web gui is successfully using https now, however we are having several
> other problems.
>
> Enrollment now fails for new hosts, and we're unable to install replicas.
>
> Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> Any advice on this?
>
> ipa-server 3.0.0
> CentOS 6.7
>
> Thanks,
>
> --Josh
>



-- 

*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823 <8668702293x823> c: (206) 724-4549 <2067244549>
e: jruy...@owneriq.com
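
A check for the step described in the message above, added here as an example and not part of the original post: it reads `certutil -L` output and reports whether a CA nickname carries the "C" (trusted CA for SSL server certificates) flag, which is the trust that SEC_ERROR_UNTRUSTED_ISSUER says is missing. The function names and the sample listing are constructed for illustration; only the nickname 'NewCA' and the database paths come from the message.

```shell
#!/bin/sh
# Added example: check the SSL trust flags of a CA nickname in `certutil -L` output.
# On a live host:  certutil -L -d /etc/httpd/alias | ca_trusted_for_ssl 'NewCA'
#                  certutil -L -d /etc/pki/nssdb   | ca_trusted_for_ssl 'NewCA'

# Print the SSL trust field (first of the three) for nickname $1; listing on stdin.
# Exits non-zero when the nickname is not in the listing.
nss_ssl_trust() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF                            # last column: SSL,S/MIME,JAR/XPI
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)  # strip the flags column
            if (name == nick) { split(flags, f, ","); print f[1]; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# Return 0 = trusted CA for SSL server certs ("C" flag present),
#        1 = nickname present but not trusted for SSL,
#        2 = nickname missing from the database listing.
ca_trusted_for_ssl() {
    _flags=$(nss_ssl_trust "$1") || return 2
    case "$_flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample listing (not taken from the poster's servers).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NewCA                                                        CT,C,C
Server-Cert                                                  u,u,u
Old Internal CA                                              ,,
'
```

Running the check against every NSS database a service reads shows which one is still missing the CA or its trust flags.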
