Took a look at the dogtag logs, the debug log only shows the following
every time I run ipa-replica-prepare.
[27/Oct/2016:12:55:02][http-9444-1]: CMSServlet: curDate=Thu Oct 27 12:55:02 EDT 2016 id=caProfileSubmitSSLClient time=10
The other logs don't appear to have anything.
I tried to run ipa cert-request on one of the servers and get:
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
I've checked that the cert is in /etc/httpd/alias, /etc/pki/nssdb,
/etc/dirsrv/slapd-EXAMPLE-COM, and /etc/dirsrv/slapd-PKI-IPA.
Is there anywhere else I would need to add the CA cert?
On Thu, Oct 27, 2016 at 5:23 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Joshua Ruybal wrote:
>> While trying to run IPA replica prepare with debug, we see an
>> unexplained failure.
>> Debug seems to show the process running smoothly, then I see:
>> "Certificate issuance failed".
>> Looking at previous mail-archives, I see that someone has run into this
>> before, however all permissions on caIPAserviceCert.cfg are correct (the
>> solution for him).
>> Is there any method to get more details on the failure from
> I'd check the dogtag logs. This error is thrown when no certificate is
> issued by the CA.
> There is no way other than instrumenting the code to get more details
> about the error from ipa-replica-prepare.
*Joshua Ruybal | Systems Engineer*