Took a look at the dogtag logs; the debug log only shows the following every time I run ipa-replica-prepare:

[27/Oct/2016:12:55:02][http-9444-1]: CMSServlet: curDate=Thu Oct 27 12:55:02 EDT 2016 id=caProfileSubmitSSLClient time=10

The other logs don't appear to have anything.

I tried to run ipa cert-request on one of the servers and get: (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

I've checked that the cert is in /etc/httpd/alias, /etc/pki/nssdb, /etc/dirsrv/slapd-EXAMPLE-COM, and /etc/dirsrv/slapd-PKI-IPA.

Is there anywhere else I would need to add the CA cert?

On Thu, Oct 27, 2016 at 5:23 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Joshua Ruybal wrote:
>
>> While trying to run IPA replica prepare with debug, we see an
>> unexplained failure.
>>
>> Debug seems to show the process running smoothly, then I see:
>> "Certificate issuance failed".
>>
>> Looking at previous mail-archives, I see that someone has run into this
>> before, however all permissions on caIPAserviceCert.cfg are correct (the
>> solution for him).
>>
>> Is there any method to get more details on the failure from
>> ipa-replica-prepare?
>>
>
> I'd check the dogtag logs. This error is thrown when no certificate is
> issued by the CA.
>
> There is no way other than instrumenting the code to get more details
> about the error from ipa-replica-prepare.
>
> rob

--
Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruy...@owneriq.com