In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as the Certificate Authority, and this file may be outdated. Running ipa-certupdate may fix your issue. See [1].

If it doesn't, you can start by identifying which certificate expired with:
$ sudo getcert list | egrep -e 'expires|Request ID|subject'


[1] https://pagure.io/freeipa/issue/6375

On 03/07/2017 04:14 AM, barry...@gmail.com wrote:

Creating SSL certificate for the Directory Server
ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>

  File "/usr/sbin/ipa-replica-prepare", line 361, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
    raise e
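
Added example, not part of the original thread: a shell filter that takes the `getcert list` output suggested in the reply and prints only the tracked certificates whose `expires:` time is already past. The sample output, its request IDs and dates are constructed, and the `YYYY-MM-DD HH:MM:SS UTC` timestamp layout is assumed.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output (request IDs and dates are made up).
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150301000001':
    status: CA_UNREACHABLE
    CA: IPA
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=central.ABC.com,O=ABC.COM
    expires: 2017-02-20 10:00:00 UTC
Request ID '20160815000002':
    status: MONITORING
    CA: IPA
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=IPA RA,O=ABC.COM
    expires: 2018-08-05 09:30:00 UTC
EOF
}

# expired_certs [REFERENCE]
# Reads `getcert list` output on stdin and prints "request-id<TAB>expiry<TAB>subject"
# for every certificate that expired before REFERENCE (default: now, in UTC).
# Timestamps of the form "YYYY-MM-DD HH:MM:SS" sort lexicographically, so a
# string comparison is sufficient and no date arithmetic is needed.
expired_certs() {
    ref=${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}
    awk -v ref="$ref" '
        function report() {
            if (id != "" && exp_ts != "" && (exp_ts "") < (ref ""))
                print id "\t" exp_ts "\t" subject
            id = ""; exp_ts = ""; subject = ""
        }
        /^Request ID/     { report(); split($0, q, "\047"); id = q[2] }
        /^[ \t]*subject:/ { subject = $0; sub(/^[ \t]*subject:[ \t]*/, "", subject) }
        /^[ \t]*expires:/ { exp_ts = $2 " " $3 }
        END               { report() }
    '
}

# Demo on the constructed sample with a fixed reference time.
# On a live server: sudo getcert list | expired_certs
sample_getcert_output | expired_certs '2017-03-07 00:00:00'
```
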
