Hi,

In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate Authority, and this file may be outdated. Running ipa-certupdate may fix your issue. See [1]


If it doesn't, you can start by identifying which certificate expired with
$ sudo getcert list | egrep -e 'expires|Request ID|subject'

HTH,
Flo

[1] https://pagure.io/freeipa/issue/6375

On 03/07/2017 04:14 AM, barry...@gmail.com wrote:

Creating SSL certificate for the Directory Server
ipa         : ERROR    cert validation failed for "CN=central.ABC.com,O=ABC.COM"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to
'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to
'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 361, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
    raise e
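
Added example, not part of the original thread: a shell helper that goes one step further than the egrep filter in the reply and prints only the certmonger tracking requests whose `expires:` value is already in the past. The function names and the sample `getcert list` output are constructed for illustration; it assumes the `expires: YYYY-MM-DD HH:MM:SS UTC` form that getcert prints.

```shell
#!/bin/sh
# Usage on an IPA server:  sudo getcert list | expired_requests
# $1 (optional) is the reference time, "YYYY-MM-DD HH:MM:SS" in UTC; default is now.
expired_requests() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" '
        /^Request ID/ {
            # Start of a new tracking entry: the ID sits between single quotes.
            split($0, parts, "\047")
            id = parts[2]
            subject = ""
        }
        /^[ \t]*subject:/ {
            subject = $0
            sub(/^[ \t]*subject:[ \t]*/, "", subject)
        }
        /^[ \t]*expires:/ {
            notafter = $0
            sub(/^[ \t]*expires:[ \t]*/, "", notafter)
            sub(/[ \t]*UTC[ \t]*$/, "", notafter)
            # Timestamps in this form sort lexically, so a string compare works.
            if (notafter < now)
                printf "%s\t%s\t%s\n", id, notafter, subject
        }
    '
}

# Constructed sample input (not real output from the poster's system).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150101000001':
    status: CA_UNREACHABLE
    subject: CN=central.ABC.com,O=ABC.COM
    expires: 2017-02-01 00:00:00 UTC
Request ID '20150101000002':
    status: MONITORING
    subject: CN=CA Audit,O=ABC.COM
    expires: 2018-12-31 23:59:59 UTC
EOF
}

# Demo: evaluate the sample as of the date of the original report.
sample_getcert_output | expired_requests '2017-03-07 04:14:00'
```

Each output line is tab-separated: request ID, expiry time, subject.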



