[email protected] wrote: > same as as replica gpg making.////...Found this cert 2015 expired > only,,? but I follow manual here: > > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1 > <https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1> >
If you are using 3rd party certs elsewhere then why not provide 3rd party certs for this replica as well? It seems like you aren't using the IPA-provided CA at all given its certs expired in 2015. rob > > It imported as EXT-CA as Alias rather than sever cert by default...Is > there anywhere pointing wrong ? > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > *.ABC.com ,, > EXT-CA CT,C,C > ABC.COM <http://ABC.COM> IPA > CA CT,,C > Server-Cert u,u,u > > > Request ID '20160516111257': > status: CA_UNREACHABLE > ca-error: Server at https://central.ABC.com/ipa/xml failed > request, will retry: 907 (RPC failed at server. cannot connect to > 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': > (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=ABC.COM <http://ABC.COM> > subject: CN=central.ABC.com <http://central.ABC.com>,O=ABC.COM > <http://ABC.COM> > expires: 2015-11-23 08:42:52 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA > track: yes > auto-renew: yes > > 2017-03-07 19:24 GMT+08:00 Barry <[email protected] > <mailto:[email protected]>>: > > Same as before I already follow part < 4.1 as below: > > > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1 > > <https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1> > > comdo cert is new cert / > It seem I m nearly right ....HTTP server side can read trust cert > BUT seem dirsrv still lacking of a ca cert to verify it ./.. > but ca.crt changed to new already and imported > > ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert: > CERT_VerifyCertificateNow: verify certificate failed for cert > *.ABC.com - COMODO CA Limited of family > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error > -8179 - Peer's Certificate issuer is not recognized.) > > > 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <[email protected] > <mailto:[email protected]>>: > > Hi, > > In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as > Certificate Authority, and this file may be outdated. Running > ipa-certupdate may fix your issue. See [1] > > If it doesn't, you can start by identifying which certificate > expired with > $ sudo getcert list | egrep -e 'expires|Request ID|subject' > > HTH, > Flo > > [1] https://pagure.io/freeipa/issue/6375 > <https://pagure.io/freeipa/issue/6375> > > On 03/07/2017 04:14 AM, [email protected] > <mailto:[email protected]> wrote: > > gpg > > Creating SSL certificate for the Directory Server > ipa : ERROR cert validation failed for > "CN=central.ABC.com <http://central.ABC.com> > <http://central.ABC.com>,O=ABC.COM <http://ABC.COM> > <http://ABC.COM>" > ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has > expired.) > preparation of replica failed: cannot connect to > 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient > <https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient>': > (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired. > cannot connect to > 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient > <https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient>': > (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired. > File "/usr/sbin/ipa-replica-prepare", line 490, in <module> > main() > > File "/usr/sbin/ipa-replica-prepare", line 361, in main > export_certdb(api.env.realm, ds_dir, dir, passwd_fname, > "dscert", > replica_fqdn, subject_base) > > File "/usr/sbin/ipa-replica-prepare", line 150, in > export_certdb > raise e > > > > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
