Although I had previously been using a self-signed certificate, I recently started using a cert signed by InCommon CA on my FreeIPA master (still on IPA 3.0.0 at this time).
I added the certificate and intermediate certificates to /etc/ssl/certs and the certificate database in /etc/dirsrc/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing to the new certificate for NSSNickname.

I can log into the web UI, but when I attempt to delete a host I get the following error:

    Operations Error
    Some entries were not deleted
    Show details

Under "Show details":

    cannot connect to 'https://freeipa.example.com:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

Likewise, if I attempt to delete a host using the CLI I get an error message:

    # ipa host-del host-01.example.com
    ipa: ERROR: cert validation failed for "CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml

If I enable the verbose flag -vv, I see that it is making an HTTP POST request to https://freeipa.example.com/ipa/xml.

It looks like Firefox on my local client trusts the certificate, but that the server itself does not trust its own certificate when connecting to itself.

Can anyone advise on how I can address this issue?