Although I had previously been using a self-signed certificate, I
recently started using a cert signed by InCommon CA on my FreeIPA
master (still on IPA 3.0.0 at this time).
I added the certificate and intermediate certificates to
/etc/ssl/certs and the certificate database in
/etc/dirsrv/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing
to the new certificate for NSSNickname.
I can log into the web UI, but when I attempt to delete a host I get
the following error:

    Some entries were not deleted

Under "Show details":

    cannot connect to
    (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

Likewise, if I attempt to delete a host using the CLI I get an error message:

    # ipa host-del host-01.example.com
    ipa: ERROR: cert validation failed for "CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml

If I enable the verbose flag -vv, I see that it is making an HTTP POST
request to https://freeipa.example.com/ipa/xml.
It looks like Firefox on my local client trusts the certificate, but
that the server itself does not trust its own certificate when
connecting to itself. Can anyone advise on how I can address this?
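
A diagnostic sketch for the error quoted above, added here as an example and not part of the original post or of FreeIPA: it parses `certutil -L -d <dbdir>` output and reports whether a given CA nickname is an SSL trust anchor in that NSS database. The listings and the nicknames "Example Root CA" and "Example Intermediate CA" are constructed; which database the failing client reads is not stated in the post, so the check would be run against each one in use.

```python
import re

# One line per certificate: "<nickname>   <SSL>,<S/MIME>,<code signing>".
ENTRY = re.compile(r"^(.*\S)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$")


def parse_listing(text):
    """Map nickname -> SSL trust flags from `certutil -L -d <dbdir>` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # the two header lines and blank lines do not match
            entries[m.group(1)] = m.group(2)
    return entries


def ca_status(text, ca_nickname):
    """Classify how one database treats the CA stored under ca_nickname."""
    entries = parse_listing(text)
    if ca_nickname not in entries:
        return "missing"
    # 'C' in the SSL position marks a CA trusted to issue server certificates;
    # lowercase 'c' or empty flags mean the cert is stored but is no anchor.
    return "trusted" if "C" in entries[ca_nickname] else "present-untrusted"


HEADER = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

"""

# Constructed listing: root imported with CA trust, intermediate without.
DB_TRUSTED = HEADER + """\
Server-Cert                                                  u,u,u
Example Root CA                                              CT,C,C
Example Intermediate CA                                      ,,
"""

# Constructed listing: root imported, but with no trust flags set.
DB_UNTRUSTED = HEADER + """\
Server-Cert                                                  u,u,u
Example Root CA                                              ,,
"""

if __name__ == "__main__":
    for name, db in (("trusted", DB_TRUSTED), ("untrusted", DB_UNTRUSTED)):
        print(name, ca_status(db, "Example Root CA"))
```
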