On 04/05/2017 01:17 AM, Chris Herdt wrote:
Although I had previously been using a self-signed certificate, I
recently started using a cert signed by InCommon CA on my FreeIPA
master (still on IPA 3.0.0 at this time).
I added the certificate and intermediate certificates to
/etc/ssl/certs and the certificate database in
/etc/dirsrc/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing
to the new certificate for NSSNickname.
I can log into the web UI, but when I attempt to delete a host I get
the following error:
Some entries were not deleted
Under "Show details":
cannot connect to
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
Likewise, if I attempt to delete a host using the CLI I get an error message:
# ipa host-del host-01.example.com
ipa: ERROR: cert validation failed for
"CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example
City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml
If I enable the verbose flag -vv, I see that it is making an HTTP POST
request to https://freeipa.example.com/ipa/xml.
It looks like Firefox on my local client trusts the certificate, but
that the server itself does not trust its own certificate when
connecting to itself. Can anyone advise on how I can address this
the certificate and intermediate certificates need to be added to all
the NSS databases used by FreeIPA. You can find instructions in the page
"Using 3rd part certificates for HTTP/LDAP > Procedure in IPA < 4.1" .
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project