Re: [Freeipa-users] Problems after install 3rd Party Certs

2016-10-17 Thread Joshua Ruybal
Forgot to add.

After some digging I saw the CA needed to be added to the nssdbs.

I've added the CA cert to:

[root@ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a -i fullchain.pem
[root@ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a -i fullchain.pem




On Mon, Oct 17, 2016 at 11:32 AM, Joshua Ruybal wrote:

> Hi,
>
> We've recently tried to change our https web certs for our IPA servers
> following the instructions listed here:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> The web gui is successfully using https now, however we are having several
> other problems.
>
> Enrollment now fails for new hosts, and we're unable to install replicas.
>
> Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> Any advice on this?
>
> ipa-server 3.0.0
> CentOS 6.7
>
> Thanks,
>
> --Josh
>



-- 


*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823 c: (206) 724-4549
e: jruy...@owneriq.com


  

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
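
A check that could follow the certutil -A commands in the message above, as an added example that is not part of the original post: it parses `certutil -L` output and reports whether a nickname carries the `C` flag (trusted CA for issuing SSL server certificates) in its SSL trust field. The function names and the sample listing are constructed for illustration.

```shell
# Added example, not from the original thread.
# Both functions read a `certutil -L -d <db>` listing on stdin.

# Constructed sample listing in the layout certutil -L prints.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NewCA                                                        CT,C,C
Example Old CA                                               ,,
Server-Cert                                                  u,u,u'

# Print the SSL trust field for nickname $1 (nicknames may contain spaces).
# Exit status 2 when the nickname is not in the listing.
ssl_trust_of() {
    awk -v nick="$1" '
        # Data rows end in three comma-separated flag groups, e.g. CT,C,C
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)  # drop the trust column
            sub(/^[ \t]+/, "", line)               # trim leading blanks
            if (line == nick) {
                split(trust, f, ",")
                print f[1]                          # SSL group only
                found = 1
                exit
            }
        }
        END { if (!found) exit 2 }
    '
}

# 0 = nickname is a trusted CA for SSL server certs (capital C present)
# 1 = nickname present but lacks C; 2 = nickname absent
ca_trusted_for_ssl() {
    _flags=$(ssl_trust_of "$1") || return 2
    case "$_flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# On a real host, run once per database named in the message, e.g.:
#   certutil -L -d /etc/httpd/alias | ca_trusted_for_ssl NewCA; echo $?
#   certutil -L -d /etc/pki/nssdb   | ca_trusted_for_ssl NewCA; echo $?
```

A status of 1 or 2 for any database a service reads means that service has no trusted path to the new issuer.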

[Freeipa-users] Problems after install 3rd Party Certs

2016-10-17 Thread Joshua Ruybal
Hi,

We've recently tried to change our https web certs for our IPA servers
following the instructions listed here:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

The web gui is successfully using https now, however we are having several
other problems.

Enrollment now fails for new hosts, and we're unable to install replicas.

Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.

Any advice on this?

ipa-server 3.0.0
CentOS 6.7

Thanks,

--Josh