Let's tackle these one at a time.

Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': 'IPA', 'cert-database': '/etc/httpd/alias', 'cert-postsave-command': '/usr/libexec/ipa/certmonger/restart_httpd'}

Did you provide your own certificate for the web server (e.g. from Let's Encrypt)? What is the value of NSSNickname in /etc/httpd/conf.d/nss.conf?

Let me get back to you on the template subjects not matching. I want to run this past the dogtag team to see if my test is correct or not. It could be a red herring.

For all of the "Error looking up CA entry in IPA <UUID>: no matching entry found":

This means that a subCA is defined in dogtag that is not defined in IPA. This may not be a problem but it is definitely strange. What this test does is compare the contents of ou=authorities,ou=ca,o=ipaca to those in cn=cas,cn=ca,dc=example,dc=com. I'll run this one past the CS team too. In the meantime can you provide some of the contents of those entries that are in dogtag?

$ ldapsearch -x -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca > /tmp/cas.ldif

Validation of /var/lib/ipa/ra-agent.pem failed: Command '/usr/bin/openssl verify /var/lib/ipa/ra-agent.pem' returned non-zero exit status 2

According to the verify(1) man page, 2 == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, which suggests that the IPA CA is not in the global cert bundle. This should fix it:

# ipa-certupdate

Thanks for helping out!

rob
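The comparison Rob describes (Dogtag's ou=authorities,ou=ca,o=ipaca against IPA's cn=cas,cn=ca,<suffix>) can be reproduced offline from an LDIF export such as the /tmp/cas.ldif produced above. The script below is an added example written for this page; it is not code from FreeIPA, Dogtag or ipa-healthcheck. It assumes the Dogtag authority entries carry an authorityID and authorityDN attribute and the IPA entries an ipaCaId and ipaCaSubjectDn attribute (these are assumptions, verify them against a real export), and the two LDIF snippets are constructed sample data with made-up UUIDs, not output from a real server.

```python
"""Compare Dogtag lightweight CA entries with IPA's CA entries.

Added example, not FreeIPA/Dogtag/ipa-healthcheck code. Attribute names
(authorityID, authorityDN, ipaCaId, ipaCaSubjectDn) and both LDIF samples
are assumptions/constructed data for illustration.
"""
import base64
from typing import Dict, List, Optional

# Constructed sample: what "ldapsearch -b ou=authorities,ou=ca,o=ipaca" might
# return. The second entry has no counterpart on the IPA side.
DOGTAG_LDIF = """\
dn: cn=11111111-2222-3333-4444-555555555555,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 11111111-2222-3333-4444-555555555555
authorityID: 11111111-2222-3333-4444-555555555555
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE
description: Main CA

dn: cn=66666666-7777-8888-9999-000000000000,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 66666666-7777-8888-9999-000000000000
authorityID: 66666666-7777-8888-9999-000000000000
authorityDN: CN=Orphan Sub CA,O=EXAMPLE.COM
authorityParentID: 11111111-2222-3333-4444-555555555555
authorityEnabled: TRUE
description: Sub CA only known to Dogtag
"""

# Constructed sample: the matching IPA side under cn=cas,cn=ca,dc=example,dc=com.
IPA_LDIF = """\
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
objectClass: ipaca
cn: ipa
ipaCaId: 11111111-2222-3333-4444-555555555555
ipaCaSubjectDn: CN=Certificate Authority,O=EXAMPLE.COM
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folds continuation lines, decodes '::' base64
    values, lowercases attribute names, splits entries on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def first(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    vals = entry.get(attr.lower())
    return vals[0] if vals else None


def compare_cas(dogtag_ldif: str, ipa_ldif: str) -> Dict[str, List[str]]:
    """Index both sides by CA UUID and report IDs present on only one side,
    plus IDs whose subject DN differs (naive case-insensitive string compare;
    real DN comparison would need normalisation)."""
    dogtag = {first(e, "authorityID"): e for e in parse_ldif(dogtag_ldif)
              if first(e, "authorityID")}
    ipa = {first(e, "ipaCaId"): e for e in parse_ldif(ipa_ldif)
           if first(e, "ipaCaId")}
    report: Dict[str, List[str]] = {
        "missing_in_ipa": [], "missing_in_dogtag": [], "subject_mismatch": []}
    for aid, entry in dogtag.items():
        if aid not in ipa:
            report["missing_in_ipa"].append(aid)
        elif (first(entry, "authorityDN") or "").lower() != \
                (first(ipa[aid], "ipaCaSubjectDn") or "").lower():
            report["subject_mismatch"].append(aid)
    report["missing_in_dogtag"] = [c for c in ipa if c not in dogtag]
    return report


if __name__ == "__main__":
    for kind, ids in compare_cas(DOGTAG_LDIF, IPA_LDIF).items():
        for ca_id in ids:
            print(f"{kind}: {ca_id}")
```

Point the two constants at real exports (one ldapsearch per base DN, with the IPA base adjusted to your suffix) to see which authorityID values Dogtag knows that IPA does not; an ID in missing_in_ipa corresponds to one "Error looking up CA entry in IPA <UUID>" line.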