Thanks! 

So on the IPA server that is listed in the client's /etc/ipa/default file I ran:

# openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem /var/kerberos/krb5kdc/kdc.crt
/var/kerberos/krb5kdc/kdc.crt: O = DOMAIN.COM, CN = ipa-server.do.ma.in
error 18 at 0 depth lookup:self signed certificate
OK

Is that the command that you had in mind? It looks like it's OK.

Also, as Florence Blanc-Renaud suggested, I ran the `ipa-advise 
config-server-for-smart-card-auth > config.sh` command and ran it on all the 
IPA servers with the third-party external CA certs, and they ran successfully. 
Thanks Florence! I did not see any change after that. The only thing I hadn't 
done was change the Server-Cert permissions. The kinit command still fails with 
the DH verification error on the client even though the ticket is issued. 

I also added a CNAME for the OCSP server listed in the cert and pointed it to a 
real working IPA server instead of a retired one. 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
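An added check for the trust relationship the verify command above is probing; this is editor-supplied example code, not from the original post or from FreeIPA. It relies on openssl's exit status plus an explicit fingerprint lookup, because "error 18 at 0 depth lookup: self signed certificate" means openssl found a self-signed leaf that is not among the trusted CAs, and openssl 1.0.x still prints "OK" in that case. It assumes POSIX sh and the openssl CLI, and defaults to the two paths named in the post.

```shell
# Added example (not from the original post): is the KDC certificate anchored in
# the client's CA bundle? Uses exit status and fingerprints, not -verbose wording.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 if the certificate is self-signed (subject equals issuer), else 1.
# "error 18 at 0 depth lookup: self signed certificate" is what openssl
# reports when a self-signed leaf is not found among the trusted CAs.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# 0 if the certificate itself is one of the certificates in the bundle, else 1.
cert_in_bundle() {
    want=$(cert_fingerprint "$1")
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate, then compare fingerprints.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$2"
    found=1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        [ "$(cert_fingerprint "$f")" = "$want" ] && found=0
    done
    rm -rf "$dir"
    return $found
}

# 0 if the KDC cert chains to the bundle, 1 otherwise (defaults: paths from the post).
check_kdc_cert() {
    cert="${1:-/var/kerberos/krb5kdc/kdc.crt}"
    bundle="${2:-/var/lib/ipa-client/pki/kdc-ca-bundle.pem}"
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "verify: FAILED for $cert"
        return 1
    fi
    # openssl 1.0.x prints "OK" and exits 0 even after reporting error 18,
    # so a self-signed leaf must additionally be present in the bundle.
    if is_self_signed "$cert" && ! cert_in_bundle "$cert" "$bundle"; then
        echo "verify: $cert is self-signed and not in $bundle"
        return 1
    fi
    echo "verify: OK, $cert is trusted via $bundle"
}
```

Run `check_kdc_cert` on the IPA server; a return of 1 with the "self-signed and not in" message means the KDC certificate itself must be replaced or the bundle updated before PKINIT clients can validate it.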
