Hey,

Here is the output;

Server-Cert u,u,u

I am using nss-3-13.3-6

I am using the IPA CA.

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
> Sent: Monday, April 08, 2013 12:30 PM
> To: Nathan Kinder
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt

Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. To check if you are using MD5 certificate signatures, use this command to examine the certificates -

    certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ -n Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

--
Jatin Nansi

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
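The MD5 check suggested in the thread can be run across every certificate in an NSS database. The script below is an added example, not part of the original messages. Its function names are hypothetical, the SAMPLE_* text is constructed, and it assumes certutil's pretty-printed "Signature Algorithm:" line.

```shell
#!/bin/sh
# Added example: find certificates in an NSS database that are signed with MD5.
# Function names and all SAMPLE_* text are constructed for illustration.

# Read `certutil -L -d DIR` output on stdin; print one nickname per line.
# The trailing trust-flags column (e.g. "u,u,u", "CT,C,C") is stripped.
list_nicknames() {
    sed -n 's/[[:space:]]\{1,\}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//p'
}

# Read `certutil -L -d DIR -n NICK` output on stdin; print MD5, OK or UNKNOWN.
# Assumes the pretty-printed "Signature Algorithm: ..." line certutil emits.
classify_sigalg() {
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    case "$alg" in
        "")    echo "UNKNOWN" ;;
        *MD5*) echo "MD5" ;;
        *)     echo "OK" ;;
    esac
}

# Walk every certificate in a real database (needs certutil installed).
audit_nssdb() {
    certutil -L -d "$1" | list_nicknames | while IFS= read -r nick; do
        result=$(certutil -L -d "$1" -n "$nick" </dev/null | classify_sigalg)
        printf '%s: %s\n' "$nick" "$result"
    done
}

SAMPLE_LIST='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Server-Cert                                  u,u,u
EXAMPLE.COM IPA CA                           CT,C,C'
SAMPLE_MD5='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption'
SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

if [ -d "${1:-}" ]; then
    audit_nssdb "$1"            # e.g. the slapd-DOMAIN-CA directory
else
    printf '%s\n' "$SAMPLE_LIST" | list_nicknames
    printf 'MD5 sample: %s\n' "$(printf '%s\n' "$SAMPLE_MD5" | classify_sigalg)"
    printf 'SHA-256 sample: %s\n' "$(printf '%s\n' "$SAMPLE_SHA256" | classify_sigalg)"
fi
```

Run with a database directory as the only argument to audit it; with no argument it only processes the constructed samples.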