Joseph, Matthew (EXP) wrote:
Hey,
Here is the output;
Server-Cert u,u,u
I am using nss-3-13.3-6
I am using the IPA CA.
The thing is, the IPA CA isn't there for some reason, on either side.
You should also have something like
EXAMPLE.COM IPA CA Ct,C,C
You might check the working master with something like:
certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-REALM
That will validate the cert trust. I'd suspect it will fail.
So you'd need to add the IPA CA.
certutil -A -n 'EXAMPLE.COM IPA CA' -d /etc/dirsrv/slapd-REALM -t CT,C,C -a -i /etc/ipa/ca.crt
This may address the symptom but how you ended up with the CA missing is
baffling.
rob
Matt
-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
Hey,
I'm still trying to figure out this error but I am getting nothing.
Anyone have any suggestions or ideas on why this is failing?
Matt
*From:*freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Joseph,
Matthew (EXP)
*Sent:* Monday, April 08, 2013 12:30 PM
*To:* Nathan Kinder
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install
errors
Hey,
Yup, the client side says the following;
Op=-1 fd=64 closed - Peer does not recognize and trust the CA that
issued your certificate.
Matt
Check the version of the nss package on your IPA server. There was a change
that went into nss-3.14 that disables support for certificate signatures using
the MD5 hash algorithm. To check if you are using MD5 certificate signatures,
use this command to examine the certificates -
certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ -n Server-Cert
If this is the case, the workaround is to downgrade the nss package to version
3.13. The fix is to re-issue your certificates using the SHA256 hashes.
Are you using the IPA CA, or are you managing the CA independently of IPA?
--
Jatin Nansi
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
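The two checks the thread converges on, an NSS database that has no CA entry carrying the C (SSL) trust flag, and a Server-Cert signed with MD5 that nss 3.14 no longer accepts, can both be read off `certutil -L` output. The script below is an added example written for this page, not code from Rob, Jatin, or the FreeIPA project. It parses constructed `certutil -L` listings and per-certificate dumps embedded in the script (not output captured from the poster's servers), so it runs offline; the column layout of the listing and the "Signature Algorithm:" line format are assumed to match what certutil prints. On a real server you would feed it `certutil -L -d /etc/dirsrv/slapd-REALM` and `certutil -L -d /etc/dirsrv/slapd-REALM -n Server-Cert` instead of the samples.

```shell
#!/bin/sh
# Added example: audit `certutil -L` output for the two failure modes
# discussed in the thread:
#   (1) no CA entry with the C (trusted CA for SSL) flag in the NSS DB,
#   (2) a Server-Cert whose signature algorithm is MD5.
# All sample text below is constructed for this example.

# Constructed `certutil -L -d <db>` listing from a DB missing the IPA CA.
SAMPLE_LIST_BROKEN='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
'

# Constructed listing from a healthy master (CA present, CT,C,C).
SAMPLE_LIST_OK='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
'

# Constructed excerpts of `certutil -L -d <db> -n Server-Cert`.
SAMPLE_CERT_MD5='
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
'
SAMPLE_CERT_SHA256='
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
'

# trusted_ca_nicknames LISTING
# Print the nickname of every entry whose SSL trust field contains C.
# The trust flags are the last field of the line; the nickname is the
# rest and may contain spaces ("EXAMPLE.COM IPA CA").
trusted_ca_nicknames() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /^[CTpPcuw]*,[CTpPcuw]*,[CTpPcuw]*$/ {
            split($NF, f, ",")
            if (index(f[1], "C") > 0) {
                $NF = ""; sub(/[ \t]+$/, ""); print
            }
        }'
}

# db_has_trusted_ca LISTING -> exit 0 if at least one trusted CA entry exists
db_has_trusted_ca() {
    [ -n "$(trusted_ca_nicknames "$1")" ]
}

# cert_signed_with_md5 CERTDUMP -> exit 0 if the signature algorithm is MD5
cert_signed_with_md5() {
    printf '%s\n' "$1" | grep -q 'Signature Algorithm:.*MD5'
}

# audit_db LISTING CERTDUMP -> print one verdict per check, exit 0 if both pass
audit_db() {
    status=0
    if db_has_trusted_ca "$1"; then
        echo "ok: trusted CA present: $(trusted_ca_nicknames "$1" | tr '\n' ';')"
    else
        echo "FAIL: no CA with the C (SSL) trust flag; peer certs cannot be validated"
        status=1
    fi
    if cert_signed_with_md5 "$2"; then
        echo "FAIL: Server-Cert is MD5-signed; nss >= 3.14 rejects it"
        status=1
    else
        echo "ok: Server-Cert is not MD5-signed"
    fi
    return $status
}

# Stand-alone run over the constructed samples.
echo "== broken replica =="; audit_db "$SAMPLE_LIST_BROKEN" "$SAMPLE_CERT_MD5" || true
echo "== healthy master =="; audit_db "$SAMPLE_LIST_OK" "$SAMPLE_CERT_SHA256" || true
```

The trust-flag check only looks at the first (SSL) field, because that is the field 389-ds consults when validating a replication peer's certificate; a CA imported with `,,` or `u,u,u` is present in the database but does not make peer certificates trusted, which is why the fix in the thread uses `-t CT,C,C`.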