On Fri, February 14, 2014 15:29, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>
>>
>>
>> It would seem like we're still encountering some issues. The date has now
>> passed for when the old certificate expired, and the "ipa" cli command no
>> longer works. The webui is still working just fine.
>>
>> These are the errors I receive.
>>
>>
>> $ ipa user-find
>> ipa: ERROR: cert validation failed for "CN=serveripa03.example.com,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for "CN=serveripa01.example.com,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for "CN=serveripa02.example.com,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://serveripa03.example.com/ipa/xml, https://serveripa01.example.com/ipa/xml, https://serveripa02.example.com/ipa/xml
>>
>
> This seems more like a client-side issue. Can you confirm that
> /etc/ipa/ca.crt is correct and that the NSS database in /etc/pki/nssdb
> contains the CA?
>
> certutil -L -d /etc/pki/nssdb -n 'IPA CA'
>


The CA seems to be available. I ran the command on ipa01. See below for the
output.

The issue happens when I'm logged on to any of the ipa servers, and if I'm
running the ipa command from a remote machine.


]$ sudo certutil -L -d /etc/pki/nssdb -n 'IPA CA'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Thu Jan 19 19:44:21 2012
            Not After : Sun Jan 19 19:44:21 2020
        Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:


Regards,
Siggi
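
The two checks asked for above (that /etc/ipa/ca.crt is the same certificate as the 'IPA CA' entry, and that the NSS database holds it), plus a look at the entry's trust attributes, as an added example that is not part of the original messages. The function names and the sample listing are constructed for illustration; whether trust attributes are the cause on this system is not established in the thread.

```shell
#!/bin/sh
# Added example; paths and nickname are the ones quoted in the thread.
NSSDB=/etc/pki/nssdb
CA_FILE=/etc/ipa/ca.crt
NICK='IPA CA'

# Read a `certutil -L -d DIR` listing on stdin and print the trust attributes
# (e.g. "CT,C,C") for nickname $1. Nicknames may contain spaces, so the last
# field is the trust string and everything before it is the nickname.
trust_attrs() {
    awk -v nick="$1" '
        NF >= 2 {
            t = $NF; n = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", n)   # strip the last field
            sub(/^[ \t]+/, "", n)                # strip leading blanks
            if (n == nick) { print t; found = 1; exit }
        }
        END { exit !found }'
}

# True if the SSL part (first comma-separated field) contains "C",
# the flag for a CA trusted to issue server certificates.
trusts_server_certs() {
    case ${1%%,*} in *C*) return 0 ;; *) return 1 ;; esac
}

# True if CA_FILE and the NSS entry are the same certificate (SHA-256
# fingerprint). Needs openssl and certutil; run it on the affected client.
same_ca() {
    a=$(openssl x509 -in "$CA_FILE" -noout -fingerprint -sha256) || return 2
    b=$(certutil -L -d "$NSSDB" -n "$NICK" -a |
        openssl x509 -noout -fingerprint -sha256) || return 2
    [ "$a" = "$b" ]
}

# Constructed listing (not output from the thread): CA present, no trust set.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       ,,
Server-Cert                                                  u,u,u'

attrs=$(printf '%s\n' "$SAMPLE" | trust_attrs "$NICK")
if trusts_server_certs "$attrs"; then
    echo "$NICK: trusted for server certificates ($attrs)"
else
    echo "$NICK: present but not trusted for server certificates ($attrs)"
fi
```

On a real client, feed `certutil -L -d /etc/pki/nssdb` into `trust_attrs 'IPA CA'` instead of the sample, and call `same_ca` to compare the file with the database entry.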


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
