A massive thank you to Jan Cholasta for handholding me while I was getting this problem fixed. This is how we did it...
1. List all CA certificates in LDAP directory:

   ldapsearch -b cn=certificates,cn=ipa,$basedn

2. Using ldapdelete (or LDAP browser), get rid of all certificates that shouldn't be there; in my case there were 2 called "CA 1" and "CA 2".

3. On each server, list all certificates in the following databases ($db):

   - /etc/httpd/alias/
   - /etc/dirsrv/slapd-IPA-YOUR-REALM/
   - /etc/pki/nssdb/
   - /etc/ipa/nssdb/

   certutil -L -d $db

4. On each server, delete duplicated certificates ($nick = Certificate Nickname) from the above databases. Please note, this step removed both correct and incorrect certificates:

   certutil -D -d $db -n "$nick"

5. We had a conflict between one of our intermediate CA certificates supplied by Gandi and a system certificate (potentially installed by the ca-certificates package), therefore we had to run the following command on every server to stop the system cert being loaded into the httpd database:

   modutil -dbdir /etc/httpd/alias -disable 'Root Certs' -force

6. Lastly, we ran the following command on every server to load the correct certificates into all databases:

   ipa-certupdate

At this point we had a fully functioning system again with the correct SSL certificate chain being served by both httpd and dirsrv services.

Please note, an incorrect CA certificate was re-added to the LDAP directory later on when I deployed a new node and I had to repeat step 2 before running ipa-certupdate on the new replica.

Once again, I would like to thank Jan for his input - keep up the good work!

--
Kind regards,
Peter Pakos
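Steps 3 and 4 above depend on spotting which nicknames occur more than once in each NSS database before anything is deleted. The following shell script is an added example (not part of the original post or of FreeIPA) that parses `certutil -L` output and prints only the nicknames that appear more than once, so the list of candidates for `certutil -D` can be reviewed first. The sample `certutil -L` listing embedded in the script is constructed for the demo; the nicknames in it (EXAMPLE.COM IPA CA, Intermediate CA, Server-Cert) are placeholders, and `audit_nss_dbs` is a hypothetical helper that runs the same check against the four database paths named in step 3.

```shell
#!/bin/sh
# Find duplicated certificate nicknames in `certutil -L -d $db` output.
# Reads the listing on stdin and prints each nickname that occurs more than once.
duplicate_nicknames() {
    awk '
        NR <= 2 { next }            # skip the two header lines certutil prints
        NF == 0 { next }            # skip the blank separator line
        {
            nick = $0
            # The trust attributes (e.g. "CT,C,C" or "u,u,u") are the last
            # whitespace-separated field; strip them to recover the nickname,
            # which may itself contain spaces.
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)
            count[nick]++
        }
        END {
            for (n in count) if (count[n] > 1) print n
        }' | LC_ALL=C sort
}

# Hypothetical helper: run the check against the databases named in step 3.
# Requires certutil and read access to the databases; not invoked below.
audit_nss_dbs() {
    for db in /etc/httpd/alias /etc/dirsrv/slapd-IPA-YOUR-REALM /etc/pki/nssdb /etc/ipa/nssdb; do
        echo "== duplicated nicknames in $db"
        certutil -L -d "$db" | duplicate_nicknames
    done
}

# Constructed sample listing in the format certutil -L produces (not real output).
SAMPLE_CERTUTIL_OUTPUT="$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
Intermediate CA                                              ,,
EXAMPLE.COM IPA CA                                           CT,C,C
Intermediate CA                                              ,,
EOF
)"

# Demo: only the two duplicated nicknames are printed; Server-Cert is not.
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | duplicate_nicknames
```

The script only reports; deleting is still the explicit `certutil -D -d $db -n "$nick"` from step 4, which, as the post notes, removes every entry under that nickname, so `ipa-certupdate` (step 6) is what repopulates the databases afterwards.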
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project