YES! Thank you so much.

On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> Hello!
>>
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great. I seem to have made a wee mistake though and
>> I'd appreciate some help.
>>
>> I did this:
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> services.
>>
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands. Is there any way I
>> can roll this back, or make it work as is?
>>
>> Thanks!
>>
>> -Ian
>>
> Hi Ian,
>
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> ipa-certupdate
>
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
> where it should appear with C,, flags
>
> Hope this helps,
> Flo.
>
--
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
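
The verification step in the quoted reply (the issuer should appear with `C,,` flags in `certutil -L`) can be scripted. The following is an added example, not part of the thread: the function names and the sample listing are constructed for illustration, and on an IPA host the listing would come from the two `certutil -L -d ...` commands quoted above.

```shell
#!/bin/sh
# Constructed sample of `certutil -L` output (not taken from the thread).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
Example Issuer CA                                            C,,
Untrusted Issuer CA                                          ,,
'

# Print the SSL trust field for nickname $1 from a listing on stdin.
# Nicknames may contain spaces, so the trust column is taken as the last
# whitespace-separated field and stripped off before comparing.
ssl_trust_flags() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick) { split($NF, f, ","); print f[1]; found = 1; exit }
        }
        END { exit !found }
    '
}

# 0 = trusted CA for SSL (C present), 1 = listed without C, 2 = not listed.
issuer_trusted_for_ssl() {
    flags=$(ssl_trust_flags "$1") || return 2
    case "$flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# On an IPA host the listing would come from the commands in the reply, e.g.
#   certutil -L -d /etc/httpd/alias | issuer_trusted_for_ssl "nickname"
for nick in "Example Issuer CA" "Untrusted Issuer CA" "No Such CA"; do
    rc=0
    printf '%s\n' "$SAMPLE_LISTING" | issuer_trusted_for_ssl "$nick" || rc=$?
    echo "$nick: rc=$rc"
done
```

A return code of 2 for either database means the issuer certificate is absent from that database, and 1 means it is present but not flagged as a trusted CA for SSL.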