Same as before, I already followed the part for < 4.1, as below:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

The Comodo cert is the new cert. It seems I'm nearly right: the HTTP server side can read the trusted cert, BUT it seems dirsrv is still lacking a CA cert to verify it, even though ca.crt has already been changed to the new one and imported ABC-COM...

[07/Mar/2017:19:17:22 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com - COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <f...@redhat.com>:

> Hi,
>
> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as Certificate
> Authority, and this file may be outdated. Running ipa-certupdate may fix
> your issue. See [1]
>
> If it doesn't, you can start by identifying which certificate expired with
> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/6375
>
> On 03/07/2017 04:14 AM, barry...@gmail.com wrote:
>
>> gpg
>>
>> Creating SSL certificate for the Directory Server
>> ipa : ERROR cert validation failed for "CN=central.ABC.com
>> <http://central.ABC.com>,O=ABC.COM <http://ABC.COM>"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>> main()
>>
>> File "/usr/sbin/ipa-replica-prepare", line 361, in main
>> export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
>> replica_fqdn, subject_base)
>>
>> File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
>> raise e
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project