[Freeipa-users] ipa {user-find} ca cert file

Rob Crittenden rcritten at redhat.com
Wed Sep 19 14:40:37 UTC 2012


James James wrote:
> Hi,
>
> I have followed this
> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
> and everything works well.
>
> Now when, from the console, I execute
>
> $ ipa user-find
>
> I've got
>
> [root at ipa ipa]# ipa user-find
> ipa: ERROR: cert validation failed for "E=certusser at example.com,
> CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
> as not trusted by the user.)
> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
> been marked as not trusted by the user.
>
> Any help will be very appreciated.

You need to add the CA certificate to /etc/pki/nssdb on the client and 
mark it as trusted.

Note that installing certificates from another CA is not recommended and 
you may run into further corner cases. If you have an existing CA then 
installing the IPA dogtag CA as a subordinate is a better long-term 
solution.

rob
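The fix Rob describes, written out as an added example (not code from the thread or from FreeIPA): import the external CA into the client's NSS database with CA trust flags, then confirm the trust column really marks it as a trusted SSL CA. The certificate path /etc/ipa/ca.crt and the nickname "TEST CA" are assumptions; certutil comes from nss-tools.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed inputs:
#   NSSDB   - the NSS database the ipa CLI uses (Rob's reply: /etc/pki/nssdb)
#   CA_FILE - the external CA certificate in PEM form (assumed path)
#   CA_NICK - nickname to store it under (assumed)
NSSDB=${NSSDB:-/etc/pki/nssdb}
CA_FILE=${CA_FILE:-/etc/ipa/ca.crt}
CA_NICK=${CA_NICK:-"TEST CA"}

# Import the CA and mark it trusted. Trust triple is SSL,S/MIME,JAR/XPI;
# in the SSL column "C" = trusted CA for server certs, "T" = trusted CA
# for client certs. A cert imported with "P,," (peer only) or ",," would
# still leave SEC_ERROR_UNTRUSTED_ISSUER in place.
add_trusted_ca() {
    certutil -d "$NSSDB" -A -n "$CA_NICK" -t "CT,C,C" -a -i "$CA_FILE"
}

# Read a `certutil -d $NSSDB -L` listing on stdin and return 0 only if the
# entry named $1 carries the CA ("C") flag in its SSL trust column.
trust_is_ca() {
    awk -v nick="$1" '
        index($0, nick) == 1 {
            rest = substr($0, length(nick) + 1)
            # exact nickname match: only whitespace and the flag triple follow
            if (rest ~ /^[[:space:]]+[^[:space:]]+[[:space:]]*$/) {
                split($NF, f, ",")          # f[1] is the SSL trust column
                if (f[1] ~ /C/) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Run on the client: import, then verify before retrying `ipa user-find`.
install_and_verify() {
    add_trusted_ca || return 1
    certutil -d "$NSSDB" -L | trust_is_ca "$CA_NICK"
}
```

Call install_and_verify as root on the affected client; a non-zero exit means the CA landed in the database without CA trust and the ipa CLI will keep rejecting the server certificate.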