[Freeipa-users] ipa {user-find} ca cert file

James James jreg2k at gmail.com
Wed Sep 19 14:48:01 UTC 2012


OK Thanks a lot for the solution and for the advice.


2012/9/19 Rob Crittenden <rcritten at redhat.com>

> James James wrote:
>
>> Hi,
>>
>> I have followed this
>> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA
>> and everything works well.
>>
>> Now when, from the console, I execute
>>
>> $ ipa user-find
>>
>> I've got
>>
>> [root at ipa ipa]# ipa user-find
>> ipa: ERROR: cert validation failed for "E=certusser at example.com,CN=ipa.example.com,OU=TEST,O=TEST,C=FR"
>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked
>> as not trusted by the user.)
>> ipa: ERROR: cannot connect to u'http://ipa.lix.example.com/ipa/xml':
>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>> been marked as not trusted by the user.
>>
>> Any help will be very appreciated ..
>>
>
> You need to add the CA certificate to /etc/pki/nssdb on the client and
> mark it as trusted.
>
> Note that installing certificates from another CA is not recommended and
> you may run into further corner cases. If you have an existing CA then
> installing the IPA dogtag CA as a subordinate is a better long-term
> solution.
>
> rob
>
>
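The step described in the reply above, as an added example that is not part of the original thread: import the CA certificate into the NSS database with `certutil`, then confirm from the `certutil -L` listing that it carries SSL issuer trust. The function names, the nickname, the PEM path and the choice of the `C,,` trust string (SSL only) are assumptions, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example; not from the original thread.
NSSDB=/etc/pki/nssdb    # database named in the reply above

# Import a PEM CA certificate and trust it as an issuer of SSL server certs.
# "C,," grants SSL issuer trust only (no S/MIME or code-signing trust).
import_ca() {    # usage: import_ca <nickname> <ca.pem>   (both placeholders)
    certutil -A -d "$NSSDB" -n "$1" -t "C,," -a -i "$2"
}

# Print the SSL trust flags of a nickname; reads a `certutil -L` listing on stdin.
# Returns non-zero when the nickname is not in the database at all.
ssl_trust_flags() {    # usage: certutil -L -d "$NSSDB" | ssl_trust_flags <nickname>
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[a-zA-Z]*,[a-zA-Z]*,[a-zA-Z]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
            sub(/^[ \t]+/, "", name)                 # nicknames may contain spaces
            if (name == nick) { split(flags, f, ","); print f[1]; found = 1 }
        }
        END { exit !found }'
}

# Succeeds only when the nickname is a trusted CA for SSL server certificates.
# A certificate that is present but lacks "C" still gives SEC_ERROR_UNTRUSTED_ISSUER.
ca_trusted_for_ssl() {    # same stdin as ssl_trust_flags
    flags=$(ssl_trust_flags "$1") || return 1
    case "$flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output, for offline checks.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp CA                                              C,,
Imported Untrusted CA                                        ,,
Server-Cert                                                  u,u,u
'
```

On a real client, run `import_ca` as root and then `certutil -L -d /etc/pki/nssdb | ca_trusted_for_ssl "<nickname>"` before retrying `ipa user-find`.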