Z D via FreeIPA-users wrote:
> Rob, I'd love to test your tool, as part of working on my problem 
> "ipa.service fails to start", but I still run 4.4.0-12.0.1.el7.x86_64, hence 
> do you think this is the obstacle? 

I haven't tried it. It won't hurt anything to try though.

> Again, as part of "ipa.service fails to start" work, I was hoping to add a new 
> IPA server 4.5.4, but ipa-replica-prepare (from v4.4.0) fails with:
> 
> Creating SSL certificate for the Directory Server
> cannot connect to 
> 'https://ca-ldap02.domain.com:8443/ca/ee/ca/profileSubmitSSLClient': 
> (SSL_ERROR_EXPIRED_CERT_ALERT) 
> SSL peer rejected your certificate as expired.

Without a CA you can't create a replica.

> One more thing, my domain level is 0, will it help raising to 1 and is this 
> process harmful?
> I am desperate to try things that can possibly lead to resolving my expired 
> cert problems. 

Trying to upgrade would not help and could make things worse.

Check out this thread for configuring dogtag to use basic LDAP auth
instead of cert auth, it might help unstick things:

https://www.redhat.com/archives/freeipa-users/2017-January/msg00216.html

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org