Forgot to add. After some digging I saw the CA needed to be added to the nssdbs.

I've added the CA cert to:

    [root@ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a -i fullchain.pem
    [root@ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a -i fullchain.pem

On Mon, Oct 17, 2016 at 11:32 AM, Joshua Ruybal <[email protected]> wrote:

> Hi,
>
> We've recently tried to change our https web certs for our IPA servers
> following the instructions listed here:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> The web gui is successfully using https now, however we are having several
> other problems.
>
> Enrollment now fails for new hosts, and we're unable to install replicas.
>
> Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> Any advice on this?
>
> ipa-server 3.0.0
> CentOS 6.7
>
> Thanks,
>
> --Josh
>

--
Joshua Ruybal | Systems Engineer
<http://www.owneriq.com/>
o: (866) 870-2295 x823
c: (206) 724-4549
e: [email protected]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
