On 23. okt. 2017 19:45, Bhavin Vaidya via FreeIPA-users wrote:
We did manage to delete the certificates, all but the right one (we
figured out looking at clients' /etc/ipa/ca.crt)
I have seen /etc/ipa/ca.crt get out of date before. It wasn't updated
automatically when renewing the CA cert, though I was using 3.x versions
at the time. Thankfully, it's easy to check. You can open up the Web UI
and check what the expiry date is in the browser. If it matches the
below, just ignore this message.
Successfully retrieved CA cert
Subject: CN=Certificate
Authority,O=EXAMPLE.COM
Issuer: CN=Certificate
Authority,O=EXAMPLE.COM
Valid From: Thu Jun 01 12:55:08 2017 UTC
Valid Until: Mon Jun 01 12:55:08 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST
transaction. Peer certificate cannot be authenticated with known CA
certificates