Hi, I’ve been suffocating the same problem. I applied ipa-server-certinstall without adding ca first.
I applied your steps and added my ca.crt to /etc/ipa/ca.crt and /etc/ipa/nssdb with certutil, after than I run ipa-certupdate and it still fails.
[root@xxx ~]# certutil -d sql:/etc/ipa/nssdb/ -L
Certificate Nickname Trust Attributes
Xxx IPA CA CT,C,C
After this I ran ipa-certupdate and it says
cannot connect to 'any of the configured servers’: …. (List of my ipaservers goes here)
The ipa-certupdate command failed.
Should I do this process for all servers, or I am missing something? Related to this problem I am having login failure at the web ui. Would it work if I created a new db and added my GlobalSign ca there? Do I need the self signed ipa ca?
PS: I'm running freeipa on rhel8
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to firstname.lastname@example.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://email@example.com
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure