you can manually add the new CA to the NSS databases:
- /etc/dirsrv/slapd-xxx
- /etc/ipa/nssdb
- /etc/pki/pki-tomcat/alias (if you have configured an embedded CA)
- /etc/httpd/alias (if IPA version < 4.7)

and to the PEM files /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.

ipa-certupdate needs the services to be up and running; what is the output of "ipactl status" on your server?
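The manual procedure in the reply above, written out as a script. This is an added example, not code from the thread or from the FreeIPA project. It assumes the NSS nickname in NICK, a ROOT prefix (empty on a live server; point it at a scratch directory to rehearse), and a DRY_RUN switch that defaults to 1 so the certutil commands are only printed until you pass DRY_RUN=0. The NSS paths and the two PEM bundles are the ones the reply lists; the trust flags CT,C,C are the ones the certutil -L output later in the thread shows for the IPA CA. Appending to the PEM bundles is made idempotent so a second run does not duplicate the certificate.

```bash
#!/bin/bash
# Added example (not from the thread or the FreeIPA project): stage a new CA certificate
# into every FreeIPA trust store named in the reply, then hand over to ipa-certupdate.
# Assumptions: NICK (nickname inside NSS), ROOT (path prefix, empty on a real server)
# and DRY_RUN (defaults to 1, so nothing is modified until you pass DRY_RUN=0).
set -eu

CA_PEM="${1:-/path/to/new-ca.crt}"   # PEM file holding the new CA (placeholder path)
NICK="${NICK:-New CA}"               # assumed nickname for the certificate inside NSS
ROOT="${ROOT:-}"                     # prefix for all paths; empty means the live system
DRY_RUN="${DRY_RUN:-1}"              # 1 = only print what would be done

# NSS databases from the reply. The 389-ds directory is per instance (slapd-<INSTANCE>),
# so it is globbed; pki-tomcat/alias only exists with an embedded CA and httpd/alias
# only on IPA < 4.7, so only directories that actually exist are returned.
nss_targets() {
    local d
    for d in "$ROOT"/etc/dirsrv/slapd-* "$ROOT"/etc/ipa/nssdb \
             "$ROOT"/etc/pki/pki-tomcat/alias "$ROOT"/etc/httpd/alias; do
        [ -d "$d" ] && echo "$d"
    done
    return 0
}

# Import the CA into one NSS database with the trust flags the thread's
# certutil -L output shows for the IPA CA (CT,C,C).
nss_add_ca() {   # nss_add_ca DBDIR CERT
    if [ "$DRY_RUN" = 1 ]; then
        echo "certutil -A -d sql:$1 -n '$NICK' -t CT,C,C -i $2"
    else
        certutil -A -d "sql:$1" -n "$NICK" -t "CT,C,C" -i "$2"
    fi
}

# True when FILE already holds CERT's base64 body (whitespace ignored), so a
# re-run does not append the same certificate twice.
pem_contains() {   # pem_contains FILE CERT
    local needle hay
    [ -r "$2" ] || return 1
    needle=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$2" \
             | grep -v CERTIFICATE | tr -d '\n\r ')
    [ -n "$needle" ] || return 1
    [ -s "$1" ] || return 1
    hay=$(tr -d '\n\r ' < "$1")
    case "$hay" in *"$needle"*) return 0 ;; esac
    return 1
}

# Append CERT to a PEM bundle exactly once, keeping the bundle well formed even
# when the existing file lacks a trailing newline.
add_ca_to_pem() {   # add_ca_to_pem FILE CERT
    if pem_contains "$1" "$2"; then
        echo "skip: $1 already contains the CA"
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "would append $2 to $1"
        return 0
    fi
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"   # last byte is not a newline; do not glue the PEM blocks
    fi
    cat "$2" >> "$1"
    echo "appended CA to $1"
}

main() {
    local db f
    for db in $(nss_targets); do
        nss_add_ca "$db" "$CA_PEM"
    done
    # PEM bundles named in the reply
    for f in "$ROOT"/etc/ipa/ca.crt "$ROOT"/usr/share/ipa/html/ca.crt; do
        if [ -e "$f" ]; then
            add_ca_to_pem "$f" "$CA_PEM"
        else
            echo "skip: $f not present"
        fi
    done
    echo "next: confirm services are up with 'ipactl status', then run ipa-certupdate"
}

if [ -r "$CA_PEM" ]; then
    main
else
    echo "usage: DRY_RUN=0 $0 /path/to/new-ca.crt   (DRY_RUN=1 only prints)" >&2
fi
```

Run it once with the default DRY_RUN=1 to review the exact certutil invocations for the databases found on that host, then again with DRY_RUN=0. The script deliberately does not run ipa-certupdate itself: as the reply notes, that tool needs the IPA services running, which is what "ipactl status" tells you.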


On Sun, Oct 17, 2021 at 1:21 AM cicek adam via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi, I’ve been suffering from the same problem. I applied ipa-server-certinstall without adding the CA first.
I applied your steps and added my ca.crt to /etc/ipa/ca.crt and /etc/ipa/nssdb with certutil; after that I ran ipa-certupdate and it still fails.

[root@xxx ~]# certutil -d sql:/etc/ipa/nssdb/ -L

Certificate Nickname                                         Trust Attributes

Xxx IPA CA                                                 CT,C,C
globalsign                                                   CT,C,C

After this I ran ipa-certupdate and it says

cannot connect to 'any of the configured servers': …. (List of my ipaservers goes here)
The ipa-certupdate command failed.

Should I do this process for all servers, or am I missing something? Related to this problem, I am having login failures at the web UI. Would it work if I created a new db and added my GlobalSign CA there? Do I need the self-signed IPA CA?

PS: I'm running freeipa on rhel8

