Ricardo Mendes wrote:
Hi Rob once again many thanks for helping!
> My guess is that the LE CA certificates are not trusted by the NSS
> database that dogtag uses. Assuming you've added those CA certificates
> to IPA using ipa-cacert-manage install then running ipa-certupdate
> should fix things for you.
>
> rob
I think the LE CA certificates are added with certutil as per the script
I don't know if it runs ipa-cacert-manage install.
If you ran setup-le.sh then yes.
I had tried ipa-certupdate as I remember having read that running it
usually fixes a number of issues with the cert setup. It finishes
successfully.
# ipa-certupdate
trying https://main.domain.io/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://main.domain.io/ipa/json'
trying https://main.domain.io/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://main.domain.io/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://main.domain.io/ipa/session/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
But the issue persists (now my issue is solely in starting pki-tomcatd). I can
connect to the GUI; when I access via https I get the new cert, edit DNS
records (adding via web), and authenticate to the web interface using a
kerberos ticket. BUT pki-tomcat keeps throwing errors, and when I run
"ipactl restart" it fails unless I add the --ignore-service-failure
flag (and --skip-version-check as well; I still have that one stuck).
The certificates are at the $WORKDIR (ipa-le).
You'd need to look at the certs in the tomcat NSS database and/or look
at the 389-ds access log to see why the bind failed.
New issues: I can't use ldapsearch with 'cn=directory manager'; it fails
with "ldap_bind: Invalid credentials (49)", and other apps that use LDAP
with another sysaccount just to bind cannot bind either. Don't think it
is related to pki-tomcat though.
Neither would be affected by the certificates.
rob
Ricardo
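Two small checks for the suggestion above (inspect the tomcat NSS database trust flags and the 389-ds access log for the failed bind), added here as an example and not code from the thread or from FreeIPA. It assumes the standard 389-ds access log format (BIND and RESULT lines sharing conn=/op=) and the column layout of `certutil -L`; the log lines, DNs and certificate nicknames are constructed placeholders.

```shell
# Added example (not code from the thread): two checks for the points raised
# above, run over constructed sample data so it works offline.
# failed_binds: pair 389-ds access-log BIND lines with their RESULT lines
# (joined on conn=N op=M) and report binds whose err is non-zero,
# e.g. err=49 (invalidCredentials, what ldapsearch reports as error 49).
failed_binds() {
  awk '
    function conn_op(line,   c, o) {
      match(line, /conn=[0-9]+/); c = substr(line, RSTART, RLENGTH)
      match(line, /op=[0-9]+/);   o = substr(line, RSTART, RLENGTH)
      return c " " o
    }
    /BIND dn=/ {
      match($0, /dn="[^"]*"/); dn = substr($0, RSTART + 4, RLENGTH - 5)
      bind[conn_op($0)] = (dn == "" ? "<anonymous>" : dn)
    }
    /RESULT err=/ {
      key = conn_op($0)
      if (key in bind) {
        match($0, /err=[0-9]+/); err = substr($0, RSTART + 4, RLENGTH - 4) + 0
        if (err != 0) print key " dn=\"" bind[key] "\" err=" err
        delete bind[key]
      }
    }'
}
# untrusted_cas: from "certutil -L -d <nssdb>" output, list nicknames whose
# SSL trust column has neither C (trusted CA) nor u (own private key present).
untrusted_cas() {
  awk 'NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
         split($NF, t, ","); nick = $0
         sub(/[[:space:]]+[^[:space:]]+$/, "", nick)
         if (t[1] !~ /C/ && t[1] !~ /u/) print nick
       }'
}
# Constructed samples; timestamps, DNs and nicknames are placeholders.
SAMPLE_ACCESS_LOG='[01/Jan/2024:10:15:32.001 +0000] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[01/Jan/2024:10:15:32.002 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[01/Jan/2024:10:15:33.001 +0000] conn=13 op=0 BIND dn="uid=app,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[01/Jan/2024:10:15:33.002 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000'
SAMPLE_CERTUTIL='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                   CTu,Cu,Cu
Server-Cert cert-pki-ca                     u,u,u
Example LE Intermediate (constructed)       ,,
Example Root CA (constructed)               CT,C,C'
printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_binds
printf '%s\n' "$SAMPLE_CERTUTIL"   | untrusted_cas
```

Against a live server, feed it `/var/log/dirsrv/slapd-<INSTANCE>/access` and `certutil -L -d /etc/pki/pki-tomcat/alias` output instead of the samples.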