Robson Francisco de Souza via FreeIPA-users wrote:
Hi Timo,
Thanks for your reply.
I have searched the web a lot and attempted several solutions, but all failed because certmonger cannot talk to the FreeIPA web interface. A few words on my setup:
- I have two FreeIPA servers (4.3.1-0ubuntu1), one is the original master and the other is a replica, but both are CA and renew masters
- Everything was installed using apt-get on Ubuntu 16.04 and I've always updated regularly
- FreeIPA was installed with DNS for our intranet and configured to talk to intranet IPs only, thus ignoring the WAN interface
- None of my certificates has expired, and all NSS databases and PEM files match the corresponding LDAP entries
My objective, as I said, is to make sure certificates are renewed before expiring. My problem is that certmonger shows:
ca-error: Error 60 connecting to https://<snip>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
Talking to dogtag requires a client certificate. This client certificate is loaded via libnsspem.
Changing to error 60 is probably a good sign.
I don't know what NSS database is used by certmonger in Ubuntu, so I can't recommend where to check for a missing CA certificate/trust.
In upstream IPA this is in /etc/ipa/nssdb.
Another suggestion would be to look in /etc/pki/nssdb.
rob
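A way to perform the check Rob is pointing at, as an added example that is not part of the thread: list the NSS database and confirm the IPA CA certificate carries the SSL trust flag (`C`) that certmonger needs to authenticate the Dogtag peer on port 8443. The `certutil -L` listing embedded below is constructed sample output so the script runs offline; the CA nickname "EXAMPLE.COM IPA CA", the `sql:` database prefix and the paths /etc/ipa/nssdb and /etc/pki/nssdb are assumptions to substitute with your own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a CA certificate in an
# NSS database is trusted for SSL (the "C" flag in the first trust column),
# which is what certmonger/libnsspem needs to validate the Dogtag server cert.
#
# Live use on the server (assumed paths/nickname; adjust to your realm):
#   live_check /etc/ipa/nssdb "EXAMPLE.COM IPA CA"
#   live_check /etc/pki/nssdb "EXAMPLE.COM IPA CA"

# Constructed sample of `certutil -L -d sql:/etc/ipa/nssdb` output.
# Trust attributes are three comma-separated columns: SSL, S/MIME, JAR/XPI.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
Stale CA                                                     ,,'

# ssl_trust_flags LISTING NICKNAME
# Prints the SSL trust flags (first comma-separated column) for NICKNAME,
# or nothing if the nickname is absent. Nicknames may contain spaces, so the
# last whitespace-separated field is taken as the trust string and the rest
# of the line, trailing blanks removed, as the nickname.
ssl_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF > 1 {
            flags = $NF
            name = substr($0, 1, length($0) - length(flags))
            sub(/[ \t]+$/, "", name)
            if (name == nick) { split(flags, f, ","); print f[1]; exit }
        }'
}

# ca_trusted_for_ssl LISTING NICKNAME
# Returns 0 when NICKNAME is present and its SSL trust flags include "C"
# (trusted CA for server authentication); 1 otherwise. A cert with "u,u,u"
# is a user cert with a private key, not a trust anchor, and fails the check.
ca_trusted_for_ssl() {
    flags=$(ssl_trust_flags "$1" "$2")
    case "$flags" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# live_check DBDIR NICKNAME
# Same check against a real database (requires certutil; not run offline).
live_check() {
    ca_trusted_for_ssl "$(certutil -L -d "sql:$1")" "$2"
}
```

If the CA is missing or lacks the `C` flag, `certutil -A -d sql:/etc/ipa/nssdb -n "<nickname>" -t "CT,C,C" -i /etc/ipa/ca.crt` (assumed path) adds or re-trusts it, after which `getcert resubmit -i <request id>` can retry the renewal; if the listing already shows the CA as `CT,C,C`, the problem is elsewhere (for example a different database being used, or the server certificate chain presented on 8443 not leading to that CA).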