Hi, I’ve been suffering from the same problem. I ran ipa-server-certinstall without
adding the CA first.
I applied your steps and added my ca.crt to /etc/ipa/ca.crt and /etc/ipa/nssdb with
certutil. After that I ran ipa-certupdate and it still fails.
[root@xxx ~]# certutil -d sql:/etc/ipa/nssdb/ -L
Certificate Nickname                    Trust Attributes
                                        SSL,S/MIME,JAR/XPI
Xxx IPA CA                              CT,C,C
globalsign                              CT,C,C
After this I ran ipa-certupdate and it says
cannot connect to 'any of the configured servers': …. (List of my ipaservers goes
here)
The ipa-certupdate command failed.
Should I do this process for all servers, or am I missing something? Related to this
problem, I am having login failures at the web UI. Would it work if I created a new db and
added my GlobalSign CA there? Do I need the self-signed IPA CA?
PS: I'm running FreeIPA on RHEL 8
Thanks.