On 07/12/2017 08:34 PM, Fraser Tweedale wrote:
> Which version(s) of FreeIPA?

ipa-server-4.4.0-14.el7.centos.7.x86_64

> Which service(s) (HTTP, LDAP?).

HTTPS. I haven't checked LDAPS yet. It appears this is only related to
HTTPS. To give a bit of backstory, the primary host [ipa0] was
installed and configured a couple of months before I came on board here
(which was in early April). One of my first tasks was to build a replica
of ipa0 (wackily named ipa1) for redundancy.

> What client program(s) were used to contact the servers? (The same
> client, or different?) Has the IPA CA cert been properly installed
> for the relevant clients / client systems?

I've not even tried to connect clients yet; this is solely related to
the web browser complaining about the connection to the admin panel
being insecure on ipa1, but not ipa0. ipa0 has a valid, non-self-signed
wildcard cert on it. So, either the process I used to build the replica
and get it synced was incorrect, or the process doesn't include valid
non-self-signed HTTPS certs. That's where I'm at now.

> Can you show us the good / bad certs?
> {{There are a lot of things to check when diagnosing PKI problems!}}
> Thanks,
> Fraser

--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net