IPA pki-tomcatd cannot start - Peer's certificate issuer has been marked as not trusted by the user

Solution Verified

Issue

  • IPA server pki-tomcatd cannot start; ipactl start reaches the pki-tomcatd step:
    # ipactl start
    Starting Directory Service
    Starting krb5kdc Service
    Starting kadmin Service
    Starting named Service
    Starting httpd Service
    Starting ipa-custodia Service
    Starting pki-tomcatd Service
  • The following error is logged in /var/log/pki/pki-tomcat/ca/debug:
    Internal Database Error encountered: Could not connect to LDAP server host ipaserver.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)

Environment

  • Red Hat Enterprise Linux 7
  • IPA server with integrated CA
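
What the error means, and a check for its usual source, as an added example that is not part of the Red Hat article and not IPA project code: NSS code -8172 is SEC_ERROR_UNTRUSTED_ISSUER. NSS raises it when the issuer of the peer's certificate is present in the NSS database but its trust attributes do not mark it as a trusted CA for SSL (a "C" in the first, SSL column of certutil -L output); an issuer that is missing altogether is reported with a different code (-8179, unknown issuer). pki-tomcatd validates the Directory Server's port 636 certificate through JSS against its own NSS database, so the script below parses a certutil -L listing of that database and reports whether the CA certificate carries the SSL trust flag. The database path /etc/pki/pki-tomcat/alias and the nickname caSigningCert cert-pki-ca are the RHEL 7 IPA defaults and are assumed here; the two certutil listings embedded in the script are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example; not code from the Red Hat article or from the IPA project.
# Reports whether the CA certificate that pki-tomcatd (via JSS/NSS) uses to
# validate the Directory Server's LDAPS certificate is marked as a trusted
# SSL CA in the Tomcat NSS database. NSS -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
# means the issuer is in the database but its SSL trust column lacks "C".
#
# Assumed RHEL 7 IPA defaults (not stated by the article):
NSSDB=/etc/pki/pki-tomcat/alias
CA_NICK='caSigningCert cert-pki-ca'

# ssl_trust_flags NICK: read `certutil -L` output on stdin and print the SSL
# column of NICK's trust attributes (first of three comma-separated columns,
# e.g. "CTu" from "CTu,Cu,Cu"). Prints nothing if NICK is not listed.
ssl_trust_flags() {
    awk -v nick="$1" '
        # a certificate line starts with the nickname followed by a space;
        # the trust attributes are the last whitespace-separated field
        substr($0, 1, length(nick) + 1) == nick " " {
            split($NF, f, ",")
            print f[1]
            exit
        }'
}

# ca_trusted_for_ssl NICK: exit 0 when NICK carries the "C" (trusted CA for
# SSL server certificates) flag, 1 otherwise. Reads `certutil -L` on stdin.
ca_trusted_for_ssl() {
    case $(ssl_trust_flags "$1") in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# report NICK LABEL: human-readable verdict for one listing read on stdin.
report() {
    flags=$(ssl_trust_flags "$1")
    case $flags in
        '')  echo "$2: '$1' is not in the database (would give -8179, not -8172)" ;;
        *C*) echo "$2: '$1' SSL trust '$flags' includes C; issuer trust is not the cause of -8172" ;;
        *)   echo "$2: '$1' SSL trust '$flags' lacks C; certificates it issued fail with -8172" ;;
    esac
}

# Constructed `certutil -L -d $NSSDB` listings for offline demonstration.
SAMPLE_BROKEN='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                    u,u,u
Server-Cert cert-pki-ca                      u,u,u
subsystemCert cert-pki-ca                    u,u,u'

SAMPLE_OK='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                    CTu,Cu,Cu
Server-Cert cert-pki-ca                      u,u,u
subsystemCert cert-pki-ca                    u,u,u'

printf '%s\n' "$SAMPLE_BROKEN" | report "$CA_NICK" "sample (broken)"
printf '%s\n' "$SAMPLE_OK"     | report "$CA_NICK" "sample (healthy)"

# With --live, inspect the real database (run as root on the IPA server).
if [ "${1-}" = "--live" ]; then
    certutil -L -d "$NSSDB" | report "$CA_NICK" "$NSSDB"
fi
```

Run it as root with --live on the affected server to inspect the real database. If the CA entry's SSL column has no C, the standard certutil way to reset the attributes is certutil -M -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -t 'CT,C,C' followed by ipactl restart; whether that is the resolution the article gives is not visible here, and if the Directory Server's certificate was issued by a different (for example renewed) CA key than the one listed, the correct issuer has to be imported rather than the flags changed.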
