IPA pki-tomcatd cannot start - Peer's certificate issuer has been marked as not trusted by the user
Issue
- The pki-tomcatd service on the IPA server cannot start:
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
- This error is observed in /var/log/pki/pki-tomcat/ca/debug:
Internal Database Error encountered: Could not connect to LDAP server host ipaserver.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
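The NSS error code in that message, -8172, is SEC_ERROR_UNTRUSTED_ISSUER: the JSS client inside pki-tomcat located the issuer of the certificate that the Directory Server presents on port 636, but the trust flags on that issuer in pki-tomcat's NSS database do not allow it to vouch for SSL server certificates (or the certificate on 636 now chains to a CA that pki-tomcat does not trust at all). The script below is an added diagnostic, not part of the Red Hat article: it reads `certutil -L` output, pulls the trust flags for the CA nickname and checks that the SSL column carries "C". It assumes the RHEL 7 defaults, which the page does not state, that pki-tomcat's NSS database is /etc/pki/pki-tomcat/alias and that the IPA CA is stored there as "caSigningCert cert-pki-ca" with flags "CTu,Cu,Cu"; the nickname and path are overridable. The embedded `certutil -L` listing is constructed sample data. Run it as root on the IPA server with `--live` to inspect the real database and the issuer of the certificate actually served on 636.

```shell
#!/bin/bash
# Added diagnostic, not from the Red Hat article. Assumptions (not stated on
# the page): pki-tomcat keeps its NSS database in /etc/pki/pki-tomcat/alias
# and the IPA CA certificate is stored there under the nickname
# "caSigningCert cert-pki-ca", the defaults on a RHEL 7 IPA server with an
# integrated CA. Override with NSSDB=... and CA_NICK=... if yours differ.
NSSDB="${NSSDB:-/etc/pki/pki-tomcat/alias}"
CA_NICK="${CA_NICK:-caSigningCert cert-pki-ca}"

# Read `certutil -L -d <db>` output on stdin and print the trust-flag column
# (SSL,S/MIME,JAR/XPI, e.g. "CTu,Cu,Cu") for one nickname. Nicknames may
# contain spaces, so the flags are taken as the last whitespace-separated
# field and everything before them is compared to the nickname. Prints
# nothing when the nickname is not in the database.
trust_flags_for() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            line = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", line)
            if (line == nick) { print flags; exit }
        }'
}

# Succeed only if the SSL column (first comma-separated field) marks the
# certificate as a trusted CA for SSL server certificates. "C" is required;
# "p" means explicitly distrusted; "c" (valid CA), "u" (own cert) or an empty
# column are not enough for NSS to accept a peer certificate chained to it,
# which is what SEC_ERROR_UNTRUSTED_ISSUER (-8172) reports.
issuer_trusted() {
    local ssl="${1%%,*}"
    case "$ssl" in
        *p*) return 1 ;;
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample of `certutil -L` output for a healthy pki-tomcat alias
# database; the DS server certificate chains to "caSigningCert cert-pki-ca".
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CTu,Cu,Cu
ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u
Server-Cert cert-pki-ca                       u,u,u'

# Read a certutil listing on stdin and report whether CA_NICK carries usable
# trust: exit 0 if it does, 1 if the flags are wrong, 2 if it is missing.
report() {
    local flags
    flags=$(trust_flags_for "$CA_NICK")
    if [ -z "$flags" ]; then
        echo "NOT FOUND: no certificate named '$CA_NICK' in the database"
        return 2
    fi
    if issuer_trusted "$flags"; then
        echo "OK: '$CA_NICK' has trust flags $flags"
        return 0
    fi
    echo "PROBLEM: '$CA_NICK' has trust flags $flags; SSL column needs 'C'"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    # Real check on the IPA server: inspect pki-tomcat's NSS database, then
    # show which CA actually issued the certificate served on port 636 so it
    # can be compared with the CA that pki-tomcat trusts.
    certutil -L -d "$NSSDB" | report
    echo "Issuer of the certificate presented by $(hostname -f):636:"
    openssl s_client -connect "$(hostname -f):636" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | report
fi
```

If the live run reports PROBLEM or NOT FOUND, or the issuer printed for port 636 is not the CA that pki-tomcat has as a trusted CA, the mismatch between the Directory Server's certificate chain and the pki-tomcat NSS database is the thing to correct before pki-tomcatd will connect over LDAPS again.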
Environment
- Red Hat Enterprise Linux 7
- IPA server with integrated CA