Thanks guys. I will try and have a go tomorrow and let you know how it goes. Regards Tim <div class="gmail_quote">On 6 Nov 2012 18:20, "Dmitri Pal" <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 11/06/2012 11:58 AM, Rob Crittenden wrote: > Dmitri Pal wrote: >> On 11/06/2012 08:07 AM, Rob Crittenden wrote: >>> Tim Hughes wrote: >>>> >>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to >>>> ipa-server-2.2.0-16.el6.x86_64 with the following command >>>> >>>> >>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue >>>> --with-compat --base-dn=dc=custsvc,dc=mycompany >>>> --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany >>>> --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany >>>> >>>> >>>> I get the following response. >>>> >>>> >>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer >>>> ipa: DEBUG: cert valid True for >>>> "CN=ipa-server.internal,O=CO.MYCOMPANY" >>>> ipa: DEBUG: handshake complete, peer = <a href="http://192.168.10.6:443" target="_blank">192.168.10.6:443</a> >>>> <<a href="http://192.168.10.6:443" target="_blank">http://192.168.10.6:443</a>> >>>> ipa: DEBUG: Caught fault 4203 from server >>>> <a href="http://ipa-server.internal/ipa/xml" target="_blank">http://ipa-server.internal/ipa/xml</a>: Can't contact LDAP server: TLS >>>> error >>>> -8172:Peer's certificate issuer has been marked as not trusted by the >>>> user. >>>> ipa: DEBUG: Destroyed connection context.xmlclient >>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's >>>> certificate issuer has been marked as not trusted by the user. >>>> >>>> >>>> I am trying to work out which certificate is not trusted and how I >>>> should make it trusted. Any help would be appreciated. >>> >>> I suspect you're going to need to add the CA that issued your LDAP >>> server certificate to the IPA Apache NSS certificate database (where >>> our admin framework runs). >>> >>> You'd add it something like this: >>> >>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a < >>> /path/to/ca.crt >>> >>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special >>> about this, it just needs to be unique. Use something meaningful to >>> you. >>> >>> Then restart the httpd service and try the migration again. >>> >>> I don't know if we've tested using ldaps, so if my suggestion works >>> can you let us know? >> >> IMO the migrate-ds command should have additional argument to point to >> the cert file to use for connection. >> Then the framework should get the cert and import it into the store >> itself. >> >> Rob, do you agree that this would be a valid RFE? > > Yup, certainly something that would make things easier. > > rob > <a href="https://fedorahosted.org/freeipa/ticket/3243" target="_blank">https://fedorahosted.org/freeipa/ticket/3243</a> -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote></div>