<div dir="ltr">On 7 May 2013 16:50, Martin Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 05/07/2013 04:51 AM, Peter Brown wrote:<br>
> On 6 May 2013 17:07, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a><br>
</div><div class="im">> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>> wrote:<br>
><br>
> I am glad you got it working. Just for the record, CRL and OCSP revocation<br>
> URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2 that<br>
> will make it work again.<br>
><br>
><br>
> Thanks for the heads up Martin.<br>
> I will likely upgrade to 3.2 once Fedora 19 is released.<br>
><br>
> I am going to assume my 3.1 clients will be compatible?<br>
<br>
</div>Yes, this is a correct assumption. BTW we are just in the process of testing and<br>
releasing the FreeIPA 3.1.4 bugfix release for Fedora 18, which will also contain<br>
the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4<br>
when it is released is appreciated.<br></blockquote><div><br></div><div>Awesome.<br></div><div>I shall install them and let you know how I go.<br><br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Martin<br>
<div class="im"><br>
><br>
><br>
><br>
> More information can be found out in FreeIPA.org wiki:<br>
> <a href="http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs" target="_blank">http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs</a><br>
><br>
> Relevant upstream ticket:<br>
> <a href="https://fedorahosted.org/freeipa/ticket/3552" target="_blank">https://fedorahosted.org/freeipa/ticket/3552</a><br>
><br>
> Martin<br>
><br>
> On 04/29/2013 06:59 AM, Peter Brown wrote:<br>
> > I finally got this to work.<br>
> ><br>
> > I managed to get an error message that told me it couldn't check the<br>
> revocation<br>
> > of the certificates against a crl.<br>
> > I tried to find out how to tell java where to find that crl but I<br>
> > discovered these options instead to tell java to not check a crl.<br>
> > -Dcom.sun.net.ssl.checkRevocation=false<br>
> > -Dcom.sun.security.enableCRLDP=false<br>
> ><br>
> ><br>
> > On 26 April 2013 18:30, Petr Viktorin <<a href="mailto:pviktori@redhat.com">pviktori@redhat.com</a><br>
> <mailto:<a href="mailto:pviktori@redhat.com">pviktori@redhat.com</a>><br>
</div><div><div class="h5">> > <mailto:<a href="mailto:pviktori@redhat.com">pviktori@redhat.com</a> <mailto:<a href="mailto:pviktori@redhat.com">pviktori@redhat.com</a>>>> wrote:<br>
> ><br>
> > Hello,<br>
> ><br>
> ><br>
> > On 04/26/2013 07:22 AM, Peter Brown wrote:<br>
> ><br>
> > Hi everyone.<br>
> ><br>
> > I am attempting to get Google Apps to sync with FreeIPA and I am<br>
> having<br>
> > problems getting the sync utility to talk to freeipa.<br>
> > It complains about the ssl cert.<br>
> > I have it set up so it only accepts ssl or tls encrypted<br>
> connections and<br>
> > I don't want to turn that off.<br>
> > I have imported the ca cert using the jre's keytool but it still<br>
> refuses<br>
> > to connect.<br>
> > I am getting the impression I need to import the ssl cert for the<br>
> ldap<br>
> > server into it as well.<br>
> ><br>
> ><br>
> > The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other<br>
> > certs. Make sure you import it with the right trust level (SSL<br>
> certificate<br>
> > signing). Unfortunately I don't know about jre's keytool so I can't<br>
> be more<br>
> > specific.<br>
> ><br>
> ><br>
> ><br>
> > I have no idea which certificate that is and I have no idea how to<br>
> > export it.<br>
> ><br>
> ><br>
> > Do not do this. You should only explicitly trust the CA cert.<br>
> > For example, if you trust the certs explicitly you'd have to<br>
> re-import them<br>
> > one by one when they are renewed.<br>
> ><br>
> ><br>
> > Can someone please tell me how to do this?<br>
> ><br>
> ><br>
> > If you really want to:<br>
> > There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one<br>
> > for the LDAP server.<br>
> > To export the httpd server certificate (to PEM):<br>
> > $ certutil -L -d /etc/httpd/alias -n Server-Cert -a<br>
> > To export the directory server certificate (to PEM):<br>
> > $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a<br>
> > But again, you don't need this for what you're trying to do.<br>
> ><br>
> > --<br>
> > Petr³<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Freeipa-users mailing list<br>
</div></div>> > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br>
> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> ><br>
><br>
><br>
<br>
</blockquote></div><br></div></div>
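<div>The procedure the thread arrives at, as an added example that is not code from the thread's authors, from FreeIPA or from Google: import only the FreeIPA CA cert (/etc/ipa/ca.crt) into a Java truststore with keytool, as Petr advises, list the CRL and OCSP URIs the LDAP server certificate actually carries (so a broken URI can be fixed rather than worked around), and assemble the JVM properties for the sync tool, with the two revocation-disabling properties from Peter's message available as an explicitly opt-in stop-gap. The host name ipa.example.test, the truststore path, the store password, the alias ipa-ca and the sync tool jar name are placeholders assumed for illustration; keytool, openssl and a reachable IPA server are needed only for the "run" path.</div>

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or Google.
# Assumed placeholders: LDAP_HOST, TRUSTSTORE, STOREPASS, alias ipa-ca.
set -eu

IPA_CA=${IPA_CA:-/etc/ipa/ca.crt}                 # the FreeIPA CA cert Petr points to
LDAP_HOST=${LDAP_HOST:-ipa.example.test}          # assumed host name
TRUSTSTORE=${TRUSTSTORE:-${HOME:-/tmp}/ipa-truststore.jks}
STOREPASS=${STOREPASS:-changeit}                  # assumed; keytool's well-known default

# 1. Trust the CA only, never the per-service certs (they change on renewal).
import_ipa_ca() {
    keytool -importcert -noprompt -trustcacerts \
        -alias ipa-ca -file "$IPA_CA" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    # The listing should show the alias as a trustedCertEntry.
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias ipa-ca
}

# 2. Which CRL / OCSP URIs does the LDAP server cert actually carry?
#    Java fetches these when revocation checking is on, so an unreachable
#    URI is the thing to fix before reaching for the -D workaround.
#    Reads `openssl x509 -text` output on stdin; prints one URI per line
#    (CRL Distribution Points and the OCSP responder, not CA Issuers).
extract_revocation_uris() {
    sed -n 's/^[[:space:]]*\(OCSP - \)\{0,1\}URI:\(.*\)$/\2/p'
}

show_ldap_revocation_uris() {
    openssl s_client -connect "$LDAP_HOST:636" -servername "$LDAP_HOST" \
        -CAfile "$IPA_CA" </dev/null 2>/dev/null \
      | openssl x509 -noout -text \
      | extract_revocation_uris
}

# 3. JVM options for the sync tool. With "1" as the argument the two
#    properties from the thread are appended; they switch revocation
#    checking off altogether, so treat that as a stop-gap until the fixed
#    CRL/OCSP URIs (FreeIPA 3.2 / 3.1.4) are in place, then drop it.
jvm_tls_args() {
    args="-Djavax.net.ssl.trustStore=$TRUSTSTORE"
    args="$args -Djavax.net.ssl.trustStorePassword=$STOREPASS"
    if [ "${1:-0}" = 1 ]; then
        args="$args -Dcom.sun.net.ssl.checkRevocation=false"
        args="$args -Dcom.sun.security.enableCRLDP=false"
    fi
    printf '%s\n' "$args"
}

# Run the real procedure only when asked (needs keytool, openssl, network):
#   sh ipa-java-trust.sh run
if [ "${1:-}" = run ]; then
    import_ipa_ca
    show_ldap_revocation_uris
    echo "java $(jvm_tls_args 0) -jar <sync-tool.jar>"
fi
```

<div>Import the CA with the default (no-argument) options first; only if the URIs printed by show_ldap_revocation_uris are unreachable fall back to jvm_tls_args 1, and remove it again once the server is on a release with the corrected CRL/OCSP URIs, since with those two properties set a revoked server certificate is accepted silently.</div>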