<div dir="ltr">On 6 May 2013 17:07, Martin Kosek <span dir="ltr"><<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I am glad you made it working. Just for the record, CRL and OCSP revocation<br> URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 3.2 that<br> will make it working again.<br></blockquote><div><br></div><div>Thanks for the heads up Martin.<br></div><div>I will likely upgrade to 3.2 once Fedora 19 is released.<br><br></div><div>I am going to assume my 3.1 clients will be compatible?<br> </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br> More information can be found out in FreeIPA.org wiki:<br> <a href="http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs" target="_blank">http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs</a><br> <br> Relevant upstream ticket:<br> <a href="https://fedorahosted.org/freeipa/ticket/3552" target="_blank">https://fedorahosted.org/freeipa/ticket/3552</a><br> <br> Martin<br> <div class="im"><br> On 04/29/2013 06:59 AM, Peter Brown wrote:<br> > I finally got this to work.<br> ><br> > I managed to get an error message that told me it couldn't check the revocation<br> > of the certificates against a crl.<br> > I tried to find out how to tell java where to find that crl but I these<br> > discovered these options instead to tell java to not check a crl.<br> > -Dcom.sun.net.ssl.checkRevocation=false<br> > -Dcom.sun.security.enableCRLDP=false<br> ><br> ><br> > On 26 April 2013 18:30, Petr Viktorin <<a href="mailto:pviktori@redhat.com">pviktori@redhat.com</a><br> </div><div><div class="h5">> <mailto:<a href="mailto:pviktori@redhat.com">pviktori@redhat.com</a>>> wrote:<br> ><br> > Hello,<br> ><br> ><br> > On 04/26/2013 07:22 AM, Peter Brown wrote:<br> ><br> > Hi everyone.<br> ><br> > I am attempting to get Google Apps to sync with FreeIPA and I am having<br> > problems getting the sync utility to talk to freeipa.<br> > It complains about the ssl cert.<br> > I have it setup so it only accepts ssl or tls encrypted connections and<br> > I don't want to turn that off.<br> > I have imported the ca cert using the jre's keytool but it still refuses<br> > to connect.<br> > I am getting the impression I need to import the ssl cert for the ldap<br> > server into it as well.<br> ><br> ><br> > The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other<br> > certs. Make sure you import it with the right trust level (SSL certificate<br> > signing). Unfortunately I don't know about jre's keytool so I can't be more<br> > specific.<br> ><br> ><br> ><br> > I have no idea which certificate that is and I have no idea how to<br> > export it.<br> ><br> ><br> > Do not do this. You should only explicitly trust the CA cert.<br> > For example, if you trust the certs explicitly you'd have to re-import them<br> > one by one when they are renewed.<br> ><br> ><br> > Can someone please tell me how to do this?<br> ><br> ><br> > If you really want to:<br> > There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one<br> > for the LDAP server.<br> > To export the httpd server certificate (to PEM):<br> > $ certutil -L -d /etc/httpd/alias -n Server-Cert -a<br> > To export the directory server certificate (to PEM):<br> </div></div>> $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE___NAME/ -n Server-Cert -a<br> <div class="im">> But again, you don't need this for what you're trying to do.<br> ><br> > --<br> > Petrł<br> ><br> ><br> ><br> ><br> </div>> _______________________________________________<br> > Freeipa-users mailing list<br> > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> ><br> <br> </blockquote></div><br></div></div>