[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Mon Jun 10 13:52:35 UTC 2013 

Rob, 

	Sorry for the late response I tried the following

[root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
[root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid
 
After this I tried to add a machine and got the same error: 

[root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> John Moyer wrote:
>> Rob,
>> 
>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>> 
>> 
>> --------
>> certutil -d /etc/httpd/alias -L -h internal
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> MyIPA                                                        u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>> 
>> ----------
>> 
>> I'm still getting the following when I try to restart the dirsrv:
>> 
>> /etc/init.d/dirsrv restart
>> Shutting down dirsrv:
>>     EXAMPLE-COM...                                [  OK  ]
>>     PKI-IPA...                                             [  OK  ]
>> Starting dirsrv:
>>     EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>                                                            [  OK  ]
>>     PKI-IPA...                                             [  OK  ]
> 
> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
> 
>> 
>> I'm also getting the following when I  try to add a server to IPA:
>> 
>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: ip-10-133-38-119.ec2.internal
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
> 
> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
> 
> rob
>

More information about the Freeipa-users mailing list