[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Rob Crittenden rcritten at redhat.com
Mon Jun 10 18:58:02 UTC 2013


John Moyer wrote:
> I don't know if this helps, but this is the log I'm getting from the IPA server's Apache error log.
>
> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate

Apache has its own certificate database in /etc/httpd/alias. Perhaps try 
the same commands against it.

rob

>
>
> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>
>> Rob,
>>
>> 	Sorry for the late response I tried the following
>>
>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>> certutil: certificate is valid
>>
>> After this I tried to add a machine and got the same error:
>>
>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: server.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>>
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Any additional suggestions?
>>
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> John Moyer wrote:
>>>> Rob,
>>>>
>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>
>>>>
>>>> --------
>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> MyIPA                                                        u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>
>>>> ----------
>>>>
>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>
>>>> /etc/init.d/dirsrv restart
>>>> Shutting down dirsrv:
>>>>     EXAMPLE-COM...                                [  OK  ]
>>>>     PKI-IPA...                                             [  OK  ]
>>>> Starting dirsrv:
>>>>     EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>                                                            [  OK  ]
>>>>     PKI-IPA...                                             [  OK  ]
>>>
>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
>>>
>>>>
>>>> I'm also getting the following when I  try to add a server to IPA:
>>>>
>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>> Realm: EXAMPLE.COM
>>>> DNS Domain: example.com
>>>> IPA Server: server.example.com
>>>> BaseDN: dc=example,dc=com
>>>>
>>>> Synchronizing time with KDC...
>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>>
>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>
>>> rob
>>>
>>
>
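The check Rob describes, that the GoDaddy chain must carry CA trust in every NSS database the IPA server uses (/etc/httpd/alias as well as the /etc/dirsrv/slapd-* instance), can be scripted. The following is an added example, not code from the thread or from FreeIPA: it parses `certutil -L -d <db>` listings in the format quoted above and reports, per database, which CA of the chain is missing or present without the C (trusted SSL CA) flag, and whether the server certificate is there with its private key. The database paths, the dirsrv instance name EXAMPLE-COM, the nickname list and the two sample listings are constructed assumptions mirroring the thread.

```python
"""Check that every NSS database an IPA server uses trusts the CA chain
that issued its server certificate (added example, not FreeIPA code).

Parses `certutil -L -d <dbdir>` output: each certificate line ends in a
trust-attribute token of the form SSL,S/MIME,JAR/XPI (e.g. "CT,,").
"""
import re
import subprocess

# NSS databases named in the thread; the dirsrv instance name is an
# assumption matching the thread's EXAMPLE-COM realm.
NSS_DBS = ["/etc/httpd/alias", "/etc/dirsrv/slapd-EXAMPLE-COM"]

# Issuer chain nicknames as they appear in the thread's listing.
CHAIN = [
    "Go Daddy Class 2 Certification Authority - ValiCert, Inc.",
    "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.",
]
SERVER_NICK = "MyIPA"

# A valid trust token: three comma-separated groups of NSS trust flags.
_TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue                      # blank line or a one-token header line
        nick, trust = parts
        if not _TRUST_RE.match(trust):
            continue                      # header line ("Trust Attributes")
        certs[nick.strip()] = tuple(trust.split(","))
    return certs


def check_db(certs, chain, server_nick):
    """Return a list of problems; empty means the chain is trusted for SSL here."""
    problems = []
    for ca in chain:
        if ca not in certs:
            problems.append(f"CA {ca!r} is not in the database")
        elif "C" not in certs[ca][0]:
            # Present but untrusted: exactly the state that makes dirsrv
            # report the issuer as "not trusted by the user".
            problems.append(f"CA {ca!r} lacks the C (trusted SSL CA) flag: "
                            f"trust is {','.join(certs[ca])}")
    if server_nick not in certs:
        problems.append(f"server cert {server_nick!r} is not in the database")
    elif "u" not in certs[server_nick][0]:
        problems.append(f"server cert {server_nick!r} has no private key: "
                        f"trust is {','.join(certs[server_nick])}")
    return problems


def list_db(dbdir):
    """Run the real certutil against an NSS database and return its listing."""
    return subprocess.run(["certutil", "-L", "-d", dbdir],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample listings. The first mirrors the /etc/httpd/alias
# listing quoted in the thread; the second is a hypothetical dirsrv
# database where one CA was imported without -t CT,, and the other is absent.
HTTPD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

DIRSRV_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
"""


def main():
    for dbdir in NSS_DBS:
        try:
            listing = list_db(dbdir)
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            print(f"{dbdir}: cannot list ({exc})")
            continue
        problems = check_db(parse_listing(listing), CHAIN, SERVER_NICK)
        status = "OK" if not problems else "PROBLEMS"
        print(f"{dbdir}: {status}")
        for p in problems:
            print(f"  - {p}")


if __name__ == "__main__":
    main()
```

This only inspects trust flags; `certutil -V -u V -d <db> -n MyIPA`, as run in the thread, remains the authoritative check because it also walks the chain and validity dates. Run the script on the server after importing the chain into each database, and remember Rob's last point: the client installer fetches the CA certificate from LDAP, so the chain also has to be present there, not just in the two local NSS databases.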