[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Dmitri Pal dpal at redhat.com
Mon Jun 10 18:30:18 UTC 2013


On 06/10/2013 02:17 PM, John Moyer wrote:
> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>
> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate

Is this the same issue we are discussing on the devel list?
The intermediate CA case?

>
>
> Thanks, 
> _____________________________________________________
> John Moyer
> Director, IT Operations
> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>
>> Rob, 
>>
>> 	Sorry for the late response, I tried the following
>>
>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>> [root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>> certutil: certificate is valid
>>
>> After this I tried to add a machine and got the same error: 
>>
>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: server.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>>
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Any additional suggestions?
>>
>>
>> Thanks, 
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> John Moyer wrote:
>>>> Rob,
>>>>
>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>
>>>>
>>>> --------
>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                             SSL,S/MIME,JAR/XPI
>>>>
>>>> MyIPA                                                        u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>
>>>> ----------
>>>>
>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>
>>>> /etc/init.d/dirsrv restart
>>>> Shutting down dirsrv:
>>>>    EXAMPLE-COM...                                [  OK  ]
>>>>    PKI-IPA...                                             [  OK  ]
>>>> Starting dirsrv:
>>>>    EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>                                                           [  OK  ]
>>>>    PKI-IPA...                                             [  OK  ]
>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
>>>
>>>> I'm also getting the following when I  try to add a server to IPA:
>>>>
>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>> Realm: EXAMPLE.COM
>>>> DNS Domain: example.com
>>>> IPA Server: server.example.com
>>>> BaseDN: dc=example,dc=com
>>>>
>>>> Synchronizing time with KDC...
>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>
>>> rob
>>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
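As an added example (not code from this thread or from the FreeIPA project): a POSIX shell audit that parses `certutil -L` output and reports CA entries whose SSL trust slot lacks the `C` (trusted CA) flag, then, when `certutil` is installed, runs the same `certutil -V -u V` check John used across every database given on the command line. That makes it easy to compare the /etc/httpd/alias and /etc/dirsrv/slapd-* stores Rob refers to in one pass, since each NSS database carries its own trust flags. The listing embedded in the script is constructed, modelled on John's output with the Class 2 root deliberately left untrusted; the function names and the database paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Audits NSS certificate databases for the failure seen in the thread:
# a server cert whose issuing CA is present but not marked trusted (no C flag).

# Constructed sample of `certutil -L` output, modelled on the listing in
# the thread; here the Class 2 root has been left with empty trust flags.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,'

# Read a certutil -L listing on stdin and print the nickname of every CA
# entry whose first (SSL) trust slot lacks C, i.e. it is not a trusted CA
# for server certificates. Entries with u in the SSL slot are the server's
# own key pairs (like MyIPA) and are skipped.
untrusted_cas() {
  awk '
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      split($NF, slot, ",")
      if (slot[1] ~ /u/) next
      if (slot[1] !~ /C/) {
        $NF = ""
        sub(/[ \t]+$/, "")
        print
      }
    }'
}

# Run the parser over the constructed sample so it can be exercised offline.
sample_untrusted() {
  printf '%s\n' "$SAMPLE_LISTING" | untrusted_cas
}

# Check live databases. $1 = server cert nickname, remaining args = NSS db dirs.
# Returns non-zero if any database has an untrusted CA or fails verification.
audit_nss_dbs() {
  nick=$1
  shift
  rc=0
  for db in "$@"; do
    if [ ! -d "$db" ]; then
      echo "skip: $db not found"
      continue
    fi
    missing=$(certutil -L -d "$db" | untrusted_cas)
    if [ -n "$missing" ]; then
      echo "$db: CA entries without the C flag in the SSL slot:"
      echo "$missing" | sed 's/^/  /'
      rc=1
    fi
    # -V -u V validates the cert for SSL server use against this db's trust,
    # which is the check dirsrv and httpd perform at startup.
    certutil -V -u V -d "$db" -n "$nick" || rc=1
  done
  return $rc
}

# Usage (paths assumed): sh audit-nss.sh --run MyIPA /etc/httpd/alias /etc/dirsrv/slapd-EXAMPLE-COM
if [ "${1:-}" = "--run" ]; then
  shift
  audit_nss_dbs "$@"
fi
```

Each NSS database is trusted independently, so a root marked `CT,,` in /etc/httpd/alias does nothing for dirsrv; running the audit over every directory at once shows which store still needs the `certutil -M ... -t CT,,` change.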