[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall
John Moyer
john.moyer at digitalreasoning.com
Mon Jun 10 19:36:59 UTC 2013
Rob,
I think you had me look at that already. This is the output from certutil on that:
[root@ ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
MyIPA u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
Dmitri,
This is the same issue I've been having for a while, other things were wrong before all of them stemmed from putting in the Godaddy signed cert.
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 06/10/2013 02:17 PM, John Moyer wrote:
>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>
>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>
> Is this the same issue we are discussing on the devel list?
> The intermediate CA case?
>
>>
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>
>>> Rob,
>>>
>>> Sorry for the late response I tried the following
>>>
>>> [root at etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>> [root at etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>> [root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>> certutil: certificate is valid
>>>
>>> After this I tried to add a machine and got the same error:
>>>
>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: server.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>>
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> Any additional suggestions?
>>>
>>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>> Director, IT Operations
>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>>> John Moyer wrote:
>>>>> Rob,
>>>>>
>>>>> MyIPA I believe was installed by IPA. I did everything you suggested, the below is what it looks like now.
>>>>>
>>>>>
>>>>> --------
>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>
>>>>> Certificate Nickname Trust Attributes
>>>>> SSL,S/MIME,JAR/XPI
>>>>>
>>>>> MyIPA u,u,u
>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>>>>>
>>>>> ----------
>>>>>
>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>
>>>>> /etc/init.d/dirsrv restart
>>>>> Shutting down dirsrv:
>>>>> EXAMPLE-COM... [ OK ]
>>>>> PKI-IPA... [ OK ]
>>>>> Starting dirsrv:
>>>>> EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>> [ OK ]
>>>>> PKI-IPA... [ OK ]
>>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
>>>>
>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>
>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>>
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>
>>>> rob
>>>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list