[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Mon Jun 10 19:36:59 UTC 2013


Rob, 

	I think you had me look at that already. This is the output from certutil on that:

[root@ ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,



Dmitri, 

	This is the same issue I've been having for a while; other things were wrong before, but all of them stemmed from putting in the GoDaddy-signed cert.

Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations

On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 06/10/2013 02:17 PM, John Moyer wrote:
>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>> 
>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
> 
> Is this the same issue we are discussing on the devel list?
> The intermediate CA case?
> 
>> 
>> 
>> Thanks, 
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>> 
>>> Rob, 
>>> 
>>> 	Sorry for the late response I tried the following
>>> 
>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>> certutil: certificate is valid
>>> 
>>> After this I tried to add a machine and got the same error: 
>>> 
>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: server.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>> 
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>> 
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>> 
>>> Any additional suggestions?
>>> 
>>> 
>>> Thanks, 
>>> _____________________________________________________
>>> John Moyer
>>> Director, IT Operations
>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> 
>>>> John Moyer wrote:
>>>>> Rob,
>>>>> 
>>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>> 
>>>>> 
>>>>> --------
>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>> 
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                            SSL,S/MIME,JAR/XPI
>>>>> 
>>>>> MyIPA                                                        u,u,u
>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>> 
>>>>> ----------
>>>>> 
>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>> 
>>>>> /etc/init.d/dirsrv restart
>>>>> Shutting down dirsrv:
>>>>>   EXAMPLE-COM...                                [  OK  ]
>>>>>   PKI-IPA...                                             [  OK  ]
>>>>> Starting dirsrv:
>>>>>   EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>                                                          [  OK  ]
>>>>>   PKI-IPA...                                             [  OK  ]
>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
>>>> 
>>>>> I'm also getting the following when I  try to add a server to IPA:
>>>>> 
>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>> 
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>> 
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>> 
>>>> rob
>>>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 
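Added example, not code from the thread or from FreeIPA: a small Python check for the problem Rob points at, namely that the GoDaddy intermediate and root must be present with the `C` (trusted SSL CA) flag in every NSS database the IPA server uses, not just /etc/httpd/alias. It parses `certutil -d <dir> -L` listings, reports each issuer in the chain that is absent or present without `C` in the SSL column, and builds the `certutil` commands that would fix it. The two listings are constructed to mirror the thread (the dirsrv one deliberately has the intermediate with empty trust and the root missing); the `/path/to/ca.pem` in the `-A` command is a placeholder for wherever the GoDaddy CA bundle actually lives.

```python
import re
from typing import Dict, List

# Issuer chain for the leaf cert "MyIPA" in the thread:
# MyIPA <- GoDaddy Secure CA (intermediate) <- GoDaddy Class 2 (root).
GODADDY_INTERMEDIATE = "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc."
GODADDY_ROOT = "Go Daddy Class 2 Certification Authority - ValiCert, Inc."
ISSUER_CHAIN = [GODADDY_INTERMEDIATE, GODADDY_ROOT]

# Constructed sample listings (shape of `certutil -d <dir> -L`, not captured output).
HTTPD_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

DIRSRV_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
"""

# A row is "<nickname><spaces><SSL>,<S/MIME>,<JAR/XPI>". Nicknames may contain
# commas ("The Go Daddy Group, Inc."), so anchor on the trailing flag triple.
_ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<ssl>[pPcCTuw]*),(?P<smime>[pPcCTuw]*),(?P<jar>[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> SSL-column trust flags; header lines do not match the row regex."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.rstrip())
        if m:
            entries[m.group("nick")] = m.group("ssl")
    return entries


def chain_problems(entries: Dict[str, str], chain: List[str] = ISSUER_CHAIN) -> Dict[str, str]:
    """Why NSS in this database would refuse to validate the leaf for SSL.

    'C' in the SSL column marks a CA trusted to issue server certs. An issuer
    present without it is exactly the dirsrv failure in the thread
    (NSPR -8172, "issuer has been marked as not trusted"); an issuer that is
    absent means the chain cannot be built at all.
    """
    problems: Dict[str, str] = {}
    for nick in chain:
        flags = entries.get(nick)
        if flags is None:
            problems[nick] = "not in database"
        elif "C" not in flags:
            problems[nick] = "present but SSL trust is %r, needs C" % flags
    return problems


def remediation_commands(dbdir: str, problems: Dict[str, str]) -> List[str]:
    """certutil invocations that would repair each reported problem."""
    cmds: List[str] = []
    for nick, why in problems.items():
        if why == "not in database":
            # Placeholder PEM path: substitute the real GoDaddy CA bundle file.
            cmds.append('certutil -A -d %s -n "%s" -t CT,, -i /path/to/ca.pem' % (dbdir, nick))
        else:
            cmds.append('certutil -M -d %s -n "%s" -t CT,,' % (dbdir, nick))
    return cmds


def audit_databases(listings: Dict[str, str], chain: List[str] = ISSUER_CHAIN) -> Dict[str, Dict[str, str]]:
    """Check every NSS db; only databases with at least one problem are returned."""
    report: Dict[str, Dict[str, str]] = {}
    for dbdir, text in listings.items():
        problems = chain_problems(parse_certutil_listing(text), chain)
        if problems:
            report[dbdir] = problems
    return report


if __name__ == "__main__":
    report = audit_databases({
        "/etc/httpd/alias": HTTPD_LISTING,
        "/etc/dirsrv/slapd-EXAMPLE-COM": DIRSRV_LISTING,
    })
    for dbdir, problems in report.items():
        for nick, why in problems.items():
            print("%s: %s: %s" % (dbdir, nick, why))
        for cmd in remediation_commands(dbdir, problems):
            print("  fix: " + cmd)
```

On a real server the listings would come from running `certutil -d /etc/httpd/alias -L` and `certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L` and feeding the output in; after applying the printed commands, `certutil -V -u V -d <dir> -n MyIPA` in each database should report the certificate as valid, and the client installer still needs the same CA published in LDAP, which this check does not cover.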