[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Rob Crittenden rcritten at redhat.com
Mon Jun 10 20:19:18 UTC 2013


John Moyer wrote:
> Rob,
>
> 	I think you had me look at that already.   This is the output from certutil on that:
>
> [root@ ~]# certutil -d /etc/httpd/alias -L
>
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> MyIPA                                                        u,u,u
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

What certificate does the client have in /etc/ipa/ca.crt? Is it either 
one of these?

Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior 
to enrollment?

rob
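Added example, not from the thread: a small stdlib-only Python check over a `certutil -L` listing like the ones quoted above. It parses the nickname and trust-attribute columns and flags CA entries whose SSL slot lacks the C/T flags, the condition behind the "Peer does not recognize and trust the CA" and -8172 errors in this thread. The untrusted intermediate line in the sample listing is constructed.

```python
"""Check a `certutil -L` listing for CA entries that are not marked trusted.

Trust attributes have three comma-separated slots: SSL, S/MIME, JAR/XPI.
The thread marks both GoDaddy CAs "CT,," (C = trusted CA for server certs,
T = trusted CA for client certs).  "u,u,u" is a cert with its private key
in the DB, i.e. the server's own certificate, not a CA.
"""
import re

# Constructed listing modelled on the `certutil -d /etc/httpd/alias -L`
# output quoted above; the last CA line is a constructed untrusted entry.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
Example Untrusted Intermediate CA (constructed)              ,,
"""

# Nickname (may contain spaces and commas), whitespace, then the trust
# string: three flag groups separated by exactly two commas, at end of line.
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} from `certutil -L` output."""
    entries = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m:  # header and blank lines do not match the trust pattern
            entries[m.group("nick")] = tuple(m.group("trust").split(","))
    return entries


def untrusted_cas(entries):
    """Nicknames of CA entries whose SSL slot lacks both C and T flags.

    Entries with 'u' in the SSL slot (own cert with private key) are skipped.
    """
    return [nick for nick, (ssl, _smime, _jar) in entries.items()
            if "u" not in ssl and not ("C" in ssl and "T" in ssl)]


def fix_command(nick, dbdir):
    """The `certutil -M` invocation used in the thread to mark a CA trusted."""
    return 'certutil -M -d %s -n "%s" -t CT,,' % (dbdir, nick)


if __name__ == "__main__":
    found = parse_certutil_listing(SAMPLE_LISTING)
    for nick in untrusted_cas(found):
        print(fix_command(nick, "/etc/dirsrv/slapd-EXAMPLE-COM/"))
```

Run it against `certutil -d <dbdir> -L` output for both /etc/httpd/alias and the dirsrv database, since the thread shows the trust change has to be applied to each NSS DB separately.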

>
>
>
> Dmitri,
>
> 	This is the same issue I've been having for a while. Other things were wrong before, but all of them stemmed from putting in the GoDaddy signed cert.
>
> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
>
> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>>
>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>
>> Is this the same issue we are discussing on the devel list?
>> The intermediate CA case?
>>
>>>
>>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>> Director, IT Operations
>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>
>>>> Rob,
>>>>
>>>> 	Sorry for the late response. I tried the following:
>>>>
>>>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>> [root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>> certutil: certificate is valid
>>>>
>>>> After this I tried to add a machine and got the same error:
>>>>
>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>> Hostname: server.example.com
>>>> Realm: EXAMPLE.COM
>>>> DNS Domain: example.com
>>>> IPA Server: server.example.com
>>>> BaseDN: dc=example,dc=com
>>>>
>>>> Synchronizing time with KDC...
>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>>>
>>>> Any additional suggestions?
>>>>
>>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>>> John Moyer wrote:
>>>>>> Rob,
>>>>>>
>>>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>>>
>>>>>>
>>>>>> --------
>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>
>>>>>> Certificate Nickname                                         Trust Attributes
>>>>>>                                                             SSL,S/MIME,JAR/XPI
>>>>>>
>>>>>> MyIPA                                                        u,u,u
>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>>>
>>>>>> ----------
>>>>>>
>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>
>>>>>> /etc/init.d/dirsrv restart
>>>>>> Shutting down dirsrv:
>>>>>>    EXAMPLE-COM...                                [  OK  ]
>>>>>>    PKI-IPA...                                             [  OK  ]
>>>>>> Starting dirsrv:
>>>>>>    EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>                                                           [  OK  ]
>>>>>>    PKI-IPA...                                             [  OK  ]
>>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
>>>>>
>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>
>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>> Realm: EXAMPLE.COM
>>>>>> DNS Domain: example.com
>>>>>> IPA Server: server.example.com
>>>>>> BaseDN: dc=example,dc=com
>>>>>>
>>>>>> Synchronizing time with KDC...
>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>>>
>>>>>> Installation failed. Rolling back changes.
>>>>>> IPA client is not configured on this system.
>>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>>
>>>>> rob
>>>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>
>
>