[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Mon Jun 10 20:32:00 UTC 2013


Rob, 

	Do you mean doing this?  If not let me know. 

[root at pki]# ls -la
total 32
drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
drwxr-xr-x  2 root root 4096 Jul 11  2012 java
lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
drwx------  2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls

After I did that, I tried to enroll this system and got the same error.

The cert that is in /etc/ipa/ca.crt is the same as the one that is on the server, which is the CA cert gotten from GoDaddy. You also had me change this into a DER version of the cert (using openssl) and jam that into the Directory Server.


Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
John.Moyer at digitalreasoning.com
Office:	703.678.2311
Mobile:	240.460.0023
Fax:		703.678.2312
www.digitalreasoning.com

On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> John Moyer wrote:
>> Rob,
>> 
>> 	I think you had me look at that already.   This is the output from certutil on that:
>> 
>> [root@ ~]# certutil -d /etc/httpd/alias -L
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> MyIPA                                                        u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
> 
> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of these?
> 
> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to enrollment?
> 
> rob
> 
>> 
>> 
>> 
>> Dmitri,
>> 
>> 	This is the same issue I've been having for a while; other things were wrong before, all of them stemmed from putting in the GoDaddy signed cert.
>> 
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> 
>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> 
>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>>> 
>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>> 
>>> Is this the same issue we are discussing on the devel list?
>>> The intermediate CA case?
>>> 
>>>> 
>>>> 
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>> 
>>>>> Rob,
>>>>> 
>>>>> 	Sorry for the late response; I tried the following:
>>>>> 
>>>>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>> [root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>> certutil: certificate is valid
>>>>> 
>>>>> After this I tried to add a machine and got the same error:
>>>>> 
>>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: server.example.com
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>> 
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>> 
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>>> 
>>>>> Any additional suggestions?
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> Director, IT Operations
>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>> 
>>>>>> John Moyer wrote:
>>>>>>> Rob,
>>>>>>> 
>>>>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>>>> 
>>>>>>> 
>>>>>>> --------
>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>> 
>>>>>>> Certificate Nickname                                         Trust Attributes
>>>>>>>                                                            SSL,S/MIME,JAR/XPI
>>>>>>> 
>>>>>>> MyIPA                                                        u,u,u
>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>>>> 
>>>>>>> ----------
>>>>>>> 
>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>> 
>>>>>>> /etc/init.d/dirsrv restart
>>>>>>> Shutting down dirsrv:
>>>>>>>   EXAMPLE-COM...                                [  OK  ]
>>>>>>>   PKI-IPA...                                             [  OK  ]
>>>>>>> Starting dirsrv:
>>>>>>>   EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>>                                                          [  OK  ]
>>>>>>>   PKI-IPA...                                             [  OK  ]
>>>>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
>>>>>> 
>>>>>>> I'm also getting the following when I  try to add a server to IPA:
>>>>>>> 
>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>> 
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>>>> 
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>>> 
>>>>>> rob
>>>>>> 
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> 
>>> 
>>> --
>>> Thank you,
>>> Dmitri Pal
>>> 
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
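The whole thread turns on the intermediate CA case Dmitri mentions: a client that trusts only the GoDaddy root cannot validate a server cert issued by the "Go Daddy Secure" intermediate unless that intermediate is also in the bundle the client uses (here /etc/ipa/ca.crt, which ipa-client-install fetches from LDAP). The script below is an added example, not from the thread or the FreeIPA project; it rebuilds that situation offline with a constructed throwaway root/intermediate/server chain and shows what `openssl verify` reports with and without the intermediate. It assumes only that `openssl` is in PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl in PATH.
# Builds a constructed root -> intermediate -> server chain in a temp dir
# (nothing touches real IPA or NSS databases) and shows that a trust
# bundle holding only the root fails to validate the server cert.
set -e
DEMO=$(mktemp -d)
cd "$DEMO"

# issue NAME.crt from NAME.csr, signed by ISSUER (self-signed when ISSUER is empty)
issue() {
  name=$1; issuer=$2; ext=$3
  printf '%s\n' "$ext" > "$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 1 -in "$name.csr" -signkey "$name.key" \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# constructed three-tier PKI mirroring the thread's layout:
# root ("Class 2") -> intermediate ("Secure CA") -> server ("MyIPA")
build_demo_pki() {
  for n in root int server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  issue root ""     "basicConstraints=critical,CA:TRUE"
  issue int  root   "basicConstraints=critical,CA:TRUE"
  issue server int  "basicConstraints=CA:FALSE"
  # a chain bundle (intermediate + root) is what /etc/ipa/ca.crt must carry
  cat int.crt root.crt > chain.crt
}

# verify_with BUNDLE: exit 0 only if server.crt validates against BUNDLE alone
verify_with() {
  openssl verify -CAfile "$1" server.crt >/dev/null 2>&1
}

build_demo_pki
verify_with root.crt  && echo "root only:  OK" || echo "root only:  FAIL (issuer not trusted)"
verify_with chain.crt && echo "with chain: OK" || echo "with chain: FAIL"
```

The "root only" failure is the openssl equivalent of the NSS -8172 / libcurl "cannot be authenticated with known CA certificates" errors in the thread; the fix on the IPA side is the same as chain.crt here: publish the intermediate alongside the root.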
