[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall
John Moyer
john.moyer at digitalreasoning.com
Mon Jun 10 20:32:00 UTC 2013
Rob,
Do you mean doing this? If not, let me know.
[root at pki]# ls -la
total 32
drwxr-xr-x 8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x 6 root root 4096 Mar 4 22:22 CA
drwxr-xr-x 2 root root 4096 Jul 11 2012 java
lrwxrwxrwx 1 root root 24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x 2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x 2 root root 4096 Mar 21 15:19 rpm-gpg
drwx------ 2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x 5 root root 4096 Mar 21 15:18 tls
After I did that, I tried to enroll this system and got the same error.
The cert in /etc/ipa/ca.crt is the same as the one on the server, which is the CA cert gotten from GoDaddy. You also had me change this into a DER version of the cert (using openssl) and jam that into the Directory Server.
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
John.Moyer at digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com
On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> John Moyer wrote:
>> Rob,
>>
>> I think you had me look at that already. This is the output from certutil on that:
>>
>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>>
>> MyIPA u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>
> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of these?
>
> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to enrollment?
>
> rob
>
>>
>>
>>
>> Dmitri,
>>
>> This is the same issue I've been having for a while; other things were wrong before, and all of them stemmed from putting in the GoDaddy-signed cert.
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>>
>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>>>
>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>>
>>> Is this the same issue we are discussing on the devel list?
>>> The intermediate CA case?
>>>
>>>>
>>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>>
>>>>> Rob,
>>>>>
>>>>> Sorry for the late response. I tried the following:
>>>>>
>>>>> [root at etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>> [root at etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>> [root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>> certutil: certificate is valid
>>>>>
>>>>> After this I tried to add a machine and got the same error:
>>>>>
>>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: server.example.com
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>>
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>>>
>>>>> Any additional suggestions?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> Director, IT Operations
>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>
>>>>>> John Moyer wrote:
>>>>>>> Rob,
>>>>>>>
>>>>>>> MyIPA I believe was installed by IPA. I did everything you suggested, the below is what it looks like now.
>>>>>>>
>>>>>>>
>>>>>>> --------
>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>
>>>>>>> Certificate Nickname Trust Attributes
>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>
>>>>>>> MyIPA u,u,u
>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>>>>>>>
>>>>>>> ----------
>>>>>>>
>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>
>>>>>>> /etc/init.d/dirsrv restart
>>>>>>> Shutting down dirsrv:
>>>>>>> EXAMPLE-COM... [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>>> Starting dirsrv:
>>>>>>> EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>> [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
>>>>>>
>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>>
>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>>>
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>>>
>>>>>> rob
>>>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>
>
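An added example, not part of the thread: a small Python checker that applies the diagnosis Rob gives above mechanically. It parses `certutil -L` listings for each NSS database and reports which CAs in the GoDaddy chain are absent or imported without the `C` trust flag (the condition behind the dirsrv -8172 "issuer has been marked as not trusted" error), then prints the `certutil -M` command that would fix each one. The listings are constructed from the nicknames in the thread; the dirsrv database contents are an assumption.

```python
import re
# Constructed sample listings modelled on the thread's certutil -L output; the
# dirsrv one is assumed (intermediate CA imported but never marked trusted).
HTTPD_ALIAS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""
DIRSRV_DB = """\
MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""
# Issuers of MyIPA as named in the thread, intermediate first.
GODADDY_CHAIN = ["Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.",
                 "Go Daddy Class 2 Certification Authority - ValiCert, Inc."]
# Nicknames are free text (spaces, commas), so anchor on the trust column: the
# last token, always shaped SSL,S/MIME,JAR/XPI (e.g. CT,, or u,u,u or ,,).
_ENTRY = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust flags from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Certificate Nickname") or line == "SSL,S/MIME,JAR/XPI":
            continue  # skip the two header lines and blank separators
        m = _ENTRY.match(line)
        if m:
            entries[m.group("nick")] = tuple(m.group("trust").split(","))
    return entries

def untrusted_cas(entries, chain):
    """Chain CAs absent from the db or lacking 'C' (trusted CA) in the SSL column;
    NSS rejects an issuer present without C (-8172), so ',,' is as bad as missing."""
    problems = {}
    for nick in chain:
        flags = entries.get(nick)
        if flags is None:
            problems[nick] = "missing"
        elif "C" not in flags[0]:
            problems[nick] = "untrusted:" + ",".join(flags)
    return problems

def fix_commands(db, problems):
    """certutil -M lines (the form used in the thread) setting CT,, on present-but-untrusted CAs."""
    return ['certutil -M -d %s -n "%s" -t CT,,' % (db, nick)
            for nick, why in problems.items() if why.startswith("untrusted")]
```

Run `untrusted_cas(parse_certutil_listing(DIRSRV_DB), GODADDY_CHAIN)` to see the intermediate flagged as `untrusted:,,`, and feed the result to `fix_commands` for the remediation line; a CA reported as `missing` has to be imported with `certutil -A` first.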