[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Rob Crittenden rcritten at redhat.com
Mon Jun 10 20:42:29 UTC 2013


John Moyer wrote:
> Rob,
>
> 	Do you mean doing this?  If not let me know.
>
> [root@pki]# ls -la
> total 32
> drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
> drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
> drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
> drwxr-xr-x  2 root root 4096 Jul 11  2012 java
> lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
> drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
> drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
> drwx------  2 root root 4096 Feb 22 05:07 rsyslog
> drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls

No, you need to link the shared library into the nssdb directory. nssdb 
should contain 3 db files, cert8, key3 and secmod. This is the common 
NSS db that the client uses.

> After I did that I tried to enroll this system and got the same error.
>
> The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the server which is the CA Cert gotten from godaddy.   You also had me change this into a der version of the Cert (using openssl) and jam that into the Directory server.

Right, but which one? There are two.

rob

>
>
> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc.
> John.Moyer at digitalreasoning.com
> Office:	703.678.2311
> Mobile:	240.460.0023
> Fax:		703.678.2312
> www.digitalreasoning.com
>
> On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> John Moyer wrote:
>>> Rob,
>>>
>>> 	I think you had me look at that already.   This is the output from certutil on that:
>>>
>>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                               SSL,S/MIME,JAR/XPI
>>>
>>> MyIPA                                                        u,u,u
>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>
>> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of these?
>>
>> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to enrollment?
>>
>> rob
>>
>>>
>>>
>>>
>>> Dmitri,
>>>
>>> 	This is the same issue I've been having for a while; other things were wrong before, all of them stemmed from putting in the Godaddy signed cert.
>>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>> Director, IT Operations
>>>
>>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>>>>
>>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>>>
>>>> Is this the same issue we are discussing on the devel list?
>>>> The intermediate CA case?
>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> Director, IT Operations
>>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>>>
>>>>>> Rob,
>>>>>>
>>>>>> 	Sorry for the late response I tried the following
>>>>>>
>>>>>> [root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>>> [root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>>> certutil: certificate is valid
>>>>>>
>>>>>> After this I tried to add a machine and got the same error:
>>>>>>
>>>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>> Hostname: server.example.com
>>>>>> Realm: EXAMPLE.COM
>>>>>> DNS Domain: example.com
>>>>>> IPA Server: server.example.com
>>>>>> BaseDN: dc=example,dc=com
>>>>>>
>>>>>> Synchronizing time with KDC...
>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>>>
>>>>>> Installation failed. Rolling back changes.
>>>>>> IPA client is not configured on this system.
>>>>>>
>>>>>> Any additional suggestions?
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> _____________________________________________________
>>>>>> John Moyer
>>>>>> Director, IT Operations
>>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>
>>>>>>> John Moyer wrote:
>>>>>>>> Rob,
>>>>>>>>
>>>>>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>>>>>
>>>>>>>>
>>>>>>>> --------
>>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>>
>>>>>>>> Certificate Nickname                                         Trust Attributes
>>>>>>>>                                                             SSL,S/MIME,JAR/XPI
>>>>>>>>
>>>>>>>> MyIPA                                                        u,u,u
>>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>>>>>
>>>>>>>> ----------
>>>>>>>>
>>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>>
>>>>>>>> /etc/init.d/dirsrv restart
>>>>>>>> Shutting down dirsrv:
>>>>>>>>    EXAMPLE-COM...                                [  OK  ]
>>>>>>>>    PKI-IPA...                                             [  OK  ]
>>>>>>>> Starting dirsrv:
>>>>>>>>    EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>>>                                                           [  OK  ]
>>>>>>>>    PKI-IPA...                                             [  OK  ]
>>>>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
>>>>>>>
>>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>>>
>>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>> DNS Domain: example.com
>>>>>>>> IPA Server: server.example.com
>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>>
>>>>>>>> Synchronizing time with KDC...
>>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>>>>>
>>>>>>>> Installation failed. Rolling back changes.
>>>>>>>> IPA client is not configured on this system.
>>>>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio
>>>> Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
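Added example, not code from the thread, FreeIPA or NSS: a small Python script that parses the certutil -L listings shown above and applies the rule NSS uses when it verifies a server certificate for SSL, so the failures in this thread can be told apart offline. The walk goes from the leaf up the issuers and succeeds at the first CA whose SSL trust column carries the C flag; an issuer that is in the database without C gives the "issuer has been marked as not trusted" (-8172) failure from the dirsrv log, and an issuer that is not available at all cannot be chained (the client that holds only a root and is not sent the intermediate). The first listing is copied from the thread. The "dirsrv before the trust change" listing, the client listing holding only the Go Daddy root, the leaf-to-root order of the three nicknames, and the idea that the peer supplies the server certificate during the TLS handshake are assumptions made for the example; the builtin roots that linking libnssckbi.so into /etc/pki/nssdb makes available are modelled here simply as the root being present in the client listing with C trust.

```python
"""Model of how NSS trust flags decide whether a server cert verifies.

Added example for the thread above; not FreeIPA or NSS code.  It parses
`certutil -d <db> -L` output (the listing format shown in the thread) and
applies the trust rule NSS uses for SSL server verification.  The chain
order and the second and third listings are constructed for the example.
"""
import re

# A trust string is three comma-separated flag groups: SSL, S/MIME, JAR/XPI.
# Flags: C = trusted CA for SSL servers, T = trusted CA for SSL clients,
# c = valid CA, p/P = (trusted) peer, u = user cert with a private key.
TRUST_RE = re.compile(r"^[CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*$")


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output.

    Nicknames may contain spaces and commas, so the trust string is taken from
    the last whitespace-separated token; header lines never match TRUST_RE.
    """
    certs = {}
    for line in text.splitlines():
        nick, _, trust = line.rstrip().rpartition(" ")
        if TRUST_RE.match(trust) and nick.strip():
            certs[nick.strip()] = tuple(trust.split(","))
    return certs


def has_private_key(certs, nick):
    """A service can only present a cert it holds the key for ('u' in the SSL column)."""
    return nick in certs and "u" in certs[nick][0]


def verify_chain(certs, chain, peer_supplied=()):
    """Walk `chain` (leaf first) the way NSS does for SSL server verification.

    A cert is available if it is in the database or was sent by the peer
    (`peer_supplied`); only database entries carry trust.  The walk succeeds
    at the first issuer whose SSL flags contain C.  A missing issuer ends
    chain building (unknown issuer); exhausting the chain without a C flag is
    the "issuer has been marked as not trusted" failure (-8172) seen in the
    dirsrv log of the thread.  Returns (ok, reason).
    """
    available = set(certs) | set(peer_supplied)
    if chain[0] not in available:
        return False, f"{chain[0]!r} is neither in the database nor sent by the peer"
    for issuer in chain[1:]:
        if issuer not in available:
            return False, f"unknown issuer: {issuer!r} is not available, chain cannot be built"
        if issuer in certs and "C" in certs[issuer][0]:
            return True, f"chain ends at trusted CA {issuer!r} ({','.join(certs[issuer])})"
    return False, "untrusted issuer: no CA in the chain carries the C flag in the SSL column"


def fix_commands(db_dir, certs, chain):
    """certutil -M commands (the form used in the thread) that give each issuer
    present in the database without C the CT,, trust; the leaf is left alone."""
    return [f'certutil -M -d {db_dir} -n "{issuer}" -t CT,,'
            for issuer in chain[1:]
            if issuer in certs and "C" not in certs[issuer][0]]


# Listing copied from the thread (/etc/httpd/alias after the trust change).
HTTPD_ALIAS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

# Constructed: the dirsrv database before the trust flags were applied there.
DIRSRV_BEFORE = HTTPD_ALIAS.replace("CT,,", ",,")

# Constructed: a client /etc/pki/nssdb that holds only the Go Daddy root.
CLIENT_ROOT_ONLY = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

# Assumed issuer order of the thread's certificates, leaf first.
CHAIN = [
    "MyIPA",
    "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.",
    "Go Daddy Class 2 Certification Authority - ValiCert, Inc.",
]

if __name__ == "__main__":
    for name, listing in (("httpd", HTTPD_ALIAS), ("dirsrv", DIRSRV_BEFORE)):
        certs = parse_certutil_listing(listing)
        ok, reason = verify_chain(certs, CHAIN)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}; key present: {has_private_key(certs, 'MyIPA')}")
        for cmd in fix_commands("/etc/dirsrv/slapd-EXAMPLE-COM", certs, CHAIN):
            print("  fix:", cmd)
    client = parse_certutil_listing(CLIENT_ROOT_ONLY)
    # Server sends only its own cert: the intermediate is nowhere to be found.
    print("client, leaf only:", verify_chain(client, CHAIN, peer_supplied=CHAIN[:1]))
    # Server sends leaf plus intermediate: the walk reaches the trusted root.
    print("client, leaf+intermediate:", verify_chain(client, CHAIN, peer_supplied=CHAIN[:2]))
```

The same walk explains the two sides of the thread: on the server, every NSS database a service uses (httpd's alias directory and each dirsrv instance) needs the C flag on an issuer in the chain, or the service logs -8172 at start-up; on the client, whatever ends up in /etc/ipa/ca.crt has to be a CA the server's chain actually reaches, and the server has to send the intermediate unless the client already holds it.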