[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Tue Jun 11 14:07:59 UTC 2013


So this is what I did and how it went afterwards: 

[root at nssdb]# ln -s /usr/lib64/libnssckbi.so libnssckbi.so
[root at nssdb]# ls -la
total 132
drwxr-xr-x 2 root root  4096 Jun 11 13:50 .
drwxr-xr-x 8 root root  4096 Jun 11 13:50 ..
-rw-r--r-- 1 root root 65536 Jan 12  2010 cert8.db
-rw-r--r-- 1 root root  9216 Jan 12  2010 cert9.db
-rw-r--r-- 1 root root 16384 Jan 12  2010 key3.db
-rw-r--r-- 1 root root 11264 Jan 12  2010 key4.db
lrwxrwxrwx 1 root root    24 Jun 11 13:50 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r--r-- 1 root root   451 Jan 10 02:13 pkcs11.txt
-rw-r--r-- 1 root root 16384 Jan 12  2010 secmod.db
[root at nssdb]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "blah" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ nssdb]#

Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 4:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> John Moyer wrote:
>> Rob,
>> 
>> 	Do you mean doing this?  If not let me know.
>> 
>> [root at pki]# ls -la
>> total 32
>> drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
>> drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
>> drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
>> drwxr-xr-x  2 root root 4096 Jul 11  2012 java
>> lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
>> drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
>> drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
>> drwx------  2 root root 4096 Feb 22 05:07 rsyslog
>> drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls
> 
> No, you need to link the shared library into the nssdb directory. nssdb should contain 3 db files, cert8, key3 and secmod. This is the common NSS db that the client uses.
> 
>> After I did that I tried to enroll this system and got the same error.
>> 
>> The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the server which is the CA Cert gotten from godaddy.   You also had me change this into a der version of the Cert (using openssl) and jam that into the Directory server.
> 
> Right but which one, there are two.
> 
> rob
> 
>> 
>> 
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> Digital Reasoning Systems, Inc.
>> John.Moyer at digitalreasoning.com
>> Office:	703.678.2311
>> Mobile:	240.460.0023
>> Fax:		703.678.2312
>> www.digitalreasoning.com
>> 
>> On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> 
>>> John Moyer wrote:
>>>> Rob,
>>>> 
>>>> 	I think you had me look at that already.   This is the output from certutil on that:
>>>> 
>>>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>>> 
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>> 
>>>> MyIPA                                                        u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>> 
>>> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of these?
>>> 
>>> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to enrollment?
>>> 
>>> rob
>>> 
>>>> 
>>>> 
>>>> 
>>>> Dmitri,
>>>> 
>>>> 	This is the same issue I've been having for a while; other things were wrong before, and all of them stemmed from putting in the Godaddy signed cert.
>>>> 
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>> 
>>>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>> 
>>>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>>>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>>>>> 
>>>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>>>> 
>>>>> Is this the same issue we are discussing on the devel list?
>>>>> The intermediate CA case?
>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> _____________________________________________________
>>>>>> John Moyer
>>>>>> Director, IT Operations
>>>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>>>> 
>>>>>>> Rob,
>>>>>>> 
>>>>>>> 	Sorry for the late response. I tried the following:
>>>>>>> 
>>>>>>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>>>> [root at etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>>>> [root at etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>>>> certutil: certificate is valid
>>>>>>> 
>>>>>>> After this I tried to add a machine and got the same error:
>>>>>>> 
>>>>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: server.example.com
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>> 
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>>>> 
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>>> 
>>>>>>> Any additional suggestions?
>>>>>>> 
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>> Director, IT Operations
>>>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>> 
>>>>>>>> John Moyer wrote:
>>>>>>>>> Rob,
>>>>>>>>> 
>>>>>>>>> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --------
>>>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>>> 
>>>>>>>>> Certificate Nickname                                         Trust Attributes
>>>>>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>>>>> 
>>>>>>>>> MyIPA                                                        u,u,u
>>>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>>>>>> 
>>>>>>>>> ----------
>>>>>>>>> 
>>>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>>> 
>>>>>>>>> /etc/init.d/dirsrv restart
>>>>>>>>> Shutting down dirsrv:
>>>>>>>>>   EXAMPLE-COM...                                [  OK  ]
>>>>>>>>>   PKI-IPA...                                             [  OK  ]
>>>>>>>>> Starting dirsrv:
>>>>>>>>>   EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>>>>                                                          [  OK  ]
>>>>>>>>>   PKI-IPA...                                             [  OK  ]
>>>>>>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
>>>>>>>> 
>>>>>>>>> I'm also getting the following when I  try to add a server to IPA:
>>>>>>>>> 
>>>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>>> DNS Domain: example.com
>>>>>>>>> IPA Server: server.example.com
>>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>>> 
>>>>>>>>> Synchronizing time with KDC...
>>>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>>>>>>>>> 
>>>>>>>>> Installation failed. Rolling back changes.
>>>>>>>>> IPA client is not configured on this system.
>>>>>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>>>>> 
>>>>>>>> rob
>>>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> 
>>>>> 
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>> 
>>>>> Sr. Engineering Manager for IdM portfolio
>>>>> Red Hat Inc.
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
> 
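As an added example (not part of the thread, and not FreeIPA's own tooling), this script builds a throwaway root -> intermediate -> server chain with openssl and reproduces the thread's failure mode: a trust file holding only one of the two CA certs (the intermediate alone, or the root alone) cannot verify the server cert, while a file carrying both does. All names are constructed stand-ins for the GoDaddy root, the GoDaddy intermediate and the IPA server certificate; only the openssl command line is assumed.

```shell
#!/bin/sh
# Build a disposable three-tier chain and check which trust files verify the leaf.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certs; without CA:TRUE openssl rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Constructed root CA (stands in for "Go Daddy Class 2 Certification Authority").
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1

# Constructed intermediate (stands in for "Go Daddy Secure Certification Authority").
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# Constructed server cert (stands in for the "MyIPA" certificate).
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.com" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out server.pem >/dev/null 2>&1

# A ca.crt-style bundle that carries the whole chain: intermediate followed by root.
cat inter.pem root.pem > chain.pem

# verify_with <trust-file>: exit 0 when server.pem chains to a trusted root found in
# the file, non-zero otherwise (the same check libcurl/NSS fail on the client).
verify_with() {
  openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
}

# Stand-alone run: report each candidate trust file.
for f in inter.pem root.pem chain.pem; do
  if verify_with "$f"; then echo "$f: server cert verifies"; else echo "$f: verification FAILS"; fi
done
```

Only the bundle containing both CA certs passes, which is why the single DER file pushed into LDAP has to be the right one of the two, or better the full chain.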