[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall
John Moyer
john.moyer at digitalreasoning.com
Tue Jun 11 14:07:59 UTC 2013
So this is what I did and how it went afterwards:
[root@nssdb]# ln -s /usr/lib64/libnssckbi.so libnssckbi.so
[root@nssdb]# ls -la
total 132
drwxr-xr-x 2 root root 4096 Jun 11 13:50 .
drwxr-xr-x 8 root root 4096 Jun 11 13:50 ..
-rw-r--r-- 1 root root 65536 Jan 12 2010 cert8.db
-rw-r--r-- 1 root root 9216 Jan 12 2010 cert9.db
-rw-r--r-- 1 root root 16384 Jan 12 2010 key3.db
-rw-r--r-- 1 root root 11264 Jan 12 2010 key4.db
lrwxrwxrwx 1 root root 24 Jun 11 13:50 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r--r-- 1 root root 451 Jan 10 02:13 pkcs11.txt
-rw-r--r-- 1 root root 16384 Jan 12 2010 secmod.db
[root@nssdb]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "blah" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@nssdb]#
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 4:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> John Moyer wrote:
>> Rob,
>>
>> Do you mean doing this? If not let me know.
>>
>> [root@pki]# ls -la
>> total 32
>> drwxr-xr-x 8 root root 4096 Jun 10 20:23 .
>> drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
>> drwxr-xr-x 6 root root 4096 Mar 4 22:22 CA
>> drwxr-xr-x 2 root root 4096 Jul 11 2012 java
>> lrwxrwxrwx 1 root root 24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
>> drwxr-xr-x 2 root root 4096 Jun 10 18:05 nssdb.orig
>> drwxr-xr-x 2 root root 4096 Mar 21 15:19 rpm-gpg
>> drwx------ 2 root root 4096 Feb 22 05:07 rsyslog
>> drwxr-xr-x 5 root root 4096 Mar 21 15:18 tls
>
> No, you need to link the shared library into the nssdb directory. nssdb should contain 3 db files, cert8, key3 and secmod. This is the common NSS db that the client uses.
>
>> After I did that I tried to enroll this system and got the same error.
>>
>> The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the server which is the CA Cert gotten from godaddy. You also had me change this into a der version of the Cert (using openssl) and jam that into the Directory server.
>
> Right but which one, there are two.
>
> rob
>
>>
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> Digital Reasoning Systems, Inc.
>> John.Moyer at digitalreasoning.com
>> Office: 703.678.2311
>> Mobile: 240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>>
>> On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> John Moyer wrote:
>>>> Rob,
>>>>
>>>> I think you had me look at that already. This is the output from certutil on that:
>>>>
>>>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>>>
>>>> Certificate Nickname Trust Attributes
>>>> SSL,S/MIME,JAR/XPI
>>>>
>>>> MyIPA u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>>>
>>> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of these?
>>>
>>> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to enrollment?
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> Dmitri,
>>>>
>>>> This is the same issue I've been having for a while, other things were wrong before all of them stemmed from putting in the Godaddy signed cert.
>>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>>
>>>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>>>> I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log.
>>>>>>
>>>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
>>>>>
>>>>> Is this the same issue we are discussing on the devel list?
>>>>> The intermediate CA case?
>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> _____________________________________________________
>>>>>> John Moyer
>>>>>> Director, IT Operations
>>>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>>>>
>>>>>>> Rob,
>>>>>>>
>>>>>>> Sorry for the late response I tried the following
>>>>>>>
>>>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>>>> certutil: certificate is valid
>>>>>>>
>>>>>>> After this I tried to add a machine and got the same error:
>>>>>>>
>>>>>>> [root@ ~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: server.example.com
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>>>
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>>>
>>>>>>> Any additional suggestions?
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>> Director, IT Operations
>>>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>
>>>>>>>> John Moyer wrote:
>>>>>>>>> Rob,
>>>>>>>>>
>>>>>>>>> MyIPA I believe was installed by IPA. I did everything you suggested, the below is what it looks like now.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------
>>>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>>>
>>>>>>>>> Certificate Nickname Trust Attributes
>>>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>>>
>>>>>>>>> MyIPA u,u,u
>>>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>>>>>>>>>
>>>>>>>>> ----------
>>>>>>>>>
>>>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>>>
>>>>>>>>> /etc/init.d/dirsrv restart
>>>>>>>>> Shutting down dirsrv:
>>>>>>>>> EXAMPLE-COM... [ OK ]
>>>>>>>>> PKI-IPA... [ OK ]
>>>>>>>>> Starting dirsrv:
>>>>>>>>> EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>>>> [ OK ]
>>>>>>>>> PKI-IPA... [ OK ]
>>>>>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
>>>>>>>>
>>>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>>>>
>>>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>>> DNS Domain: example.com
>>>>>>>>> IPA Server: server.example.com
>>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>>>
>>>>>>>>> Synchronizing time with KDC...
>>>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>>>>>
>>>>>>>>> Installation failed. Rolling back changes.
>>>>>>>>> IPA client is not configured on this system.
>>>>>>>> The client installer downloads the CA cert from LDAP, so make sure you have the GoDaddy CA in LDAP.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager for IdM portfolio
>>>>> Red Hat Inc.
>>>>>
>>>>>
>>>>> -------------------------------
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
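The thread turns on the trust flags shown in the certutil listings: the server cert (MyIPA) is `u,u,u`, and the two Go Daddy CAs must carry `C` in the SSL column of the `SSL,S/MIME,JAR/XPI` trust string in every NSS database that validates the chain (httpd's alias directory, each dirsrv instance, and the client's /etc/pki/nssdb). The script below is an added example, not code from the thread or from FreeIPA; it parses `certutil -L` output and reports which CA entries are trusted to issue server certificates and which are present but carry no SSL trust. That second state is what produced the `-8172` (untrusted issuer) error on the dirsrv restart earlier in the thread. The sample listing is constructed, and the "Some Old Intermediate" entry is invented to show the untrusted case.

```shell
#!/bin/sh
# Parse "certutil -d <dir> -L" output and classify entries by SSL trust.
# Trust strings have the form "SSL,S/MIME,JAR/XPI"; only the first field
# matters for server-certificate chain validation. "C" = trusted CA for SSL,
# "u" = our own cert (private key present), empty = present but not trusted.

tab=$(printf '\t')

# list_entries: read certutil -L output on stdin, print "SSLFLAGS<TAB>NICKNAME"
# for each certificate line, skipping the two header lines and blank lines.
list_entries() {
    awk '
        NF < 2 { next }                                  # blank, or lone "SSL,S/MIME,JAR/XPI" header
        $1 == "Certificate" && $2 == "Nickname" { next } # column header
        {
            split($NF, f, ",")          # trust column is the last whitespace-separated field
            ssl = f[1]
            $NF = ""                    # drop the trust column ...
            sub(/[ \t]+$/, "")          # ... and the padding that preceded it
            printf "%s\t%s\n", (ssl == "" ? "-" : ssl), $0
        }'
}

# ssl_trusted_cas: nicknames whose SSL trust field contains C, i.e. CAs this
# database will accept as issuers of a peer's server certificate.
ssl_trusted_cas() {
    list_entries | awk -F "$tab" 'index($1, "C") > 0 { print $2 }'
}

# ssl_untrusted_cas: entries that are neither our own certs (u) nor SSL-trusted
# CAs (C). An issuer in this state is found by NSS but rejected, which is the
# "issuer has been marked as not trusted" (-8172) failure.
ssl_untrusted_cas() {
    list_entries | awk -F "$tab" 'index($1, "C") == 0 && index($1, "u") == 0 { print $2 }'
}

# issuer_trusted NICKNAME: exit 0 if NICKNAME is an SSL-trusted CA in the listing
# on stdin. Use it with the nickname of the CA that actually signed the server
# cert (the intermediate, for a Go Daddy-issued cert), not just the root.
issuer_trusted() {
    ssl_trusted_cas | grep -qxF -- "$1"
}

# Constructed sample in the shape of the listings quoted in the thread.
# "Some Old Intermediate" is invented to show a CA imported without trust flags.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
Some Old Intermediate                                        ,,
'

echo "SSL-trusted CAs:"
printf '%s\n' "$SAMPLE_LISTING" | ssl_trusted_cas
echo "Present but NOT trusted for SSL (will give -8172 if used as issuer):"
printf '%s\n' "$SAMPLE_LISTING" | ssl_untrusted_cas
if printf '%s\n' "$SAMPLE_LISTING" | issuer_trusted "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc."; then
    echo "intermediate is trusted: OK"
fi
```

Against a live database, pipe the real listing in instead of the sample, e.g. `certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L | ssl_untrusted_cas`, and repeat for `/etc/httpd/alias` and the client's `/etc/pki/nssdb`; any nickname printed is a CA that was imported but never given `C` trust with `certutil -M ... -t CT,,`. The `-h internal` token in one of the quoted listings is not special: `certutil -L` output keeps the same two-line header and last-column trust string, so the parser applies unchanged.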