[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Thu May 23 18:56:33 UTC 2013


Dmitri, 

Here are the corresponding answers, thanks for the quick response. 


1. ipa-client-3.0.0-26.el6_4.2.x86_64
2. 
[root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

3. 
2013-05-23T17:45:16Z DEBUG args=kinit builduser@EXAMPLE.COM
2013-05-23T17:45:16Z DEBUG stdout=Password for builduser@EXAMPLE.COM:

2013-05-23T17:45:16Z DEBUG stderr=
2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from ldap://server.example.com
2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are identical
2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
2013-05-23T17:45:16Z DEBUG stdout=
2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.

Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
John.Moyer at digitalreasoning.com
Office:	703.678.2311
Mobile:	240.460.0023
Fax:		703.678.2312
www.digitalreasoning.com

On May 23, 2013, at 2:50 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 05/23/2013 01:37 PM, John Moyer wrote:
>> 
>> So I found this page and followed it. The http daemon works great (no longer complains about not being the cert for my URL). However, now I can't bind any more servers to my IPA server. The current servers enrolled before I did this work great (and I can log in using my IPA credentials). However, I just can't add any more. Does anyone have any ideas? I tried removing the certs and that made it so I can't start httpd (so I put the cert back).
>> 
>> 
>> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>> 
>> Thanks, 
>> _____________________________________________________
>> John Moyer
> 
> We need more info:
> 
> 1) What version of the client?
> 2) What is the output of the ipa-client-install?
> 3) What does the client install log contain?
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.