[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Rob Crittenden rcritten at redhat.com
Thu May 23 20:20:48 UTC 2013


John Moyer wrote:
> Dmitri,
>
> Here are the corresponding answers, thanks for the quick response.
>
>
> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
> 2.
> [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: client.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
>
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction.  Peer certificate cannot be authenticated with known CA
> certificates
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> 3.
> 2013-05-23T17:45:16Z DEBUG args=kinit builduser@EXAMPLE.COM
> 2013-05-23T17:45:16Z DEBUG stdout=Password for builduser@EXAMPLE.COM:
>
> 2013-05-23T17:45:16Z DEBUG stderr=
> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
> ldap://server.example.com
> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
> identical
> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
> 2013-05-23T17:45:16Z DEBUG stdout=
> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
> POST transaction.  Peer certificate cannot be authenticated with known
> CA certificates
>
> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
> execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates
>
> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.

You need to put the Go Daddy CA cert into LDAP in 
cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate 
attribute. And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.

It looks like this isn't being done automatically by 
ipa-server-certinstall. I opened 
https://fedorahosted.org/freeipa/ticket/3641

A quick fix would be to try this on the client machine before trying 
enrollment:

# cd /etc/pki/nssdb/
# ln -s /usr/lib64/nss/libnssckbi.so .

(or lib if a 32-bit machine)

That will add the global bundle to the NSS database. Then re-try the 
enrollment; it may work.

rob
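As an added illustration (not code from this thread or from FreeIPA), the two things Rob describes as shell functions: checking that the two on-disk CA copies he names actually match, and adding the NSS builtin root module with the lib64/lib choice made explicit and the link left alone if it already exists. Paths are parameters so the functions can be tried against scratch directories; the default paths are the ones from the message.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# check_ca_copies: the message says the CA cert must live in both
#   /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt; compare the two files.
# link_builtin_roots: the workaround from the message (symlink libnssckbi.so
#   into the NSS db), trying the 64-bit path first, then the 32-bit one.

check_ca_copies() {
    a="${1:-/etc/ipa/ca.crt}"
    b="${2:-/usr/share/ipa/html/ca.crt}"
    for f in "$a" "$b"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    if cmp -s "$a" "$b"; then
        echo "CA copies identical"
        return 0
    fi
    echo "CA copies differ: $a vs $b" >&2
    return 1
}

link_builtin_roots() {
    nssdb="${1:-/etc/pki/nssdb}"
    [ -d "$nssdb" ] || { echo "no such nssdb: $nssdb" >&2; return 2; }
    if [ $# -gt 0 ]; then shift; fi
    # candidate module directories: lib64 on 64-bit, lib on 32-bit
    [ $# -gt 0 ] || set -- /usr/lib64/nss /usr/lib/nss
    for dir in "$@"; do
        lib="$dir/libnssckbi.so"
        [ -f "$lib" ] || continue
        target="$nssdb/libnssckbi.so"
        if [ -e "$target" ]; then
            echo "already present: $target"   # do not overwrite an existing link
            return 0
        fi
        ln -s "$lib" "$target" && echo "linked $target -> $lib"
        return $?
    done
    echo "libnssckbi.so not found under: $*" >&2
    return 1
}
```

Run `link_builtin_roots` as root with no arguments to apply the workaround to /etc/pki/nssdb; `check_ca_copies` with no arguments compares the two default files.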
