[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Moyer john.moyer at digitalreasoning.com
Thu May 23 21:10:05 UTC 2013


Rob, 

I tried what you suggested on the client, and that did not work. I copied my cert over those two files you suggested; that was easy. However, is there a more manual way to change that LDAP setting you are talking about? The LDAP server is not letting me in because of the cert error. I see some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate those to match the new SSL cert nickname that is used in NSS for the Godaddy cert, or to turn off SSL so I can manipulate it?



Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc

On May 23, 2013, at 4:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> John Moyer wrote:
>> Dmitri,
>> 
>> Here are the corresponding answers, thanks for the quick response.
>> 
>> 
>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>> 2.
>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: client.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction.  Peer certificate cannot be authenticated with known CA
>> certificates
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> 
>> 3.
>> 2013-05-23T17:45:16Z DEBUG args=kinit builduser@EXAMPLE.COM
>> 2013-05-23T17:45:16Z DEBUG stdout=Password for builduser@EXAMPLE.COM:
>> 
>> 2013-05-23T17:45:16Z DEBUG stderr=
>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>> ldap://server.example.com
>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>> identical
>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
>> 2013-05-23T17:45:16Z DEBUG stdout=
>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>> POST transaction.  Peer certificate cannot be authenticated with known
>> CA certificates
>> 
>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>> execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates
>> 
>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
> 
> You need to put the Go Daddy CA cert into LDAP in cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
> 
> It looks like this isn't being done automatically by ipa-server-certinstall. I opened https://fedorahosted.org/freeipa/ticket/3641
> 
> A quick fix would be to try this on the client machine before trying enrollment:
> 
> # cd /etc/pki/nssdb/
> # ln -s /usr/lib64/nss/libnssckbi.so .
> 
> (or lib if a 32-bit machine)
> 
> That will add the global bundle to the NSS database. Then re-try the enrollment, it may work.
> 
> rob
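The manual LDAP change Rob describes above (replacing the CA certificate stored under cn=CAcert,cn=ipa,cn=etc,&lt;suffix&gt; and refreshing /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt), worked as an added example that is not part of this thread and not FreeIPA's own code. It assumes the entry stores the certificate in DER form in the `cACertificate;binary` attribute and that the generated LDIF is applied afterwards with ldapmodify bound as Directory Manager; the certificate bytes embedded below are constructed placeholders, not a real certificate.

```python
"""Generate the LDIF and file updates needed to publish a replacement CA cert
in a FreeIPA deployment (added example; not project code).

Assumptions: cn=CAcert,cn=ipa,cn=etc,<suffix> holds the DER certificate in
cACertificate;binary, and the LDIF is applied separately, e.g.
    ldapmodify -x -D "cn=Directory Manager" -W -f cacert.ldif
"""
import base64
import re
import shutil
import sys
from pathlib import Path

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed placeholder bytes standing in for a real DER certificate.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM blob."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    # Strip the PEM line breaks, then decode strictly so junk is rejected.
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def ldif_for_cacert(pem: bytes, suffix: str) -> str:
    """Build an LDIF that replaces cACertificate;binary on the cn=CAcert entry."""
    der_b64 = base64.b64encode(pem_to_der(pem)).decode("ascii")
    # LDIF marks base64 values with '::'; continuation lines start with a space.
    folded = "\n ".join(der_b64[i:i + 76] for i in range(0, len(der_b64), 76))
    return (
        f"dn: cn=CAcert,cn=ipa,cn=etc,{suffix}\n"
        "changetype: modify\n"
        "replace: cACertificate;binary\n"
        f"cACertificate;binary:: {folded}\n"
    )


def der_from_ldif(ldif: str) -> bytes:
    """Round-trip check: unfold the LDIF and decode the value it would write."""
    unfolded = ldif.replace("\n ", "")
    for line in unfolded.splitlines():
        if line.startswith("cACertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no cACertificate;binary value in LDIF")


def install_ca_files(pem: bytes, paths=("/etc/ipa/ca.crt", "/usr/share/ipa/html/ca.crt")):
    """Write the PEM to the two locations Rob names, keeping a .bak of each."""
    written = []
    for p in paths:
        dst = Path(p)
        if dst.exists():
            shutil.copy2(dst, dst.with_name(dst.name + ".bak"))
        dst.write_bytes(pem)
        written.append(str(dst))
    return written


if __name__ == "__main__":
    # Usage: python publish_cacert.py godaddy-ca.pem dc=example,dc=com > cacert.ldif
    if len(sys.argv) != 3:
        sys.exit("usage: publish_cacert.py <ca.pem> <base-suffix>")
    pem_bytes = Path(sys.argv[1]).read_bytes()
    ldif_text = ldif_for_cacert(pem_bytes, sys.argv[2])
    assert der_from_ldif(ldif_text) == pem_to_der(pem_bytes)
    sys.stdout.write(ldif_text)
```

The script only emits the LDIF; applying it with ldapmodify and running `install_ca_files` on the server are deliberate separate steps, so the old value can be checked first with `ldapsearch -b cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com cACertificate` and the whole change reverted from the .bak copies if enrollment still fails.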