[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Dmitri Pal dpal at redhat.com
Thu May 23 22:59:38 UTC 2013


On 05/23/2013 05:10 PM, John Moyer wrote:
> Rob, 
>
> I tried what you suggested on the client, and that did not work. I copied my cert over those two files you suggested; that was easy. However, is there a more manual way to change that LDAP setting you are talking about? The LDAP server is not letting me in because of the cert error. I see some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate those to match the new SSL cert nickname that is used in NSS for the GoDaddy cert, or turn off SSL so I can manipulate it?

I think if you run ldapmodify as Directory Manager on the server
machine using ldapi, you would be able to bypass the cert check.

>
>
>
> Thanks, 
> _____________________________________________________
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc
>
> On May 23, 2013, at 4:20 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> John Moyer wrote:
>>> Dmitri,
>>>
>>> Here are the corresponding answers, thanks for the quick response.
>>>
>>>
>>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>>> 2.
>>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: client.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>>
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>> transaction.  Peer certificate cannot be authenticated with known CA
>>> certificates
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> 3.
>>> 2013-05-23T17:45:16Z DEBUG args=kinit builduser@EXAMPLE.COM
>>> 2013-05-23T17:45:16Z DEBUG stdout=Password for builduser@EXAMPLE.COM:
>>>
>>> 2013-05-23T17:45:16Z DEBUG stderr=
>>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>>> ldap://server.example.com
>>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>>> identical
>>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
>>> 2013-05-23T17:45:16Z DEBUG stdout=
>>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>>> POST transaction.  Peer certificate cannot be authenticated with known
>>> CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>>> execute the HTTP POST transaction.  Peer certificate cannot be
>>> authenticated with known CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
>> You need to put the Go Daddy CA cert into LDAP in cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
>>
>> It looks like this isn't being done automatically by ipa-server-certinstall. I opened https://fedorahosted.org/freeipa/ticket/3641
>>
>> A quick fix would be to try this on the client machine before trying enrollment:
>>
>> # cd /etc/pki/nssdb/
>> # ln -s /usr/lib64/nss/libnssckbi.so .
>>
>> (or lib if a 32-bit machine)
>>
>> That will add the global bundle to the NSS database. Then re-try the enrollment, it may work.
>>
>> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
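As an added example (not code from the thread or from FreeIPA), a script that does what Dmitri suggests: it rewrites the CA certificate stored under cn=cacert,cn=ipa,cn=etc over the LDAPI unix socket, where the broken TLS certificate on the server is never consulted, and then installs the same PEM into the two files Rob named. The instance name EXAMPLE-COM, the base DN dc=example,dc=com and the PEM path /root/gd_bundle.crt are assumptions, as is the use of the `cACertificate;binary` attribute form.

```bash
#!/bin/bash
# Added example, not from the mailing-list thread. Assumptions: 389-ds instance
# slapd-EXAMPLE-COM, base DN dc=example,dc=com, GoDaddy CA PEM at /root/gd_bundle.crt.
set -euo pipefail

INSTANCE="${INSTANCE:-EXAMPLE-COM}"
BASEDN="${BASEDN:-dc=example,dc=com}"
CA_PEM="${CA_PEM:-/root/gd_bundle.crt}"
# The socket path is percent-encoded into the ldapi:// URL.
LDAPI_URL="ldapi://%2fvar%2frun%2fslapd-${INSTANCE}.socket"

# The body of a PEM certificate is already base64 of the DER encoding, which is
# exactly what LDIF's "attr:: <base64>" form expects, so no openssl round trip
# is needed. Only the FIRST certificate in the file is taken: the cn=cacert
# entry holds the single CA certificate clients should trust, not a chain.
pem_to_ldif_b64() {
  awk '/-----BEGIN CERTIFICATE-----/{inb=1;next}
       /-----END CERTIFICATE-----/{exit}
       inb{printf "%s",$0}' "$1"
}

# Build the LDIF that replaces the stored CA cert. $1 is the base64 DER.
build_ldif() {
  printf 'dn: cn=cacert,cn=ipa,cn=etc,%s\nchangetype: modify\nreplace: cACertificate;binary\ncACertificate;binary:: %s\n' \
    "$BASEDN" "$1"
}

main() {
  local b64
  b64="$(pem_to_ldif_b64 "$CA_PEM")"
  [ -n "$b64" ] || { echo "no certificate found in $CA_PEM" >&2; exit 1; }
  # Simple bind as Directory Manager over the local socket; -W prompts for the
  # password so it never lands in shell history or the process list.
  build_ldif "$b64" | ldapmodify -x -H "$LDAPI_URL" -D "cn=Directory Manager" -W
  # The files ipa-client-install and the web UI hand out to clients.
  install -m 0644 "$CA_PEM" /etc/ipa/ca.crt
  install -m 0644 "$CA_PEM" /usr/share/ipa/html/ca.crt
  echo "CA certificate replaced in LDAP and on disk; re-run ipa-client-install on the client."
}

# Run with "apply" as root on the IPA server to make the change.
case "${1:-}" in apply) main ;; esac
```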







