[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Rob Crittenden rcritten at redhat.com
Fri May 24 20:17:38 UTC 2013


John Moyer wrote:
> So I did that, and it executed perfectly (went back and checked that it did indeed replace the value as expected).  I got on the machine I was trying to add and got this:
>
> root@ ~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: blah.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
>
> Synchronizing time with KDC...
> The CA cert available from the IPA server does not match the
> local certificate available at /etc/ipa/ca.crt
> Existing CA cert:
>      Subject:     CN=Certificate Authority,O=EXAMPLE.COM
>      Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
>      Valid From:  Wed Mar 02 18:52:05 2013 UTC
>      Valid Until: Sun Mar 02 18:52:05 2033 UTC
>
> Retrieved CA cert:
>      Subject:     CN=*.example.com,OU=Domain Control Validated,O=*.example.com
>      Issuer:      serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>      Valid From:  Thu Dec 01 14:57:49 2011 UTC
>      Valid Until: Sun Dec 01 14:57:49 2013 UTC
>
> Cannot obtain CA certificate
> 'ldap://server.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Then I tried to change the local machine's /etc/ipa/ca.crt to match the server.  I then got this:

Next time you can just remove /etc/ipa/ca.crt. The client will fetch an 
updated one. This is fixed upstream.

> [root@]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: blah.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
>
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.

You replaced the web server cert as well, right? And restarted Apache?

rob

>
>
> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
>
>
> On May 24, 2013, at 3:11 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> John Moyer wrote:
>>> So unfortunately a rebuild would be less than optimal for me, lots of servers and users.  So I've tried Dmitri's idea of ldapi and I got the access to LDAP now, however I may be going about this entire thing wrong.   I created an LDIF file that looks like this:
>>>
>>> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
>>> changetype: modify
>>> replace: cacert
>>> cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
>>>
>>> Then I ran the following:
>>>
>>> ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif
>>>
>>> and I get the following error:
>>>
>>> Enter LDAP Password:
>>> modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
>>> ldap_modify: Object class violation (65)
>>> 	additional info: attribute "cacert" not allowed
>>>
>>
>> The attribute you want is caCertificate. What you need to do is convert your CA cert from PEM format to DER:
>>
>> openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER
>>
>> Then use this ldif:
>>
>> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
>> changetype: modify
>> replace: cacertificate;binary
>> cacertificate;binary:< file:///tmp/ca.der
>>
>> That should do it.
>>
>> rob
>
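Added example, not from the thread or from FreeIPA itself: a Python script that produces the same caCertificate;binary replacement LDIF Rob describes (with the DER value inlined as base64 instead of read from /tmp/ca.der), reads it back, and reproduces the comparison ipa-client-install makes between the local /etc/ipa/ca.crt and the CA cert the server publishes. The certificate bytes are a constructed placeholder, not a real certificate; in practice pem_to_der would be fed the contents of /etc/ipa/ca.crt.

```python
import base64
import hashlib
import ssl

# Constructed placeholder standing in for a real DER certificate. It is not a
# valid X.509 structure; it only exercises the PEM/DER/LDIF encoding paths.
SAMPLE_DER = bytes(range(0x30, 0x40)) * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)  # what /etc/ipa/ca.crt holds


def pem_to_der(pem_text: str) -> bytes:
    """Same conversion as `openssl x509 -in ca.crt -outform DER`."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def _fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines begin with one space."""
    parts = [line[:width]]
    for i in range(width, len(line), width - 1):
        parts.append(" " + line[i:i + width - 1])
    return "\n".join(parts)


def cacert_replace_ldif(pem_text: str, suffix: str = "dc=example,dc=com") -> str:
    """LDIF equivalent of Rob's snippet, with the DER value inlined as base64
    ('::') instead of read from a file (':<'), so it can be applied anywhere."""
    value = base64.b64encode(pem_to_der(pem_text)).decode("ascii")
    return "\n".join([f"dn: cn=cacert,cn=ipa,cn=etc,{suffix}", "changetype: modify",
                      "replace: cacertificate;binary",
                      _fold("cacertificate;binary:: " + value), "-", ""])


def ldif_cacert_der(ldif_text: str) -> bytes:
    """Unfold the LDIF and return the DER bytes of its caCertificate value."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    for line in lines:
        if line.lower().startswith("cacertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError("no cacertificate;binary value in LDIF")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint: the reliable way to compare two certificates."""
    return hashlib.sha256(der).hexdigest()


def ca_matches(local_pem: str, published_der: bytes) -> bool:
    """The check ipa-client-install performs: local /etc/ipa/ca.crt against the
    CA cert the server publishes. False means the stale local copy should be
    removed before retrying the install."""
    return fingerprint(pem_to_der(local_pem)) == fingerprint(published_der)
```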