[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

Rob Crittenden rcritten at redhat.com
Wed May 29 18:09:13 UTC 2013


John Moyer wrote:
> Rob,
>
> 	MyIPA I believe was installed by IPA.  I did everything you suggested, the below is what it looks like now.
>
>
> --------
> certutil -d /etc/httpd/alias -L -h internal
>
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> MyIPA                                                        u,u,u
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>
> ----------
>
> I'm still getting the following when I try to restart the dirsrv:
>
> /etc/init.d/dirsrv restart
> Shutting down dirsrv:
>      EXAMPLE-COM...                                [  OK  ]
>      PKI-IPA...                                             [  OK  ]
> Starting dirsrv:
>      EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>                                                             [  OK  ]
>      PKI-IPA...                                             [  OK  ]

You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as 
well.

>
> I'm also getting the following when I  try to add a server to IPA:
>
> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: ip-10-133-38-119.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
>
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.

The client installer downloads the CA cert from LDAP, so make sure you 
have the GoDaddy CA in LDAP.

rob
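The two fixes Rob describes above are the same check applied in two places: every NSS database that 389-ds or httpd reads must mark the Go Daddy chain with the "C" (trusted CA) flag, or NSS rejects the issuer with error -8172 at startup. The script below is an added example, not code from the thread or from FreeIPA: it takes the text of a `certutil -L` listing, reports the CA nicknames that still lack the CA trust flag, and prints the `certutil -M` commands that would set them. The listing it parses is constructed to mirror the one in the thread but with the Go Daddy certificates left untrusted, and the instance directory `/etc/dirsrv/slapd-EXAMPLE-COM` is assumed from the standard 389-ds instance naming for the `EXAMPLE-COM` instance shown in the restart output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the trust flags in a
# certutil -L listing and emit the commands needed to trust the issuing CAs.

# Constructed sample listing.  It mirrors the httpd NSS database shown in the
# thread, but with both Go Daddy certificates carrying empty trust (",,")
# instead of "CT,,", which is the state that produces NSS error -8172
# ("Peer's certificate issuer has been marked as not trusted by the user").
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
'

# untrusted_cas LISTING
# Prints, one per line, the nickname of every certificate whose SSL trust field
# (first comma-separated field) has no "C" flag.  Entries flagged "u" are the
# server's own certificate with a private key and are skipped: they are not
# expected to be trusted as a CA.
untrusted_cas() {
    printf '%s\n' "$1" | awk '
        /^Certificate Nickname/ || /SSL,S\/MIME/ || /^[ \t]*$/ { next }
        {
            trust = $NF                       # last token is the trust string
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)   # everything before it is the nickname
            split(trust, f, ",")
            if (f[1] ~ /u/) next              # our own cert, has a private key
            if (f[1] !~ /C/) print nick       # not a trusted SSL CA
        }'
}

# fix_commands DBDIR LISTING
# For each untrusted CA in LISTING, print the certutil -M invocation that marks
# it as a trusted SSL CA ("CT,,") in the NSS database DBDIR.
fix_commands() {
    db=$1
    untrusted_cas "$2" | while IFS= read -r nick; do
        printf 'certutil -d %s -M -n "%s" -t "CT,,"\n' "$db" "$nick"
    done
}

# Stand-alone run: show what would have to be done to the dirsrv database
# (assumed path for the EXAMPLE-COM instance) if its listing looked like the sample.
fix_commands /etc/dirsrv/slapd-EXAMPLE-COM "$SAMPLE_LISTING"
```

To use it against a real database, replace `SAMPLE_LISTING` with `$(certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L)` and repeat for `/etc/httpd/alias`; after running the printed `certutil -M` commands, `certutil -d <db> -L` should show `CT,,` on both Go Daddy entries and the dirsrv restart should start cleanly. For the client-join failure, the separate check is whether the CA the client downloads from LDAP is the Go Daddy chain the server now presents; on IPA of this vintage that entry is assumed to be `cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com`, which `ldapsearch -x -b "cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com"` will print for inspection.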
