Ok, so the ipa-server-certinstall script seems to be where things did not
work as I perhaps expected them to.

I manually put the certificates in the dirsrv cert db, and the web interface
cert db.  The ipa-replica-manage uses replication.py, which is declaring

CACERT="/usr/share/ipa/html/ca.crt"

It looks like this is where the error is being caused.  The certification
there is still the original "IPA Test Certificate Authority".  If I point it
to the DigiCertCA.crt (which should work), OR the AD-ca.crt file, I get the
same error as originally mentioned when running 'ipa-replica-manage list'.
If I comment out the CACERT variable it does as expected:  unexpected error:
global name 'CACERT' is not defined

So, can someone give me some advice about where else it may be reading the
certificate from, or how I can do things "the proper way" for IPA?

Thanks!

On Tue, Jan 11, 2011 at 9:54 AM, d...@killbrad.com <d...@killbrad.com>wrote:

> Hi all,
>
>   It seems something broke somewhere along the lines when I was trying to
> set up Windows Sync.  Please take a look at the following outputs.  I can
> connect both directions manually via SSL, but the actual ipa-replica-manage
> script seems to be pulling certs from somewhere else.  The current sync
> between ipaserver-01 & ipaserver-02 is working fine.  If anyone has any
> suggestions, I would be open to them.  Thanks!
>
> example.local = active directory domain
> example.com = ipa realm
> -----
>
> [r...@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> DigiCertCA                                                   CT,,C
> AD CA cert                                                   CT,,C
> ipaserver-01                                                 u,u,u
>
> #-----
> # everything looks right
> #-----
>
> [r...@ipaserver-01 ~]#
> [r...@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h
> adserver-01.example.local -p 636 -Z -P
> /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D "passs...@example.local" -w
> 'notrealpassword' -s base -b "" "objectclass=*"
> version: 1
> dn:
> currentTime: 20110111153848.0Z
> ...
> ...
> supportedControl: 1.2.840.113556.1.4.1948
> supportedControl: 1.2.840.113556.1.4.1974
> supportedControl: 1.2.840.113556.1.4.1341
> supportedControl: 1.2.840.113556.1.4.2026
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> ...
> ...
> dnsHostName: adserver-01.example.local
> ldapServiceName: example.local:adserver-...@example.local
> ...
> ...
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 3
> forestFunctionality: 3
> domainControllerFunctionality: 3
> [r...@ipaserver-01 ~]#
>
> #-----
> # good valid results for the query [reduced for clarity]
> #-----
>
>
> [r...@ipaserver-01 ~]# ipa-replica-manage list
> Directory Manager password:
> unexpected error: {'info': 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
> "Can't contact LDAP server"}
> [r...@ipaserver-01 ~]#
>
> #-----
> # welp, it looks like something is broken somewhere..
> #-----
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to