Ok, so the ipa-server-certinstall script seems to be where things did not work as I perhaps expected them to.
I manually put the certificates in the dirsrv cert db, and the web interface cert db. The ipa-replica-manage script uses replication.py, which declares CACERT="/usr/share/ipa/html/ca.crt". It looks like this is where the error is being caused. The certificate there is still the original "IPA Test Certificate Authority". If I point it to the DigiCertCA.crt (which should work), OR the AD-ca.crt file, I get the same error as originally mentioned when running 'ipa-replica-manage list'. If I comment out the CACERT variable it does as expected:

unexpected error: global name 'CACERT' is not defined

So, can someone give me some advice about where else it may be reading the certificate from, or how I can do things "the proper way" for IPA? Thanks!

On Tue, Jan 11, 2011 at 9:54 AM, [email protected] <[email protected]> wrote:
> Hi all,
>
> It seems something broke somewhere along the lines when I was trying to
> set up Windows Sync. Please take a look at the following outputs. I can
> connect both directions manually via SSL, but the actual ipa-replica-manage
> script seems to be pulling certs from somewhere else. The current sync
> between ipaserver-01 & ipaserver-02 is working fine. If anyone has any
> suggestions, I would be open to them. Thanks!
>
> example.local = active directory domain
> example.com = ipa realm
> -----
>
> [r...@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>
> Certificate Nickname                                Trust Attributes
>                                                     SSL,S/MIME,JAR/XPI
>
> DigiCertCA                                          CT,,C
> AD CA cert                                          CT,,C
> ipaserver-01                                        u,u,u
>
> #-----
> # everything looks right
> #-----
>
> [r...@ipaserver-01 ~]#
> [r...@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D "[email protected]" -w 'notrealpassword' -s base -b "" "objectclass=*"
> version: 1
> dn:
> currentTime: 20110111153848.0Z
> ...
> ...
> supportedControl: 1.2.840.113556.1.4.1948
> supportedControl: 1.2.840.113556.1.4.1974
> supportedControl: 1.2.840.113556.1.4.1341
> supportedControl: 1.2.840.113556.1.4.2026
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> ...
> ...
> dnsHostName: adserver-01.example.local
> ldapServiceName: example.local:[email protected]
> ...
> ...
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 3
> forestFunctionality: 3
> domainControllerFunctionality: 3
> [r...@ipaserver-01 ~]#
>
> #-----
> # good valid results for the query [reduced for clarity]
> #-----
>
>
> [r...@ipaserver-01 ~]# ipa-replica-manage list
> Directory Manager password:
> unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
> [r...@ipaserver-01 ~]#
>
> #-----
> # welp, it looks like something is broken somewhere..
> #-----
>
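The failure in the thread comes down to a single question: does the server certificate presented by the AD side chain to the CA file the client was told to trust? ipa-replica-manage answers it with the file named by CACERT, while the manual ldapsearch answered it with the NSS database, which is why one works and the other does not. The script below is an added example, not code from the thread or from FreeIPA, that reproduces that dependency offline: it generates two throwaway CAs (the names "ipa-ca" and "ad-ca" are constructed stand-ins for the thread's IPA and AD CAs), issues a server certificate from only one of them, and shows that `openssl verify` succeeds against the issuing CA and fails against the other. It assumes the openssl CLI is installed; all key and certificate material is generated at run time in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA: it shows
# how the result of certificate verification depends entirely on which CA
# file the client is told to trust, which is the check ipa-replica-manage
# makes with the file named by CACERT. All certificates are throwaway test
# material generated here; "ipa-ca" and "ad-ca" are constructed stand-ins
# for the IPA and AD CAs in the thread. Assumes the openssl CLI is present.
set -e

WORK="$(mktemp -d)"   # remove with: rm -rf "$WORK" when finished

# make_ca NAME: create a self-signed throwaway CA as NAME.crt / NAME.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_server_cert CA: issue a server certificate signed only by CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=adserver-01.example.local" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_result CA: print "ok" when server.crt chains to CA.crt, "fail"
# otherwise. "fail" is the offline counterpart of the thread's
# "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
verify_result() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca ipa-ca
make_ca ad-ca
make_server_cert ad-ca   # the "AD" server cert is issued by ad-ca only

echo "verify against ad-ca:  $(verify_result ad-ca)"   # ok
echo "verify against ipa-ca: $(verify_result ipa-ca)"  # fail
```

Point verify_result at whichever CA file a client is configured to trust and the answer tells you in advance whether that client's TLS handshake to the server will pass certificate verification; a bundle containing both CAs, checked the same way, is how a single CACERT-style file can be made to serve both directions.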
