Hi,

Yes, it's an "intermediate CA". In the real world combining them is a huge issue, 
i.e. making a single joined certificate... It's not likely many sites would go to 
the pain to do that... I think you need to re-visit that assumption...

The older docs suggested a manual import of the root cert is possible?

regards
________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:27 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:14 PM, Steven Jones wrote:
> So I need 2 certificates?
No.
> and I have to manually add the root CA with certutil?
No.
> to the IPA master as a separate process?
No.

You only need the CA certificate for the CA that issued the MS AD server
certificate.
ipa-replica-manage ... --winsync ... --cacert=/path/to/msadca.cer
will add the CA.

If the MS CA is an intermediate CA, you should ask the administrator to
give you a single CA certificate file (base64 encoded) that contains the
intermediate CA and all of the parent CA up to the root CA.
> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 30 March 2011 9:05 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> Hi,
>>
>> My Windows person suggests because this is a self-signed cert, the client 
>> needs to be forced to trust it....?
> That's what we're doing here. You need to provide the CA that issued the
> SSL certificate for the AD server we're connecting to.
>
> I'm guessing they didn't give you the root CA cert.
>
> rob
>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> Steven Jones wrote:
>>> Got a bit further.......I was missing   "--passsync"
>> I think you were using the V1 documentation. The "Enterprise Identity
>> Management Guide" is what you want off freeipa.org in the Documentation
>> section.
>>
>>> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync 
>>> --binddn cn=administrator,cn=users,dc=ipa,dc=ac,dc=nz --bindpw Qsmith51B 
>>> --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
>>> required to create a winsync agreement
>>> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync 
>>> --binddn cn=administrator,cn=users,dc=ipa,dc=ac,dc=nz --bindpw Qsmith51B 
>>> --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer 
>>> dc0001.ipa.ac.nz -v
>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database 
>>> for fed14-64-ipam001.ipa.ac.nz
>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 
>>> 'desc': 'Connect error'}
>>> unexpected error: Failed to setup winsync replication
>>> [root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>> [root@fed14-64-ipam001 samba]#
>>>
>>> But still isn't working...
>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>> signed by an unknown issuer". Can you verify that you have the AD CA
>> certificate?
>>
>> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


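The two checks the thread turns on, "do you actually have the CA that issued the AD server certificate?" (Rob) and "if that CA is an intermediate, hand over one base64 file with the intermediate and every parent up to the root" (Rich), can be exercised locally before touching ipa-replica-manage. The script below is an added example written for this page; it is not from the original thread or from FreeIPA. It uses openssl(1) to construct a throwaway two-tier PKI (an "Example Root CA", an "Example Issuing CA", and a domain-controller certificate for the placeholder host dc0001.example.test; none of these are the real environment), then shows that the issuing CA alone, or the root alone, leaves the server certificate with an unknown issuer, which is the condition NSS reports as -8179, while the concatenated bundle verifies. Function names and the bundle file name are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA. Builds the
# single CA file (issuing CA plus every parent up to the root) and shows why
# the issuing CA alone is rejected as an unknown issuer. Requires openssl(1).
# All certificates are constructed locally as test data; the CA names and
# dc0001.example.test are placeholders, not the real environment.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc0001.example.test
EOF

# Two-tier PKI like a typical AD CS deployment: root -> issuing CA -> DC cert.
make_pki() {
  openssl req -new -x509 -config "$CNF" -extensions ca_ext -days 3650 \
    -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 \
    -extfile "$CNF" -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=dc0001.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -days 365 \
    -extfile "$CNF" -extensions leaf_ext -out "$WORK/server.pem" 2>/dev/null
}

# The file to hand to --cacert: issuing CA first, root last, plain PEM
# (base64 between BEGIN/END CERTIFICATE lines). Prints its path.
build_bundle() {
  cat "$@" > "$WORK/adca-bundle.pem"
  printf '%s\n' "$WORK/adca-bundle.pem"
}

# Subject of every certificate in a PEM file. openssl x509 reads only the
# first block, so split the file first.
bundle_subjects() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/c" n ".pem") }' "$1"
  for f in "$d"/c*.pem; do
    openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject=//'
  done
  rm -rf "$d"
}

# Rob's question: is the CA that issued the server certificate in this file?
issuer_in_file() {   # $1 = CA file, $2 = server certificate; prints yes/no
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$2" | sed 's/^issuer=//')
  if bundle_subjects "$1" | grep -Fxq -- "$iss"; then echo yes; else echo no; fi
}

# Does the server certificate chain to a self-signed root using only this
# file? "unknown-issuer" is what surfaces as TLS error -8179 in the log above.
check_chain() {      # $1 = CA file, $2 = server certificate; prints ok/unknown-issuer
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-issuer
  fi
}

make_pki
BUNDLE=$(build_bundle "$WORK/inter.pem" "$WORK/root.pem")
for caf in "$WORK/inter.pem" "$WORK/root.pem" "$BUNDLE"; do
  echo "$(basename "$caf"): issuer present=$(issuer_in_file "$caf" "$WORK/server.pem") chain=$(check_chain "$caf" "$WORK/server.pem")"
done
```

Note the middle case: inter.pem does contain the issuer of the server certificate, so it answers Rob's question with "yes", yet it still fails the chain check because nothing in the file is a self-signed root. That is exactly the situation Rich's advice covers, and it is why the file you pass to --cacert has to carry the whole path up to the root, not just the CA named in the server certificate's issuer field. Once ipa-replica-manage has imported the file, certutil -L -d on the directory server's NSS database directory is the place to confirm that both subjects landed there.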