On 11/06/2012 11:58 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 11/06/2012 08:07 AM, Rob Crittenden wrote:
>>> Tim Hughes wrote:
>>>>
>>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
>>>> ipa-server-2.2.0-16.el6.x86_64 with the following command
>>>>
>>>>
>>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue
>>>> --with-compat --base-dn=dc=custsvc,dc=mycompany
>>>> --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
>>>> --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>>>>
>>>>
>>>> I get the following response.
>>>>
>>>>
>>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>>> ipa: DEBUG: cert valid True for
>>>> "CN=ipa-server.internal,O=CO.MYCOMPANY"
>>>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
>>>> ipa: DEBUG: Caught fault 4203 from server
>>>> http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS
>>>> error
>>>> -8172:Peer's certificate issuer has been marked as not trusted by the
>>>> user.
>>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
>>>> certificate issuer has been marked as not trusted by the user.
>>>>
>>>>
>>>> I am trying to work out which certificate is not trusted and how I
>>>> should make it trusted. Any help would be appreciated.
>>>
>>> I suspect you're going to need to add the CA that issued your LDAP
>>> server certificate to the IPA Apache NSS certificate database (where
>>> our admin framework runs).
>>>
>>> You'd add it something like this:
>>>
>>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a < /path/to/ca.crt
>>>
>>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
>>> about this, it just needs to be unique. Use something meaningful to
>>> you.
>>>
>>> Then restart the httpd service and try the migration again.
>>>
>>> I don't know if we've tested using ldaps, so if my suggestion works
>>> can you let us know?
>>
>> IMO the migrate-ds command should have an additional argument to point to
>> the cert file to use for the connection.
>> Then the framework should get the cert and import it into the store
>> itself.
>>
>> Rob, do you agree that this would be a valid RFE?
>
> Yup, certainly something that would make things easier.
>
> rob
>
https://fedorahosted.org/freeipa/ticket/3243

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
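The thread's fix is to import the LDAP server's issuing CA into the Apache NSS database with certutil and then confirm it is there with the right trust flags. The script below is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` listing output (a constructed sample is embedded), checks whether a CA nickname carries the SSL "C" trust flag that the -8172 "issuer has been marked as not trusted" handshake error is complaining about, builds the equivalent import command (using certutil's `-i` instead of the thread's stdin redirection), and ties the two together in a small diagnosis. The nicknames in the sample listing and the hypothetical database path in `main` are assumptions.

```python
"""Check an NSS certificate DB listing for a CA trusted for SSL.

Added example (not from the thread or from FreeIPA). Parses `certutil -L`
output and reports whether a given CA nickname would satisfy the
"Peer's certificate issuer has been marked as not trusted" (-8172) error.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# certutil -L prints three comma-separated trust fields: SSL, S/MIME, JAR/XPI.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<trust>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$"
)
# Matches the NSS error code and message in the ipa debug/error output.
TLS_ERR_RE = re.compile(r"TLS error\s+(-?\d+):\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample of `certutil -L -d /etc/httpd/alias` after the CA
# from the thread was imported with -n 'LDAP CA' -t CT,C,C (nicknames assumed).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

LDAP CA                                                      CT,C,C
EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""

# Constructed sample of the error line quoted in the thread.
SAMPLE_LOG = (
    "ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's "
    "certificate issuer has been marked as not trusted by the user.\n"
)


def parse_listing(text: str) -> Dict[str, str]:
    """Map each nickname in a certutil -L listing to its trust attributes."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:  # header lines never match: "SSL,S/MIME,JAR/XPI" has other letters
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def ssl_ca_trusted(certs: Dict[str, str], nickname: str) -> bool:
    """True if the nickname is present with C (trusted CA) in the SSL field."""
    trust = certs.get(nickname)
    if trust is None:
        return False
    return "C" in trust.split(",")[0]


def find_tls_error(log_text: str) -> Optional[Tuple[int, str]]:
    """Extract (code, message) from an ipa 'TLS error -NNNN:...' line."""
    m = TLS_ERR_RE.search(log_text)
    return (int(m.group(1)), m.group(2)) if m else None


def import_command(dbdir: str, nickname: str, ca_pem: str) -> List[str]:
    """argv equivalent of the thread's certutil import (-i replaces '<')."""
    # -A add, -n nickname, -t CT,C,C trusted CA for SSL/S-MIME/JAR, -a PEM input
    return ["certutil", "-A", "-d", dbdir, "-n", nickname,
            "-t", "CT,C,C", "-a", "-i", ca_pem]


def diagnose(log_text: str, listing_text: str, nickname: str) -> str:
    """Combine the error code and the DB listing into a next step."""
    err = find_tls_error(log_text)
    certs = parse_listing(listing_text)
    if err is None:
        return "no-tls-error"
    if err[0] == -8172 and not ssl_ca_trusted(certs, nickname):
        return "untrusted-issuer: import CA into NSS DB and restart httpd"
    if err[0] == -8172:
        return "untrusted-issuer: CA present and trusted; check it is the actual issuer"
    return "other-tls-error: %d %s" % err


def main(argv: List[str]) -> int:
    """Usage: script.py <nss-db-dir> <ca-nickname>  (reads a live listing)."""
    dbdir, nickname = (argv[1:3] + ["/etc/httpd/alias", "LDAP CA"])[:2]  # assumed defaults
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         capture_output=True, text=True, check=True).stdout
    ok = ssl_ca_trusted(parse_listing(out), nickname)
    print("%s trusted for SSL in %s: %s" % (nickname, dbdir, ok))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the database directory and nickname used at import time; a non-zero exit means the CA is absent or lacks the SSL "C" flag, and the `diagnose` helper maps the quoted -8172 error onto that check.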


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users