Thanks guys. I will try and have a go tomorrow and let you know how it goes.
Regards
Tim

On 6 Nov 2012 18:20, "Dmitri Pal" <[email protected]> wrote:
> On 11/06/2012 11:58 AM, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> On 11/06/2012 08:07 AM, Rob Crittenden wrote:
> >>> Tim Hughes wrote:
> >>>>
> >>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
> >>>> ipa-server-2.2.0-16.el6.x86_64 with the following command
> >>>>
> >>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue
> >>>> --with-compat --base-dn=dc=custsvc,dc=mycompany
> >>>> --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
> >>>> --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
> >>>>
> >>>> I get the following response.
> >>>>
> >>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> >>>> ipa: DEBUG: cert valid True for "CN=ipa-server.internal,O=CO.MYCOMPANY"
> >>>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
> >>>> ipa: DEBUG: Caught fault 4203 from server http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
> >>>> ipa: DEBUG: Destroyed connection context.xmlclient
> >>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
> >>>>
> >>>> I am trying to work out which certificate is not trusted and how I
> >>>> should make it trusted. Any help would be appreciated.
> >>>
> >>> I suspect you're going to need to add the CA that issued your LDAP
> >>> server certificate to the IPA Apache NSS certificate database (where
> >>> our admin framework runs).
> >>>
> >>> You'd add it something like this:
> >>>
> >>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a < /path/to/ca.crt
> >>>
> >>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
> >>> about this, it just needs to be unique. Use something meaningful to you.
> >>>
> >>> Then restart the httpd service and try the migration again.
> >>>
> >>> I don't know if we've tested using ldaps, so if my suggestion works
> >>> can you let us know?
> >>
> >> IMO the migrate-ds command should have an additional argument to point to
> >> the cert file to use for the connection.
> >> Then the framework should get the cert and import it into the store
> >> itself.
> >>
> >> Rob, do you agree that this would be a valid RFE?
> >
> > Yup, certainly something that would make things easier.
> >
> > rob
>
> https://fedorahosted.org/freeipa/ticket/3243
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
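The procedure Rob describes (import the CA that issued the source LDAP server's certificate into the IPA Apache NSS database with certutil, then restart httpd and retry migrate-ds), written out as a script with the checks a practitioner would want before touching a production trust store. This is an added example, not code from the thread or from the FreeIPA project. It assumes certutil (nss-tools) and openssl are installed, and it exercises itself against a throwaway CA and a temporary database that it constructs, so it runs offline; the function names import_ldap_ca and trust_flags are the example's own. On an IPA 2.x server as in the thread you would call import_ldap_ca against /etc/httpd/alias with the real CA file.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): import a CA into
# an NSS database as a trusted SSL CA (CT,C,C), refuse duplicate nicknames,
# and verify NSS actually accepts the cert for the "SSL CA" usage.
set -eu

# The database the IPA 2.x admin framework uses (from Rob's reply). The
# self-test below substitutes a temporary directory for it.
IPA_HTTPD_NSSDB=/etc/httpd/alias

# Skip cleanly when the tools are not installed (nss-tools, openssl).
for tool in certutil openssl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed; skipping" >&2; exit 0; }
done

# import_ldap_ca DB CERT_PEM NICKNAME
# Adds CERT_PEM to DB under NICKNAME with trust flags CT,C,C, the flags Rob
# uses, then validates it for the SSL CA usage (-u L).
import_ldap_ca() {
    db=$1 cert=$2 nick=$3
    # certutil -a expects ASCII (PEM) input; a DER file would be rejected later.
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert is not PEM" >&2; return 1; }
    # Nicknames must be unique within a database; do not silently clobber one.
    if certutil -L -d "$db" -n "$nick" >/dev/null 2>&1; then
        echo "nickname '$nick' already exists in $db; choose another" >&2
        return 1
    fi
    certutil -A -d "$db" -n "$nick" -t CT,C,C -a -i "$cert"
    certutil -V -d "$db" -n "$nick" -u L >/dev/null
}

# trust_flags DB NICKNAME: print the trust column that certutil -L shows for
# NICKNAME (exact match on the nickname, which may contain spaces).
trust_flags() {
    certutil -L -d "$1" | awk -v n="$2" '
        { f = $NF; line = $0; sub(/ +[^ ]+$/, "", line); if (line == n) print f }'
}

# --- self-test against a constructed throwaway CA and a temporary database ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/O=Example/CN=Throwaway LDAP CA' \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
mkdir "$WORK/nssdb"
certutil -N -d "$WORK/nssdb" --empty-password

import_ldap_ca "$WORK/nssdb" "$WORK/ca.crt" 'LDAP CA'
echo "trust flags for 'LDAP CA': $(trust_flags "$WORK/nssdb" 'LDAP CA')"

# A second import under the same nickname must be refused, not overwritten.
if import_ldap_ca "$WORK/nssdb" "$WORK/ca.crt" 'LDAP CA' 2>/dev/null; then
    echo "duplicate nickname was not refused" >&2
    exit 1
fi

echo "On the IPA server: import_ldap_ca $IPA_HTTPD_NSSDB /path/to/ca.crt 'LDAP CA'," \
     "then restart httpd and rerun ipa migrate-ds."
```

If you do not already have the issuing CA's certificate as a file, `openssl s_client -connect fedora-ds-server.internal:636 -showcerts` prints the chain the LDAP server sends; the last certificate in that chain, or its issuer if the root is not sent, is the one to import. Since this step establishes trust for the whole migration, confirm that certificate's fingerprint out of band with whoever runs the directory server rather than trusting whatever came over the wire. The CT,C,C flags mark the CA as trusted for SSL only; they do not make it a trusted S/MIME or code-signing CA.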
