On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com> wrote:
> I am glad you got it working. Just for the record, CRL and OCSP revocation
> URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2 that
> will make it work again.
Thanks for the heads up Martin.
I will likely upgrade to 3.2 once Fedora 19 is released.
I am going to assume my 3.1 clients will be compatible?
> More information can be found out in FreeIPA.org wiki:
> Relevant upstream ticket:
> On 04/29/2013 06:59 AM, Peter Brown wrote:
> > I finally got this to work.
> > I managed to get an error message that told me it couldn't check the
> > of the certificates against a crl.
> > I tried to find out how to tell java where to find that crl but I
> > discovered these options instead to tell java to not check a crl.
> > -Dcom.sun.net.ssl.checkRevocation=false
> > -Dcom.sun.security.enableCRLDP=false
> > On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:
> > Hello,
> > On 04/26/2013 07:22 AM, Peter Brown wrote:
> > Hi everyone.
> > I am attempting to get Google Apps to sync with FreeIPA and I am having
> > problems getting the sync utility to talk to freeipa.
> > It complains about the ssl cert.
> > I have it setup so it only accepts ssl or tls encrypted connections and
> > I don't want to turn that off.
> > I have imported the ca cert using the jre's keytool but it still
> > to connect.
> > I am getting the impression I need to import the ssl cert for the ldap
> > server into it as well.
> > The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the
> > certs. Make sure you import it with the right trust level (SSL
> > signing). Unfortunately I don't know about jre's keytool so I can't be more
> > specific.
> > I have no idea which certificate that is and I have no idea how to
> > export it.
> > Do not do this. You should only explicitly trust the CA cert.
> > For example, if you trust the certs explicitly you'd have to re-import them
> > one by one when they are renewed.
> > Can someone please tell me how to do this?
> > If you really want to:
> > There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
> > for the LDAP server.
> > To export the httpd server certificate (to PEM):
> > $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
> > To export the directory server certificate (to PEM):
> > $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
> > But again, you don't need this for what you're trying to do.
> > --
> > Petr³
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipafirstname.lastname@example.org
> > https://www.redhat.com/mailman/listinfo/freeipa-users
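
The renewal argument made in the thread, as an added example that is not part of the original messages: a throwaway CA and two server certificates built with openssl show that a client trusting only the CA still accepts a renewed certificate, while a client that trusted the old server certificate explicitly does not. All file names, the host name `ldap.example.test` and the helper functions are constructed for the demo; they stand in for `/etc/ipa/ca.crt` and the LDAP `Server-Cert`.

```shell
#!/bin/sh
# Constructed demo PKI in a temp dir; nothing here touches real FreeIPA files.
set -eu

# Issue a server certificate for ldap.example.test (assumed name) signed by the demo CA.
issue() {  # $1 = work dir, $2 = output basename
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# SHA-256 fingerprint: what a client effectively pins when it trusts one cert explicitly.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Returns 0 when cert $2 chains to the CA in $1 (the "trust only the CA" model).
trusted_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Returns 0 when cert $2 has the same fingerprint as pinned cert $1 (explicit trust).
trusted_by_pin() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

demo() {
    d=$(mktemp -d)
    # Self-signed demo CA, playing the role of the IPA CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    issue "$d" server     # certificate in use today
    issue "$d" renewed    # same name, new key and serial, as after a renewal
    for c in server renewed; do
        trusted_by_ca "$d/ca.crt" "$d/$c.crt" && ca=ok || ca=FAIL
        trusted_by_pin "$d/server.crt" "$d/$c.crt" && pin=ok || pin=FAIL
        echo "$c: ca-trust=$ca pinned-trust=$pin"
    done
    rm -rf "$d"
}

demo
```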