On 05/07/2013 04:51 AM, Peter Brown wrote:
> On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com
> <mailto:mko...@redhat.com>> wrote:
> 
>     I am glad you made it working. Just for the record, CRL and OCSP 
> revocation
>     URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 3.2 
> that
>     will make it working again.
> 
> 
> Thanks for the heads up Martin.
> I will likely upgrade to 3.2 once Fedora 19 is released.
> 
> I am going to assume my 3.1 clients will be compatible?

Yes, this is a correct assumption. BTW we are just in a process of testing and
releasing FreeIPA 3.1.4 bugfixing release for Fedora 18 which will also contain
the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4
when it is released is appreciated.

Martin

>  
> 
> 
>     More information can be found out in FreeIPA.org wiki:
>     http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
> 
>     Relevant upstream ticket:
>     https://fedorahosted.org/freeipa/ticket/3552
> 
>     Martin
> 
>     On 04/29/2013 06:59 AM, Peter Brown wrote:
>     > I finally got this to work.
>     >
>     > I managed to get an error message that told me it couldn't check the
>     revocation
>     > of the certificates against a crl.
>     > I tried to find out how to tell java where to find that crl but I these
>     > discovered these options instead to tell java to not check a crl.
>     > -Dcom.sun.net.ssl.checkRevocation=false
>     > -Dcom.sun.security.enableCRLDP=false
>     >
>     >
>     > On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com
>     <mailto:pvikt...@redhat.com>
>     > <mailto:pvikt...@redhat.com <mailto:pvikt...@redhat.com>>> wrote:
>     >
>     >     Hello,
>     >
>     >
>     >     On 04/26/2013 07:22 AM, Peter Brown wrote:
>     >
>     >         Hi everyone.
>     >
>     >         I am attempting to get Google Apps to sync with FreeIPA and I am
>     having
>     >         problems getting the sync utility to talk to freeipa.
>     >         It complains about the ssl cert.
>     >         I have it setup so it only accepts ssl or tls encrypted
>     connections and
>     >         I don't want to turn that off.
>     >         I have imported the ca cert using the jre's keytool but it still
>     refuses
>     >         to connect.
>     >         I am getting the impression I need to import the ssl cert for 
> the
>     ldap
>     >         server into it as well.
>     >
>     >
>     >     The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the 
> other
>     >     certs. Make sure you import it with the right trust level (SSL
>     certificate
>     >     signing). Unfortunately I don't know about jre's keytool so I can't
>     be more
>     >     specific.
>     >
>     >
>     >
>     >         I have no idea which certificate that is and I have no idea how 
> to
>     >         export it.
>     >
>     >
>     >     Do not do this. You should only explicitly trust the CA cert.
>     >     For example, if you trust the certs explicitly you'd have to
>     re-import them
>     >     one by one when they are renewed.
>     >
>     >
>     >         Can someone please tell me how to do this?
>     >
>     >
>     >     If you really want to:
>     >     There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), 
> and one
>     >     for the LDAP server.
>     >     To export the httpd server certificate (to PEM):
>     >     $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
>     >     To export the directory server certificate (to PEM):
>     >     $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE___NAME/ -n Server-Cert 
> -a
>     >     But again, you don't need this for what you're trying to do.
>     >
>     >     --
>     >     Petrł
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > Freeipa-users mailing list
>     > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>     > https://www.redhat.com/mailman/listinfo/freeipa-users
>     >
> 
> 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to