Rob, 

I tried what you suggested on the client, and that did not work. I copied my cert over those two files you suggested; that was easy. However, is there a more manual way to change that LDAP setting you are talking about? The LDAP server is not letting me in because of the cert error. I see some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate those to match the new SSL cert nickname that is used in NSS for the Godaddy cert, or to turn off SSL so I can manipulate it?



Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc

On May 23, 2013, at 4:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Moyer wrote:
>> Dmitri,
>> 
>> Here are the corresponding answers, thanks for the quick response.
>> 
>> 
>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>> 2.
>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: client.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction.  Peer certificate cannot be authenticated with known CA
>> certificates
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> 
>> 3.
>> 2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
>> 2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com:
>> 
>> 2013-05-23T17:45:16Z DEBUG stderr=
>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>> ldap://server.example.com
>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>> identical
>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
>> 2013-05-23T17:45:16Z DEBUG stdout=
>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>> POST transaction.  Peer certificate cannot be authenticated with known
>> CA certificates
>> 
>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>> execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates
>> 
>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
> 
> You need to put the Go Daddy CA cert into LDAP in 
> cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. 
> And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
> 
> It looks like this isn't being done automatically by ipa-server-certinstall. 
> I opened https://fedorahosted.org/freeipa/ticket/3641
> 
> A quick fix would be to try this on the client machine before trying 
> enrollment:
> 
> # cd /etc/pki/nssdb/
> # ln -s /usr/lib64/nss/libnssckbi.so .
> 
> (or lib if a 32-bit machine)
> 
> That will add the global bundle to the NSS database. Then re-try the 
> enrollment, it may work.
> 
> rob
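The cross-check Rob's reply implies, written up as an added example that is not part of this thread and not FreeIPA's own code: the client can only verify the server's HTTPS and LDAPS certificates if the CA in /etc/ipa/ca.crt, /usr/share/ipa/html/ca.crt and the cACertificate attribute of cn=cacert,cn=ipa,cn=etc,<basedn> is the same certificate, so the script computes the SHA-256 fingerprint of each copy (the LDAP copy read from `ldapsearch` LDIF output) and flags any disagreement. The same small LDIF reader is then used to pull the two dse.ldif values John asks about; the attribute names nsslapd-security (under cn=config) and nsSSLPersonalitySSL (under cn=RSA,cn=encryption,cn=config) are my assumption from 389-ds, not something the thread states, so verify them against your own dse.ldif. All certificates and LDIF below are constructed placeholders, which is why the fingerprints are computed on raw bytes rather than on parsed X.509 structures.

```python
"""Added example: check that FreeIPA's three copies of the CA cert agree,
and read the 389-ds TLS settings from dse.ldif. Standard library only."""
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ATTR_LINE = re.compile(r"^([A-Za-z0-9.;-]+)(::?)\s*(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader: {dn.lower(): {attr.lower(): [values]}}.

    Handles RFC 2849 line folding (continuation lines start with a space) and
    base64 values written as 'attr:: ...', which is how ldapsearch prints
    cACertificate;binary. Base64 values come back as bytes, others as str.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current, dn = {}, None, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if dn is not None:
                entries[dn] = current
            current, dn = None, None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value)
        if name.lower() == "dn":
            dn, current = value.lower(), {}
            continue
        if current is not None:
            name = name.split(";")[0].lower()   # drop the ';binary' option
            current.setdefault(name, []).append(value)
    return entries


def pem_to_der(pem_text):
    m = PEM_CERT.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_ca_consistency(etc_ca_pem, html_ca_pem, ldap_ldif, base_dn="dc=example,dc=com"):
    """Fingerprint the three CA copies; return (fingerprints, all_identical)."""
    dn = f"cn=cacert,cn=ipa,cn=etc,{base_dn}"
    ldap_der = parse_ldif(ldap_ldif).get(dn.lower(), {}).get("cacertificate", [None])[0]
    fps = {
        "/etc/ipa/ca.crt": sha256_fingerprint(pem_to_der(etc_ca_pem)),
        "/usr/share/ipa/html/ca.crt": sha256_fingerprint(pem_to_der(html_ca_pem)),
        dn: sha256_fingerprint(ldap_der) if ldap_der else None,
    }
    return fps, None not in fps.values() and len(set(fps.values())) == 1


def dirsrv_tls_settings(dse_ldif):
    """Assumed 389-ds attribute names: nsslapd-security and nsSSLPersonalitySSL."""
    entries = parse_ldif(dse_ldif)
    return {
        "security": entries.get("cn=config", {}).get("nsslapd-security", ["off"])[0],
        "nickname": entries.get("cn=rsa,cn=encryption,cn=config", {})
                           .get("nssslpersonalityssl", [None])[0],
    }


# ---- constructed sample data (placeholders, not real certificates) ----
OLD_CA_DER = b"constructed placeholder: old self-signed IPA CA"
NEW_CA_DER = b"constructed placeholder: new Go Daddy CA"


def fake_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


_b64 = base64.b64encode(OLD_CA_DER).decode()
SAMPLE_LDIF = (  # LDAP still holds the old CA, with a folded continuation line
    "dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com\n"
    "cn: cacert\n"
    f"cACertificate;binary:: {_b64[:40]}\n {_b64[40:]}\n"
)
SAMPLE_DSE = "dn: cn=config\nnsslapd-security: on\n\n" \
             "dn: cn=RSA,cn=encryption,cn=config\ncn: RSA\nnsSSLPersonalitySSL: Server-Cert\n"

if __name__ == "__main__":
    fps, ok = check_ca_consistency(fake_pem(NEW_CA_DER), fake_pem(NEW_CA_DER), SAMPLE_LDIF)
    for where, fp in fps.items():
        print(f"{where}: {fp}")
    print("consistent" if ok else "MISMATCH: clients will fail peer verification")
    print(dirsrv_tls_settings(SAMPLE_DSE))
```

Run on a real server, feed it the two files plus the output of `ldapsearch -x -b "cn=cacert,cn=ipa,cn=etc,dc=example,dc=com" cACertificate`; the sample run reproduces the situation in the thread (files updated, LDAP still holding the old CA) and reports the mismatch.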


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
