On 05/23/2013 05:10 PM, John Moyer wrote:
> I tried what you suggested on the client, and that did not work. I
> copied my cert over those two files you suggested; that was easy. However, is
> there a more manual way to change that LDAP setting you are talking about?
> The LDAP server is not letting me in because of the cert error. I see
> some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate
> those to match the new SSL cert nickname that is used in NSS for the Godaddy
> cert? Or turn off SSL so I can manipulate it?
I think if you run ldapmodify as a directory manager on the server
machine using ldapi you would be able to bypass the cert check.
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc
> On May 23, 2013, at 4:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> John Moyer wrote:
>>> Here are the corresponding answers, thanks for the quick response.
>>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: client.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>> transaction. Peer certificate cannot be authenticated with known CA
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>> 2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
>>> 2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com
>>> 2013-05-23T17:45:16Z DEBUG stderr=
>>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
>>> 2013-05-23T17:45:16Z DEBUG stdout=
>>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>>> POST transaction. Peer certificate cannot be authenticated with known
>>> CA certificates
>>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>>> execute the HTTP POST transaction. Peer certificate cannot be
>>> authenticated with known CA certificates
>>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
>> You need to put the Go Daddy CA cert into LDAP in
>> cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute.
>> And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
>> It looks like this isn't being done automatically by ipa-server-certinstall.
>> I opened https://fedorahosted.org/freeipa/ticket/3641
>> A quick fix would be to try this on the client machine before trying
>> # cd /etc/pki/nssdb/
>> # ln -s /usr/lib64/nss/libnssckbi.so .
>> (or lib if a 32-bit machine)
>> That will add the global bundle to the NSS database. Then re-try the
>> enrollment, it may work.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Freeipa-users mailing list
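Rob's two fixes and the ldapi suggestion above, combined into one script as an added example (not code from the thread or from the FreeIPA project): it replaces the CA certificate stored in the cn=cacert entry by binding over ldapi as Directory Manager, so the TLS listener with the unverifiable certificate is never touched, and then copies the PEM to the two files Rob names. The instance socket path, the `cACertificate;binary` attribute name and the use of only the first certificate in a bundle are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: push a replacement CA certificate
# (e.g. the Go Daddy CA) to the places ipa-client-install consults.
set -eu

# Assumptions: the 389-ds instance is slapd-EXAMPLE-COM (as in the dse.ldif
# path above) with its ldapi socket under /var/run; binding over ldapi avoids
# the TLS listener whose certificate the client cannot verify.
LDAPI_URI="ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket"
CACERT_RDN="cn=cacert,cn=ipa,cn=etc"

# Emit an LDIF that replaces cACertificate;binary in the cn=cacert entry.
# A PEM body is already base64(DER), so it is reused verbatim once the armor
# lines, spaces and CR/LF are stripped. Only the first certificate in a
# bundle is taken (assumption: the entry holds a single value).
pem_to_ldif() {                     # $1 = PEM file, $2 = base DN
    b64=$(awk '/^-----BEGIN CERTIFICATE-----/ {inb=1; next}
               /^-----END CERTIFICATE-----/   {exit}
               inb {printf "%s", $0}' "$1" | tr -d ' \r')
    [ -n "$b64" ] || { echo "no PEM certificate found in $1" >&2; return 1; }
    printf 'dn: %s,%s\nchangetype: modify\nreplace: cACertificate;binary\ncACertificate;binary:: %s\n' \
        "$CACERT_RDN" "$2" "$b64"
}

# Copy the PEM to the two files Rob names, world-readable like the originals.
install_ca_files() {                # $1 = PEM file
    install -m 0644 "$1" /etc/ipa/ca.crt
    install -m 0644 "$1" /usr/share/ipa/html/ca.crt
}

# Apply both changes; ldapmodify prompts for the Directory Manager password.
publish_ca() {                      # $1 = PEM file, $2 = base DN
    ldif=$(pem_to_ldif "$1" "$2")   # fails (and aborts) if no cert is found
    printf '%s\n' "$ldif" | ldapmodify -x -H "$LDAPI_URI" -D "cn=Directory Manager" -W
    install_ca_files "$1"
}

# Run only when explicitly requested, e.g.:
#   PUBLISH_CA=1 CA_PEM=/root/godaddy-ca.pem BASEDN=dc=example,dc=com sh publish-ca.sh
if [ "${PUBLISH_CA:-0}" = 1 ]; then
    publish_ca "${CA_PEM:?set CA_PEM to the CA certificate PEM file}" "${BASEDN:?set BASEDN}"
fi
```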