On 05/23/2013 05:10 PM, John Moyer wrote:
> Rob,
>
> I tried what you suggested on the client, and that did not work. I
> copied my cert over those two files you suggested; that was easy. However, is
> there a more manual way to change that LDAP setting you are talking about?
> The LDAP server is not letting me in because of the cert error. I see
> some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate
> those to match the new SSL cert nickname that is used in NSS for the Godaddy
> cert, or turn off SSL so I can manipulate it?

I think if you run ldapmodify as a directory manager on the server machine using ldapi you would be able to bypass the cert check.

>
> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc
>
> On May 23, 2013, at 4:20 PM, Rob Crittenden <[email protected]> wrote:
>
>> John Moyer wrote:
>>> Dmitri,
>>>
>>> Here are the corresponding answers, thanks for the quick response.
>>>
>>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>>> 2.
>>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: client.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>>
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> 3.
>>> 2013-05-23T17:45:16Z DEBUG args=kinit [email protected]
>>> 2013-05-23T17:45:16Z DEBUG stdout=Password for [email protected]:
>>>
>>> 2013-05-23T17:45:16Z DEBUG stderr=
>>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from ldap://server.example.com
>>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are identical
>>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
>>> 2013-05-23T17:45:16Z DEBUG stdout=
>>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
>>
>> You need to put the Go Daddy CA cert into LDAP in
>> cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute.
>> And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
>>
>> It looks like this isn't being done automatically by ipa-server-certinstall.
>> I opened https://fedorahosted.org/freeipa/ticket/3641
>>
>> A quick fix would be to try this on the client machine before trying
>> enrollment:
>>
>> # cd /etc/pki/nssdb/
>> # ln -s /usr/lib64/nss/libnssckbi.so .
>>
>> (or lib if a 32-bit machine)
>>
>> That will add the global bundle to the NSS database. Then re-try the
>> enrollment, it may work.
>>
>> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
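Rob's fix (load the Go Daddy CA cert into the cn=cacert,cn=ipa,cn=etc entry and the two ca.crt files) combined with Dmitri's route around the failing TLS check (ldapmodify as Directory Manager over ldapi), written out as an added example that is not code from the thread or from FreeIPA. The ldapi socket path /var/run/slapd-<INSTANCE>.socket, the use of `replace` rather than `add`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: push a CA cert
# (PEM) into the cn=cacert,cn=ipa,cn=etc,<suffix> entry that ipa-client-install
# reads, using ldapi so the broken TLS certificate is never involved.

# Build a modify LDIF for the entry. A PEM body is already base64(DER), so
# joining the lines of the first CERTIFICATE block yields the "::" value LDIF
# expects; only the first block is used so a chain file does not get mangled.
# Usage: make_cacert_ldif /path/to/ca.pem dc=example,dc=com
make_cacert_ldif() {
    pem_file=$1
    suffix=$2
    b64=$(awk '/^-----BEGIN CERTIFICATE-----/ { inb = 1; next }
               /^-----END CERTIFICATE-----/   { exit }
               inb { sub(/\r$/, ""); printf "%s", $0 }' "$pem_file")
    if [ -z "$b64" ]; then
        echo "make_cacert_ldif: no CERTIFICATE block in $pem_file" >&2
        return 1
    fi
    # "replace" drops the old value; use "add" instead to keep both CA certs.
    printf 'dn: cn=cacert,cn=ipa,cn=etc,%s\nchangetype: modify\nreplace: cacertificate;binary\ncacertificate;binary:: %s\n' \
        "$suffix" "$b64"
}

# Apply it on the IPA server as Directory Manager over the local socket.
# Assumption: the 389-ds instance is slapd-<INSTANCE> with its socket at
# /var/run/slapd-<INSTANCE>.socket (slashes URL-encoded as %2f in the URL).
# Usage: apply_cacert /path/to/ca.pem dc=example,dc=com EXAMPLE-COM
apply_cacert() {
    pem_file=$1
    suffix=$2
    instance=$3
    ldif=$(mktemp)
    make_cacert_ldif "$pem_file" "$suffix" > "$ldif"
    ldapmodify -H "ldapi://%2fvar%2frun%2fslapd-${instance}.socket" \
               -D "cn=Directory Manager" -W -f "$ldif"
    rm -f "$ldif"
    # Refresh the two on-disk copies Rob mentions as well.
    cp "$pem_file" /etc/ipa/ca.crt
    cp "$pem_file" /usr/share/ipa/html/ca.crt
}
```

After the entry is updated, re-run ipa-client-install; the client fetches the CA cert from that entry before ipa-join talks to the server over HTTPS.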
