On 05/23/2013 05:10 PM, John Moyer wrote:
> Rob, 
>
>       I tried what you suggested on the client, and that did not work.   I 
> copied my cert over those two files you suggested that was easy.  However, is 
> there a more manually way to change that LDAP setting you are talking about.  
> The LDAP server is not letting me in because of the cert error.   Like I see 
> some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif can I manipulate 
> those to match the new SSL cert nickname that is used in NSS for the Godaddy 
> cert? or to turn off SSL so I can manipulate it? 

I think if you run ldapmodify as a directory manager on the server
machine using ldapi you would be able to bypass the cert check.

>
>
>
> Thanks, 
> _____________________________________________________
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc
>
> On May 23, 2013, at 4:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> John Moyer wrote:
>>> Dmitri,
>>>
>>> Here are the corresponding answers, thanks for the quick response.
>>>
>>>
>>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>>> 2.
>>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com
>>> <http://digitalreasoning.com> --server=ipa1.corp.digitalreasoning.com
>>> <http://ipa1.corp.digitalreasoning.com> --realm=EXAMPLE.COM
>>> <http://EXAMPLE.COM> -p builduser -w "BLAH" -U
>>> Hostname: client.example.com <http://client.example.com>
>>> Realm: EXAMPLE.COM <http://EXAMPLE.COM>
>>> DNS Domain: example.com <http://example.com>
>>> IPA Server: server.example.com <http://server.example.com>
>>> BaseDN: dc=example,dc=com
>>>
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>> transaction.  Peer certificate cannot be authenticated with known CA
>>> certificates
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> 3.
>>> 2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
>>> <mailto:buildu...@example.com>
>>> 2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com
>>> <mailto:buildu...@example.com>:
>>>
>>> 2013-05-23T17:45:16Z DEBUG stderr=
>>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>>> ldap://server.example.com
>>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>>> identical
>>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com
>>> <http://server.example.com> -b dc=example,dc=com
>>> 2013-05-23T17:45:16Z DEBUG stdout=
>>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>>> POST transaction.  Peer certificate cannot be authenticated with known
>>> CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>>> execute the HTTP POST transaction.  Peer certificate cannot be
>>> authenticated with known CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
>> You need to put the Go Daddy CA cert into LDAP in 
>> cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. 
>> And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
>>
>> It looks like this isn't being done automatically by ipa-server-certinstall. 
>> I opened https://fedorahosted.org/freeipa/ticket/3641
>>
>> A quick fix would be to try this on the client machine before trying 
>> enrollment:
>>
>> # cd /etc/pki/nssdb/
>> # ln -s /usr/lib64/nss/libnssckbi.so .
>>
>> (or lib if a 32-bit machine)
>>
>> That will add the global bundle to the NSS database. Then re-try the 
>> enrollment, it may work.
>>
>> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to