John Moyer wrote:
> So I did that, and it executed perfectly (went back and checked that it did
> indeed replace the value as expected). I got on the machine I was trying to
> add and got this:
>
> [root@ ~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: blah.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
> Synchronizing time with KDC...
> The CA cert available from the IPA server does not match the
> local certificate available at /etc/ipa/ca.crt
> Existing CA cert:
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer: CN=Certificate Authority,O=EXAMPLE.COM
> Valid From: Wed Mar 02 18:52:05 2013 UTC
> Valid Until: Sun Mar 02 18:52:05 2033 UTC
> Retrieved CA cert:
> Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
> Issuer: serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> Valid From: Thu Dec 01 14:57:49 2011 UTC
> Valid Until: Sun Dec 01 14:57:49 2013 UTC
> Cannot obtain CA certificate
> 'ldap://server.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> Then I tried to change the local machine's /etc/ipa/ca.crt to match the server.
> I then got this:

Next time you can just remove /etc/ipa/ca.crt. The client will fetch an
updated one. This is fixed upstream.

> [root@]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: blah.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST transaction.
> Peer certificate cannot be authenticated with known CA certificates
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.

You replaced the web server cert as well, right? And restarted Apache?

rob

> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
>
> On May 24, 2013, at 3:11 PM, Rob Crittenden <[email protected]> wrote:
>> John Moyer wrote:
>>> So unfortunately a rebuild would be less than optimal for me, lots of servers
>>> and users. So I've tried Dmitri's idea of ldapi and I got the access to LDAP
>>> now, however I may be going about this entire thing wrong. I created an LDIF
>>> file that looks like this:
>>>
>>> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
>>> changetype: modify
>>> replace: cacert
>>> cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
>>>
>>> Then I ran the following:
>>>
>>> ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif
>>>
>>> and I get the following error:
>>>
>>> Enter LDAP Password:
>>> modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
>>> ldap_modify: Object class violation (65)
>>> additional info: attribute "cacert" not allowed
>>
>> The attribute you want is caCertificate. What you need to do is convert your CA
>> cert from PEM format to DER:
>>
>> openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER
>>
>> Then use this ldif:
>>
>> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
>> changetype: modify
>> replace: cacertificate;binary
>> cacertificate;binary:< file:///tmp/ca.der
>>
>> That should do it.
>>
>> rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users