Rob, 

        MyIPA I believe was installed by IPA.  I did everything you suggested, 
the below is what it looks like now.   


--------
certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

----------

I'm still getting the following when I try to restart the dirsrv:  

/etc/init.d/dirsrv restart
Shutting down dirsrv:
    EXAMPLE-COM...                                [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting dirsrv:
    EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)
                                                           [  OK  ]
    PKI-IPA...                                             [  OK  ]


I'm also getting the following when I  try to add a server to IPA: 

ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations





On May 29, 2013, at 12:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Moyer wrote:
>> John,
>> 
>>      I see the following when I ran that first command.
>> 
>> sudo certutil -d /etc/httpd/alias -L -h internal
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              
>> SSL,S/MIME,JAR/XPI
>> 
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
>> MyIPA                                                        CTu,Cu,u
>> 
>> 
>> So being that I have no fear (or am just real dumb, I really feel it's just 
>> both) I used that command and got this error after hitting enter to continue:
>> 
>> sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
>> 
>> WARNING: Performing this operation while the browser is running could cause
>> corruption of your security databases. If the browser is currently running,
>> you should exit browser before continuing this operation. Type
>> 'q <enter>' to abort, or <enter> to continue:
>> 
>> ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 
>> error.".
>> 
>> I then did the first command again (to see what I messed up) and it looks 
>> identical as shown below:
>> 
>> sudo certutil -d /etc/httpd/alias -L -h internal
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              
>> SSL,S/MIME,JAR/XPI
>> 
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
>> MyIPA                                                        CTu,Cu,u
> 
> These trust flags look really strange.
> 
> What is MyIPA, is that your server certificate? It should have a trust of 
> u,u,u if it is: certutil -M -d /etc/httpd/alias -n MyIPA -t u,u,u
> 
> The other two are clearly CAs and should be trusted as so. For each one I'd 
> do:
> 
> certutil -M -d /etc/httpd/alias -n 'nickname' -t CT,,
> 
> You can test the trust with:
> 
> certutil -V -u V -d /etc/httpd/alias -n MyIPA
> 
> I'm guessing that you'll need to do something similar in 
> /etc/dirsrv/slapd-YOUR-INSTANCE.
> 
> rob


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to