I don't know if this helps, but this is the log I'm getting from the IPA 
server's apache error log.

[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
recognize and trust the CA that issued your certificate


Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

> Rob, 
> 
>       Sorry for the late response I tried the following
> 
> [root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 
> 2 Certification Authority - ValiCert, Inc." -t CT,,
> [root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy 
> Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
> certutil: certificate is valid
> 
> After this I tried to add a machine and got the same error: 
> 
> [root@~]# ipa-client-install --domain=example.com --server=server.example.com 
> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: server.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
> 
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
> Peer certificate cannot be authenticated with known CA certificates
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Any additional suggestions?
> 
> 
> Thanks, 
> _____________________________________________________
> John Moyer
> Director, IT Operations
> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>> John Moyer wrote:
>>> Rob,
>>> 
>>>     MyIPA I believe was installed by IPA.  I did everything you suggested, 
>>> the below is what it looks like now.
>>> 
>>> 
>>> --------
>>> certutil -d /etc/httpd/alias -L -h internal
>>> 
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>> 
>>> MyIPA                                                        u,u,u
>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>> 
>>> ----------
>>> 
>>> I'm still getting the following when I try to restart the dirsrv:
>>> 
>>> /etc/init.d/dirsrv restart
>>> Shutting down dirsrv:
>>>    EXAMPLE-COM...                                [  OK  ]
>>>    PKI-IPA...                                             [  OK  ]
>>> Starting dirsrv:
>>>    EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: 
>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
>>> -8172 - Peer's certificate issuer has been marked as not trusted by the 
>>> user.)
>>>                                                           [  OK  ]
>>>    PKI-IPA...                                             [  OK  ]
>> 
>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as 
>> well.
>> 
>>> 
>>> I'm also getting the following when I  try to add a server to IPA:
>>> 
>>> ipa-client-install --domain=example.com --server=server.example.com 
>>> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: ip-10-133-38-119.ec2.internal
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>> 
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
>>> Peer certificate cannot be authenticated with known CA certificates
>>> 
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>> 
>> The client installer downloads the CA cert from LDAP, so make sure you have 
>> the GoDaddy CA in LDAP.
>> 
>> rob
>> 
> 


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
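As an added helper (not part of this thread or of FreeIPA), the POSIX shell functions below parse `certutil -L` listings like the one John posted and report CA entries whose SSL trust column lacks the C (trusted CA) flag, plus the CAs trusted in one NSS database but not in another, which is the /etc/httpd/alias versus /etc/dirsrv/slapd-EXAMPLE-COM mismatch Rob points out. The two listings embedded here are constructed samples; on a real server pass `"$(certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L)"` instead.

```shell
#!/bin/sh
# Trust column layout in `certutil -L`: SSL,S/MIME,JAR/XPI; "C" means trusted CA,
# "u" means a user (own) cert, ",," means present but not trusted -> NSS -8172.

# Print nicknames whose SSL trust part contains "C" (trusted CAs).
trusted_cas() {
  printf '%s\n' "$1" | awk '
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      split($NF, t, ",")
      if (t[1] ~ /C/) { $NF = ""; sub(/[ \t]+$/, ""); print }
    }'
}

# Print non-user certs whose SSL trust part lacks "C": CAs that are in the
# database but will not be accepted as issuers.
untrusted_cas() {
  printf '%s\n' "$1" | awk '
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      split($NF, t, ",")
      if (t[1] !~ /u/ && t[1] !~ /C/) { $NF = ""; sub(/[ \t]+$/, ""); print }
    }'
}

# Print CAs trusted in listing $1 but not in listing $2.
trust_gap() {
  trusted_cas "$1" | while IFS= read -r nick; do
    trusted_cas "$2" | grep -Fxq -- "$nick" || printf '%s\n' "$nick"
  done
}

# Constructed sample: httpd database after the trust fix.
HTTPD_DB=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
EOF
)

# Constructed sample: dirsrv database where the intermediate was never trusted.
DIRSRV_DB=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
EOF
)
```

Any nickname printed by `untrusted_cas` or `trust_gap` is a candidate for `certutil -M -d <db> -n "<nickname>" -t CT,,` followed by `certutil -V -u V` on the server cert, as in the thread.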