John Moyer wrote:
I don't know if this helps, but this is the log I'm getting from the IPA 
server's apache error log.

[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
recognize and trust the CA that issued your certificate

Apache has its own certificate database in /etc/httpd/alias. Perhaps try the same commands against it.

rob



Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

Rob,

        Sorry for the late response. I tried the following:

[root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 
Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure 
Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid

After this I tried to add a machine and got the same error:

[root@~]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

John Moyer wrote:
Rob,

        MyIPA I believe was installed by IPA.  I did everything you suggested; 
the below is what it looks like now.


--------
certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

----------

I'm still getting the following when I try to restart the dirsrv:

/etc/init.d/dirsrv restart
Shutting down dirsrv:
    EXAMPLE-COM...                                [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting dirsrv:
    EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)
                                                           [  OK  ]
    PKI-IPA...                                             [  OK  ]

You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.


I'm also getting the following when I try to add a server to IPA:

ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM 
-p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

The client installer downloads the CA cert from LDAP, so make sure you have the 
GoDaddy CA in LDAP.

rob
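The thread turns on NSS trust flags: a CA entry needs the C flag in the SSL column of `certutil -L` output (the `CT,,` Rob asks for), and the flags have to be right in every database a daemon reads, not just /etc/httpd/alias. The following script is an added example, not code from either poster; it parses the listing format shown above (nicknames contain spaces and commas, so the trust triple is taken from the right end of the line), reports CA entries whose SSL trust lacks C, and reports CAs present in one database but absent from another. The two listings embedded in it are constructed from the thread's output; `list_nss_db()` runs the same `certutil -L -d <dbdir>` form the posters used and assumes the NSS tools are installed.

```python
"""Check NSS trust flags across the certificate databases FreeIPA uses.

Added example, not code from the mailing-list thread. It parses the text that
`certutil -L -d <dbdir>` prints and reports two things the thread turns on:
  * CA entries whose SSL trust column lacks the C (trusted CA) flag, which is
    what NSS reports as -8172 / -12195 ("issuer marked as not trusted");
  * CAs present in one database but absent from another, e.g. trust fixed in
    /etc/httpd/alias but not in /etc/dirsrv/slapd-<INSTANCE>.
The listings below are constructed from the thread's output; on a real
server call list_nss_db() instead.
"""
import re
import subprocess
from typing import Dict, List, Tuple

Trust = Tuple[str, str, str]  # (SSL, S/MIME, JAR/XPI) trust flag strings
# certutil trust flags: p/P peer, c/C CA, T client CA, u has private key, w/W warn
TRUST_RE = re.compile(r"^[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*$")

# Constructed sample: /etc/httpd/alias after the trust flags were fixed.
HTTPD_ALIAS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

# Constructed sample: a dirsrv database where the intermediate CA was imported
# but never given trust (certutil -A without -t leaves ",,") and the root is absent.
DIRSRV_LISTING_BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
"""


def parse_certutil_list(text: str) -> Dict[str, Trust]:
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` output.

    Nicknames may contain spaces and commas, so split from the right: the last
    whitespace-separated token is the trust triple, everything before it is the
    nickname.  Header lines fail the trust regex and are skipped.
    """
    certs: Dict[str, Trust] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        nick, trust = parts
        ssl, smime, jar = trust.split(",")
        certs[nick.strip()] = (ssl, smime, jar)
    return certs


def has_private_key(trust: Trust) -> bool:
    """'u' in any column means the database holds the key: a server/user cert."""
    return any("u" in col for col in trust)


def untrusted_cas(certs: Dict[str, Trust]) -> List[str]:
    """CA/peer entries whose SSL column lacks C, i.e. NSS will not accept a
    chain ending at them (the thread's -8172 on dirsrv start)."""
    return sorted(n for n, t in certs.items()
                  if not has_private_key(t) and "C" not in t[0])


def missing_cas(reference: Dict[str, Trust], other: Dict[str, Trust]) -> List[str]:
    """CAs in `reference` that `other` does not contain at all."""
    return sorted(n for n, t in reference.items()
                  if not has_private_key(t) and n not in other)


def compare_databases(name_a: str, a: Dict[str, Trust],
                      name_b: str, b: Dict[str, Trust]) -> List[str]:
    """Human-readable findings for two databases that should agree on CAs."""
    findings: List[str] = []
    for name, certs in ((name_a, a), (name_b, b)):
        for nick in untrusted_cas(certs):
            findings.append(f'{name}: "{nick}" lacks C in its SSL trust; '
                            f'set it with certutil -M -d {name} -n "{nick}" -t CT,,')
    for src, src_certs, dst, dst_certs in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        for nick in missing_cas(src_certs, dst_certs):
            findings.append(f'{dst}: "{nick}" is in {src} but not here; import it with certutil -A')
    return findings


def list_nss_db(dbdir: str) -> Dict[str, Trust]:
    """Run certutil against a real database (same invocation as the thread).
    Requires the NSS tools; not exercised by the constructed samples."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return parse_certutil_list(out)


if __name__ == "__main__":
    httpd = parse_certutil_list(HTTPD_ALIAS_LISTING)
    dirsrv = parse_certutil_list(DIRSRV_LISTING_BEFORE)
    for line in compare_databases("/etc/httpd/alias", httpd,
                                  "/etc/dirsrv/slapd-EXAMPLE-COM", dirsrv):
        print(line)
```

Run it against the constructed samples and it reports the two conditions the thread hit in turn: an intermediate CA sitting in the dirsrv database with no C trust, and a root CA that was never imported there at all. On a live server, replace the two `parse_certutil_list(...)` calls with `list_nss_db("/etc/httpd/alias")` and `list_nss_db("/etc/dirsrv/slapd-<INSTANCE>")`.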




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
