On 06/10/2013 02:17 PM, John Moyer wrote:
> I don't know if this helps, but this is the log I'm getting from the IPA
> server's apache error log.
>
> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not
> recognize and trust the CA that issued your certificate

Is this the same issue we are discussing on the devel list? The intermediate
CA case?

>
> Thanks,
> _____________________________________________________
> John Moyer
> Director, IT Operations
>
> On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com>
> wrote:
>
>> Rob,
>>
>> Sorry for the late response, I tried the following:
>>
>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>> certutil: certificate is valid
>>
>> After this I tried to add a machine and got the same error:
>>
>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: server.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>>
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.
>> Peer certificate cannot be authenticated with known CA certificates
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Any additional suggestions?
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>>
>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> John Moyer wrote:
>>>> Rob,
>>>>
>>>> MyIPA I believe was installed by IPA. I did everything you suggested,
>>>> the below is what it looks like now.
>>>>
>>>> --------
>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>
>>>> Certificate Nickname                                               Trust Attributes
>>>>                                                                    SSL,S/MIME,JAR/XPI
>>>>
>>>> MyIPA                                                              u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
>>>> ----------
>>>>
>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>
>>>> /etc/init.d/dirsrv restart
>>>> Shutting down dirsrv:
>>>>     EXAMPLE-COM...                                            [  OK  ]
>>>>     PKI-IPA...                                                [  OK  ]
>>>> Starting dirsrv:
>>>>     EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>                                                               [  OK  ]
>>>>     PKI-IPA...                                                [  OK  ]
>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as
>>> well.
>>>
>>>> I'm also getting the following when I try to add a server to IPA:
>>>>
>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>> Realm: EXAMPLE.COM
>>>> DNS Domain: example.com
>>>> IPA Server: server.example.com
>>>> BaseDN: dc=example,dc=com
>>>>
>>>> Synchronizing time with KDC...
>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.
>>>> Peer certificate cannot be authenticated with known CA certificates
>>>>
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>> The client installer downloads the CA cert from LDAP, so make sure you have
>>> the GoDaddy CA in LDAP.
>>>
>>> rob
>>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
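The thread comes down to one condition in two NSS databases: the issuing CA is present but not marked trusted for SSL, which dirsrv reports as NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER) and httpd as -12195 (SSL_ERROR_UNKNOWN_CA_ALERT). The script below is an added example, not code from the thread or from the FreeIPA project: it parses `certutil -L` output, lists every certificate whose SSL trust column has neither `C` (trusted CA for server certs) nor `u` (the server's own key pair), and prints the `certutil -M ... -t CT,,` command that would fix each one, the same change applied above. `audit_ipa_dbs` runs that over both databases named in the thread and finishes with the `certutil -V -u V` chain check; the database paths and the `MyIPA` nickname are taken from the thread and may differ on another install, and the embedded listing is a constructed sample in which the Go Daddy intermediate still has the default `,,` flags.

```shell
#!/bin/sh
# Added example: audit NSS trust flags for the CA chain behind an IPA server
# certificate. NSS -8172 = SEC_ERROR_UNTRUSTED_ISSUER (seen from dirsrv),
# NSS -12195 = SSL_ERROR_UNKNOWN_CA_ALERT (seen from httpd). Both arise when
# an issuer sits in the database without the "C" flag in the SSL column.

# Read `certutil -L -d <dir>` output on stdin; print the nickname of every
# entry whose SSL trust column lacks both C and u.
untrusted_issuers() {
    awk '
        NF >= 2 && $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            split($NF, col, ",")
            if (col[1] ~ /u/ || col[1] ~ /C/) next
            nick = $0
            sub(/[ \t]+[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*[ \t]*$/, "", nick)
            print nick
        }'
}

# For each untrusted issuer on stdin (certutil -L output), print the
# certutil command that marks it as a trusted CA for SSL and client auth.
suggest_fixes() {
    db="$1"
    untrusted_issuers | while IFS= read -r nick; do
        printf 'certutil -M -d %s -n "%s" -t CT,,\n' "$db" "$nick"
    done
}

# Audit both databases from the thread (paths and instance name assumed),
# then verify the server cert chain as was done there with certutil -V -u V.
# Needs root and certutil on a real IPA server.
audit_ipa_dbs() {
    nick="${1:-MyIPA}"
    for db in /etc/httpd/alias /etc/dirsrv/slapd-EXAMPLE-COM; do
        [ -d "$db" ] || continue
        echo "== $db"
        certutil -L -d "$db" | suggest_fixes "$db"
        certutil -V -u V -d "$db" -n "$nick" \
            || echo "chain verification failed for $nick in $db"
    done
}

# Constructed sample (not captured from a real system): the listing from the
# thread, but with the intermediate still at the default untrusted ",," flags.
SAMPLE_LISTING='Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,'

# Stand-alone run: audit the sample listing. For live databases call
# audit_ipa_dbs MyIPA as root.
printf '%s\n' "$SAMPLE_LISTING" | suggest_fixes /etc/dirsrv/slapd-EXAMPLE-COM
```

Run on the sample, the script prints a single `certutil -M` line for the Go Daddy intermediate and nothing for the root (already `CT,,`) or for `MyIPA` (`u,u,u`). Rob's last point, that the client installer fetches the CA from LDAP, is outside what this check covers.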