John Moyer wrote:
Rob,
I think you had me look at that already. This is the output from
certutil on that:
[root@ ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
MyIPA u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
What certificate does the client have in /etc/ipa/ca.crt? Is it either
one of these?
Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior
to enrollment?
rob
Dmitri,
This is the same issue I've been having for a while, other things were
wrong before all of them stemmed from putting in the Godaddy signed cert.
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 2:30 PM, Dmitri Pal <[email protected]> wrote:
On 06/10/2013 02:17 PM, John Moyer wrote:
I don't know if this helps, but this is the log I'm getting from the IPA
server's apache error log.
[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not
recognize and trust the CA that issued your certificate
Is this the same issue we are discussing on the devel list?
The intermediate CA case?
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer <[email protected]> wrote:
Rob,
Sorry for the late response I tried the following
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2
Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure
Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid
After this I tried to add a machine and got the same error:
[root@~]# ipa-client-install --domain=example.com --server=server.example.com
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Any additional suggestions?
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden <[email protected]> wrote:
John Moyer wrote:
Rob,
MyIPA I believe was installed by IPA. I did everything you suggested,
the below is what it looks like now.
--------
certutil -d /etc/httpd/alias -L -h internal
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
MyIPA u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
----------
I'm still getting the following when I try to restart the dirsrv:
/etc/init.d/dirsrv restart
Shutting down dirsrv:
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
Starting dirsrv:
EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's
certificate issuer has been marked as not trusted by the user.)
[ OK ]
PKI-IPA... [ OK ]
You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
I'm also getting the following when I try to add a server to IPA:
ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM
-p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.
The client installer downloads the CA cert from LDAP, so make sure you have the
GoDaddy CA in LDAP.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
