Rob,
Do you mean doing this? If not, let me know.
[root@pki]# ls -la
total 32
drwxr-xr-x 8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x 6 root root 4096 Mar 4 22:22 CA
drwxr-xr-x 2 root root 4096 Jul 11 2012 java
lrwxrwxrwx 1 root root 24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x 2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x 2 root root 4096 Mar 21 15:19 rpm-gpg
drwx------ 2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x 5 root root 4096 Mar 21 15:18 tls
After I did that, I tried to enroll this system and got the same error.
The cert that is in /etc/ipa/ca.crt is the same as the one that is on the
server, which is the CA cert gotten from GoDaddy. You also had me convert this
into a DER version of the cert (using openssl) and jam that into the Directory
Server.
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
[email protected]
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com
On Jun 10, 2013, at 4:19 PM, Rob Crittenden <[email protected]> wrote:
> John Moyer wrote:
>> Rob,
>>
>> I think you had me look at that already. This is the output from
>> certutil on that:
>>
>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname Trust Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> MyIPA u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>
> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of
> these?
>
> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to
> enrollment?
>
> rob
>
>>
>>
>>
>> Dmitri,
>>
>> This is the same issue I've been having for a while; other things were
>> wrong before, and all of them stemmed from putting in the GoDaddy-signed cert.
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>>
>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <[email protected]> wrote:
>>
>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>> I don't know if this helps, but this is the log I'm getting from the IPA
>>>> server's apache error log.
>>>>
>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not
>>>> recognize and trust the CA that issued your certificate
>>>
>>> Is this the same issue we are discussing on the devel list?
>>> The intermediate CA case?
>>>
>>>>
>>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <[email protected]>
>>>> wrote:
>>>>
>>>>> Rob,
>>>>>
>>>>> Sorry for the late response. I tried the following:
>>>>>
>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy
>>>>> Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy
>>>>> Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>> certutil: certificate is valid
>>>>>
>>>>> After this I tried to add a machine and got the same error:
>>>>>
>>>>> [root@~]# ipa-client-install --domain=example.com
>>>>> --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: server.example.com
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>>
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>>>> transaction. Peer certificate cannot be authenticated with known CA
>>>>> certificates
>>>>>
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>>>
>>>>> Any additional suggestions?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> Director, IT Operations
>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <[email protected]> wrote:
>>>>>
>>>>>> John Moyer wrote:
>>>>>>> Rob,
>>>>>>>
>>>>>>> MyIPA I believe was installed by IPA. I did everything you
>>>>>>> suggested, the below is what it looks like now.
>>>>>>>
>>>>>>>
>>>>>>> --------
>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>
>>>>>>> Certificate Nickname Trust
>>>>>>> Attributes
>>>>>>>
>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>
>>>>>>> MyIPA u,u,u
>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
>>>>>>>
>>>>>>> ----------
>>>>>>>
>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>
>>>>>>> /etc/init.d/dirsrv restart
>>>>>>> Shutting down dirsrv:
>>>>>>> EXAMPLE-COM... [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>>> Starting dirsrv:
>>>>>>> EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert:
>>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of
>>>>>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>>>> -8172 - Peer's certificate issuer has been marked as not trusted by the
>>>>>>> user.)
>>>>>>> [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as
>>>>>> well.
>>>>>>
>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>>
>>>>>>> ipa-client-install --domain=example.com --server=server.example.com
>>>>>>> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>>>>>> transaction. Peer certificate cannot be authenticated with known CA
>>>>>>> certificates
>>>>>>>
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>> The client installer downloads the CA cert from LDAP, so make sure you
>>>>>> have the GoDaddy CA in LDAP.
>>>>>>
>>>>>> rob
>>>>>>
>>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>
>>
>>
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
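Added example, not part of the thread and not FreeIPA's own code. The listing at the top of this message shows /etc/pki/nssdb as a symlink to /usr/lib64/libnssckbi.so, with the original directory moved aside to nssdb.orig. Rob's "linking libnssckbi.so to /etc/pki/nssdb" reads, in my understanding (an assumption, not confirmed anywhere in the thread), as a symlink to the builtin-roots PKCS#11 module placed inside that directory, next to the database files, rather than in place of the directory. The script below tells those states apart for any NSS database path. It assumes the legacy dbm layout (cert8.db, key3.db, secmod.db) that certutil -d /etc/pki/nssdb uses on systems of that era, and the temporary-directory walk-through it performs is constructed, not taken from John's client.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the state of an NSS database
# directory such as /etc/pki/nssdb.
#
# Assumptions (mine, not stated by anyone in the thread):
#   - the legacy dbm database layout: cert8.db, key3.db and secmod.db in the directory;
#   - "linking libnssckbi.so to /etc/pki/nssdb" means a symlink to the builtin
#     roots module *inside* the directory, alongside those files.
#
# Output (one word):
#   missing       path does not exist
#   replaced      path is a symlink or plain file, not a directory
#                 (the ls listing in the thread: nssdb -> /usr/lib64/libnssckbi.so)
#   empty-dir     a directory, but without the three database files
#   db            database files present, no libnssckbi.so linked in
#   db+builtins   database files present and libnssckbi.so present alongside them
nssdb_state() {
    dir=$1
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo missing
        return 0
    fi
    # -L catches both a live symlink to the library and a dangling one;
    # ! -d catches a plain file dropped where the directory should be.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo replaced
        return 0
    fi
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo empty-dir
            return 0
        fi
    done
    if [ -e "$dir/libnssckbi.so" ] || [ -L "$dir/libnssckbi.so" ]; then
        echo db+builtins
    else
        echo db
    fi
}

# Constructed walk-through in a temporary directory: builds each state the
# function distinguishes and prints what it reports. Nothing here touches
# /etc/pki.
nssdb_demo() {
    t=$(mktemp -d)
    : > "$t/libnssckbi.so"                          # stand-in for /usr/lib64/libnssckbi.so
    mkdir "$t/empty"
    mkdir "$t/good"
    for f in cert8.db key3.db secmod.db; do : > "$t/good/$f"; done
    mkdir "$t/linked"
    for f in cert8.db key3.db secmod.db; do : > "$t/linked/$f"; done
    ln -s "$t/libnssckbi.so" "$t/linked/libnssckbi.so"   # link *inside* the directory
    ln -s "$t/libnssckbi.so" "$t/replaced"               # directory replaced by the link
    for p in nope empty good linked replaced; do
        printf '%-9s %s\n' "$p" "$(nssdb_state "$t/$p")"
    done
    rm -rf "$t"
}

# With no argument, report on the real client path; with a path, on that path;
# with "demo", run the constructed walk-through.
case ${1:-/etc/pki/nssdb} in
    demo) nssdb_demo ;;
    *)    nssdb_state "${1:-/etc/pki/nssdb}" ;;
esac
```

A `replaced` result means there is no NSS database at that path at all, so nothing on the client that opens /etc/pki/nssdb can consult a trust store there; restoring the directory (the nssdb.orig copy in the listing) and then running `certutil -d /etc/pki/nssdb -L` to see what the client actually trusts is the follow-up check before retrying enrollment.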