Rob,

Do you mean doing this? If not, let me know.

[root@pki]# ls -la
total 32
drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
drwxr-xr-x  2 root root 4096 Jul 11  2012 java
lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
drwx------  2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls

After I did that, I tried to enroll this system and got the same error.

The cert that is in /etc/ipa/ca.crt is the same as the one that is on the 
server, which is the CA cert gotten from GoDaddy. You also had me change this 
into a DER version of the cert (using openssl) and jam that into the Directory 
Server.


Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com

On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Moyer wrote:
>> Rob,
>> 
>>      I think you had me look at that already. This is the output from 
>> certutil on that:
>> 
>> [root@ ~]# certutil -d /etc/httpd/alias -L
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> MyIPA                                                        u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
> 
> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of 
> these?
> 
> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to 
> enrollment?
> 
> rob
> 
>> 
>> 
>> 
>> Dmitri,
>> 
>>      This is the same issue I've been having for a while. Other things were 
>> wrong before; all of them stemmed from putting in the GoDaddy-signed cert.
>> 
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> 
>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <d...@redhat.com> wrote:
>> 
>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>> I don't know if this helps, but this is the log I'm getting from the IPA 
>>>> server's Apache error log.
>>>> 
>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
>>>> recognize and trust the CA that issued your certificate
>>> 
>>> Is this the same issue we are discussing on the devel list?
>>> The intermediate CA case?
>>> 
>>>> 
>>>> 
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com> 
>>>> wrote:
>>>> 
>>>>> Rob,
>>>>> 
>>>>>   Sorry for the late response. I tried the following:
>>>>> 
>>>>> [root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy 
>>>>> Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>> [root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy 
>>>>> Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>> certutil: certificate is valid
>>>>> 
>>>>> After this I tried to add a machine and got the same error:
>>>>> 
>>>>> [root@~]# ipa-client-install --domain=example.com 
>>>>> --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: server.example.com
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>> 
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST 
>>>>> transaction.  Peer certificate cannot be authenticated with known CA 
>>>>> certificates
>>>>> 
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>>> 
>>>>> Any additional suggestions?
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> Director, IT Operations
>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> 
>>>>>> John Moyer wrote:
>>>>>>> Rob,
>>>>>>> 
>>>>>>>         MyIPA, I believe, was installed by IPA. I did everything you 
>>>>>>> suggested; below is what it looks like now.
>>>>>>> 
>>>>>>> 
>>>>>>> --------
>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>> 
>>>>>>> Certificate Nickname                                         Trust Attributes
>>>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>>> 
>>>>>>> MyIPA                                                        u,u,u
>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>>>> 
>>>>>>> ----------
>>>>>>> 
>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>> 
>>>>>>> /etc/init.d/dirsrv restart
>>>>>>> Shutting down dirsrv:
>>>>>>>   EXAMPLE-COM...                                [  OK  ]
>>>>>>>   PKI-IPA...                                             [  OK  ]
>>>>>>> Starting dirsrv:
>>>>>>>   EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: 
>>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
>>>>>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
>>>>>>> -8172 - Peer's certificate issuer has been marked as not trusted by the 
>>>>>>> user.)
>>>>>>>                                                          [  OK  ]
>>>>>>>   PKI-IPA...                                             [  OK  ]
>>>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as 
>>>>>> well.
>>>>>> 
>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>> 
>>>>>>> ipa-client-install --domain=example.com --server=server.example.com 
>>>>>>> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>> 
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST 
>>>>>>> transaction.  Peer certificate cannot be authenticated with known CA 
>>>>>>> certificates
>>>>>>> 
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>> The client installer downloads the CA cert from LDAP, so make sure you 
>>>>>> have the GoDaddy CA in LDAP.
>>>>>> 
>>>>>> rob
>>>>>> 
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> 
>>> 
>>> --
>>> Thank you,
>>> Dmitri Pal
>>> 
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>> 
>>> 
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 


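The checks Rob walks John through above (are the GoDaddy root and intermediate present with CT,, trust in both the /etc/httpd/alias and the /etc/dirsrv/slapd-* NSS databases, is /etc/ipa/ca.crt one of them, and is the libnssckbi.so link in place on the client) can be scripted so they are done once per database instead of by eye. The following is an added example written for this thread; it is not code from the thread, from FreeIPA or from Red Hat. It only parses text pasted in from `certutil -L` and inspects a filesystem path, so it runs offline. The httpd listing is the one John posted; the "before" dirsrv listing is constructed to show what the functions report. The layout check encodes my reading of Rob's suggestion, namely a real /etc/pki/nssdb directory that contains a symlink named libnssckbi.so pointing at the builtin-roots library; that reading is an assumption of the example, not something the thread states in those words.

```python
"""Offline audit helpers for the NSS trust problem discussed in this thread.

Added example, not code from the thread, from FreeIPA or from Red Hat. It
only parses `certutil -L` output you paste in and looks at one path; it
never contacts a server. DIRSRV_LISTING_BEFORE is constructed.
"""
import base64
import hashlib
import os
import re
import shutil
import tempfile

# Trust column of `certutil -L`: three comma-separated slots (SSL, S/MIME,
# JAR/XPI), each a possibly empty string of the flags p, P, c, C, T, u.
_TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Listing as posted in the thread (/etc/httpd/alias after the trust change).
HTTPD_ALIAS_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

# Constructed: a slapd-EXAMPLE-COM database where the intermediate was
# imported without trust flags and the root was never imported at all.
DIRSRV_LISTING_BEFORE = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
"""


def parse_certutil_list(text):
    """Map nickname -> trust string. Nicknames may contain spaces, so the
    last whitespace-separated token is taken as the trust column; the two
    header lines do not match the trust pattern and are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and _TRUST_RE.match(parts[1]):
            entries[parts[0].rstrip()] = parts[1]
    return entries


def ca_trust_problems(entries, server_nick):
    """Nicknames other than the server cert whose SSL slot lacks C, i.e. are
    not trusted to issue server certs. `certutil -M -t CT,,` sets it; without
    it NSS reports -8172 (issuer marked as not trusted by the user)."""
    bad = []
    for nick, trust in entries.items():
        if nick != server_nick and "C" not in trust.split(",")[0]:
            bad.append(nick)
    return sorted(bad)


def missing_from(reference, other):
    """Nicknames present in one NSS DB but absent from another: the httpd and
    dirsrv databases both need the full issuing chain."""
    return sorted(set(reference) - set(other))


def pem_sha256_fingerprints(pem_text):
    """SHA-256 of the DER form of every cert in a PEM bundle, so that
    /etc/ipa/ca.crt can be compared with `certutil -d <db> -L -n <nick> -a`."""
    return [hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()
            for m in _PEM_RE.finditer(pem_text)]


def nssdb_layout(path):
    """Classify an NSS DB path against the assumed intended layout: a real
    directory holding the DB files plus a symlink named libnssckbi.so."""
    if not os.path.lexists(path):
        return "missing"
    if not os.path.isdir(path):
        return "symlink-or-file, not a directory"
    if os.path.lexists(os.path.join(path, "libnssckbi.so")):
        return "directory with libnssckbi.so link"
    return "directory without libnssckbi.so link"


def demo_layouts():
    """Build both layouts in a scratch directory and classify each."""
    root = tempfile.mkdtemp()
    try:
        good = os.path.join(root, "good", "nssdb")
        os.makedirs(good)
        os.symlink("/usr/lib64/libnssckbi.so", os.path.join(good, "libnssckbi.so"))
        bad = os.path.join(root, "bad", "nssdb")  # the DB path itself is the link
        os.makedirs(os.path.dirname(bad))
        os.symlink("/usr/lib64/libnssckbi.so", bad)
        return {"good": nssdb_layout(good), "bad": nssdb_layout(bad)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    httpd = parse_certutil_list(HTTPD_ALIAS_LISTING)
    dirsrv = parse_certutil_list(DIRSRV_LISTING_BEFORE)
    print("untrusted CAs in dirsrv DB:", ca_trust_problems(dirsrv, "MyIPA"))
    print("missing from dirsrv DB:", missing_from(httpd, dirsrv))
    print(demo_layouts())
```

In practice you would feed `certutil -d /etc/httpd/alias -L` and `certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L` into parse_certutil_list, run ca_trust_problems on each with the server nickname, and diff them with missing_from; the fingerprint helper answers Rob's question of whether /etc/ipa/ca.crt matches one of the listed CAs. Only the SSL slot is checked because that is the slot the LDAP and HTTPS listeners consult; nothing here changes a database, it only reports.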
