So this is what I did and how it went afterwards:

[root@nssdb]# ln -s /usr/lib64/libnssckbi.so libnssckbi.so
[root@nssdb]# ls -la
total 132
drwxr-xr-x 2 root root  4096 Jun 11 13:50 .
drwxr-xr-x 8 root root  4096 Jun 11 13:50 ..
-rw-r--r-- 1 root root 65536 Jan 12  2010 cert8.db
-rw-r--r-- 1 root root  9216 Jan 12  2010 cert9.db
-rw-r--r-- 1 root root 16384 Jan 12  2010 key3.db
-rw-r--r-- 1 root root 11264 Jan 12  2010 key4.db
lrwxrwxrwx 1 root root    24 Jun 11 13:50 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r--r-- 1 root root   451 Jan 10 02:13 pkcs11.txt
-rw-r--r-- 1 root root 16384 Jan 12  2010 secmod.db
[root@nssdb]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "blah" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@ nssdb]#

Thanks,
_____________________________________________________
John Moyer
Director, IT Operations

On Jun 10, 2013, at 4:42 PM, Rob Crittenden <[email protected]> wrote:

> John Moyer wrote:
>> Rob,
>>
>> Do you mean doing this? If not let me know.
>>
>> [root@pki]# ls -la
>> total 32
>> drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
>> drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
>> drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
>> drwxr-xr-x  2 root root 4096 Jul 11  2012 java
>> lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
>> drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
>> drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
>> drwx------  2 root root 4096 Feb 22 05:07 rsyslog
>> drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls
>
> No, you need to link the shared library into the nssdb directory. nssdb
> should contain 3 db files, cert8, key3 and secmod. This is the common NSS db
> that the client uses.
>
>> After I did that I tried to enroll this system and got the same error.
>>
>> The cert that is in the /etc/ipa/ca.crt is the same as the one that is on
>> the server which is the CA Cert gotten from godaddy. You also had me
>> change this into a der version of the Cert (using openssl) and jam that into
>> the Directory server.
>
> Right but which one, there are two.
>
> rob
>
>>
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>> Digital Reasoning Systems, Inc.
>> [email protected]
>> Office: 703.678.2311
>> Mobile: 240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>>
>> On Jun 10, 2013, at 4:19 PM, Rob Crittenden <[email protected]> wrote:
>>
>>> John Moyer wrote:
>>>> Rob,
>>>>
>>>> I think you had me look at that already. This is the output from
>>>> certutil on that:
>>>>
>>>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>>>
>>>> Certificate Nickname                                               Trust Attributes
>>>>                                                                    SSL,S/MIME,JAR/XPI
>>>>
>>>> MyIPA                                                              u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
>>>
>>> What certificate does the client have in /etc/ipa/ca.crt? Is it either one
>>> of these?
>>>
>>> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to
>>> enrollment?
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> Dmitri,
>>>>
>>>> This is the same issue I've been having for a while, other things were
>>>> wrong before all of them stemmed from putting in the Godaddy signed cert.
>>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>>
>>>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <[email protected]> wrote:
>>>>
>>>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>>>> I don't know if this helps, but this is the log I'm getting from the IPA
>>>>>> server's apache error log.
>>>>>>
>>>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does
>>>>>> not recognize and trust the CA that issued your certificate
>>>>>
>>>>> Is this the same issue we are discussing on the devel list?
>>>>> The intermediate CA case?
>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> _____________________________________________________
>>>>>> John Moyer
>>>>>> Director, IT Operations
>>>>>>
>>>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <[email protected]> wrote:
>>>>>>
>>>>>>> Rob,
>>>>>>>
>>>>>>> Sorry for the late response I tried the following
>>>>>>>
>>>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>>>> certutil: certificate is valid
>>>>>>>
>>>>>>> After this I tried to add a machine and got the same error:
>>>>>>>
>>>>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: server.example.com
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>>>>>> transaction. Peer certificate cannot be authenticated with known CA
>>>>>>> certificates
>>>>>>>
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>>>
>>>>>>> Any additional suggestions?
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>> Director, IT Operations
>>>>>>>
>>>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <[email protected]> wrote:
>>>>>>>
>>>>>>>> John Moyer wrote:
>>>>>>>>> Rob,
>>>>>>>>>
>>>>>>>>> MyIPA I believe was installed by IPA. I did everything you
>>>>>>>>> suggested, the below is what it looks like now.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------
>>>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>>>
>>>>>>>>> Certificate Nickname                                               Trust Attributes
>>>>>>>>>                                                                    SSL,S/MIME,JAR/XPI
>>>>>>>>>
>>>>>>>>> MyIPA                                                              u,u,u
>>>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
>>>>>>>>>
>>>>>>>>> ----------
>>>>>>>>>
>>>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>>>
>>>>>>>>> /etc/init.d/dirsrv restart
>>>>>>>>> Shutting down dirsrv:
>>>>>>>>>     EXAMPLE-COM...                                 [  OK  ]
>>>>>>>>>     PKI-IPA...                                     [  OK  ]
>>>>>>>>> Starting dirsrv:
>>>>>>>>>     EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert:
>>>>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA
>>>>>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
>>>>>>>>> error -8172 - Peer's certificate issuer has been marked as not
>>>>>>>>> trusted by the user.)
>>>>>>>>>                                                    [  OK  ]
>>>>>>>>>     PKI-IPA...                                     [  OK  ]
>>>>>>>>
>>>>>>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM
>>>>>>>> as well.
>>>>>>>>
>>>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>>>>
>>>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>>>> Realm: EXAMPLE.COM
>>>>>>>>> DNS Domain: example.com
>>>>>>>>> IPA Server: server.example.com
>>>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>>>
>>>>>>>>> Synchronizing time with KDC...
>>>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>>>>>>>> transaction. Peer certificate cannot be authenticated with known CA
>>>>>>>>> certificates
>>>>>>>>>
>>>>>>>>> Installation failed. Rolling back changes.
>>>>>>>>> IPA client is not configured on this system.
>>>>>>>>
>>>>>>>> The client installer downloads the CA cert from LDAP, so make sure you
>>>>>>>> have the GoDaddy CA in LDAP.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> [email protected]
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager for IdM portfolio
>>>>> Red Hat Inc.
>>>>>
>>>>>
>>>>> -------------------------------
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
>>>>
>>>
>>
>
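The "intermediate CA case" Dmitri refers to above is easy to reproduce without an IPA server. The script below is an added example and is not from the thread, from FreeIPA or from NSS; it builds a throwaway two-level PKI with openssl (a self-signed "Demo Root CA", a "Demo Issuing CA" signed by it, and a server certificate for server.example.com signed by the intermediate, all names made up here) and then verifies the server certificate against four different trust stores. The two failing cases correspond to what happens when a client only knows the public root but the server never presents the intermediate, or when it only knows the intermediate and has nothing self-signed to anchor on. The two passing cases show what a client's CA file needs to contain for a GoDaddy-style chain to validate.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the intermediate-CA trust
# failure with a throwaway two-level PKI. The CA names and the hostname
# server.example.com are made up for this demo.
set -eu

# Extension profiles for the three certificates (root, intermediate, leaf).
write_openssl_config() {
  cat > "$1/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build root -> intermediate -> leaf under directory $1. This mirrors a public
# CA that signs server certificates from an intermediate rather than its root.
build_demo_pki() {
  d=$1
  write_openssl_config "$d"
  # Self-signed root CA
  openssl req -new -x509 -config "$d/demo.cnf" -extensions v3_root \
    -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Demo Root CA" -days 3650 2>/dev/null
  # Intermediate (issuing) CA, signed by the root
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Issuing CA" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1001 -days 1825 -extfile "$d/demo.cnf" -extensions v3_int \
    -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=server.example.com" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 2001 -days 365 -extfile "$d/demo.cnf" -extensions v3_leaf \
    -out "$d/leaf.pem" 2>/dev/null
  # The full issuing chain, i.e. what a client-side CA file should carry
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# verify_leaf TRUSTSTORE LEAF [UNTRUSTED]
# Returns 0 if LEAF chains to a self-signed anchor in TRUSTSTORE, optionally
# using the certificates in UNTRUSTED as chain material (what a TLS server
# would send alongside its own certificate). Returns 1 otherwise.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() {
  if verify_leaf "$2" "$3" "${4:-}"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"

report "trust root only, server sends only its own cert" "$DEMO_DIR/root.pem"  "$DEMO_DIR/leaf.pem"
report "trust intermediate only                        " "$DEMO_DIR/int.pem"   "$DEMO_DIR/leaf.pem"
report "trust root, server also sends the intermediate " "$DEMO_DIR/root.pem"  "$DEMO_DIR/leaf.pem" "$DEMO_DIR/int.pem"
report "trust the full chain (root + intermediate)     " "$DEMO_DIR/chain.pem" "$DEMO_DIR/leaf.pem"
```

The first two lines print FAIL and the last two print OK. Mapping this back to the thread: libcurl's "Peer certificate cannot be authenticated with known CA certificates" is the generic chain-validation failure, so on an IPA client it is worth checking that /etc/ipa/ca.crt looks like chain.pem here (the intermediate plus the root it chains to) rather than a single certificate, and that the server side sends the intermediate along with the server certificate. Linking libnssckbi.so into /etc/pki/nssdb, as Rob suggests, supplies the public root to NSS; it does not by itself supply a missing intermediate.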
