Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

2012-11-06 Thread Rob Crittenden

Tim Hughes wrote:


I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
ipa-server-2.2.0-16.el6.x86_64 with the following command


ipa migrate-ds ldaps://fedora-ds-server.internal --continue
--with-compat --base-dn=dc=custsvc,dc=mycompany
--user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
--group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany


I get the following response.


ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
ipa: DEBUG: Caught fault 4203 from server
http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the user.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
certificate issuer has been marked as not trusted by the user.


I am trying to work out which certificate is not trusted and how I
should make it trusted. Any help would be appreciated.


I suspect you're going to need to add the CA that issued your LDAP 
server certificate to the IPA Apache NSS certificate database (where our 
admin framework runs).


You'd add it something like this:

# certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a -i /path/to/ca.crt


The -n 'LDAP CA' adds a nickname to the CA. There is nothing special 
about this, it just needs to be unique. Use something meaningful to you.


Then restart the httpd service and try the migration again.

I don't know if we've tested using ldaps, so if my suggestion works can 
you let us know?


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
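NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER: the issuer of the LDAP server's certificate is either absent from the NSS database or present without CA trust for SSL. The following POSIX shell helper, added here and not from the thread, reads the output of certutil -L for a database and confirms that a nickname is listed with C in the SSL column (the first of the three trust columns, SSL,S/MIME,JAR/XPI), which is what the -t CT,C,C in the command above grants. The listing embedded in it is constructed and the nicknames are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a CA is present in an NSS
# database with SSL trust, given the output of `certutil -L -d <dbdir>`.
# A 'C' in the SSL column means "trusted CA for issuing server certs", which
# NSS requires before it will accept a server certificate that CA issued.

# Constructed sample listing (same layout as certutil -L); nicknames assumed.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                              CT,C,C
ipaCert                                         u,u,u
Server-Cert                                     u,u,u
LDAP CA                                         ,,
'

# Print the trust attributes of one nickname, reading certutil -L on stdin.
# Nicknames may contain spaces, so everything before the last field is the name;
# the regex keeps the two header lines out.
nss_trust_flags() {
    awk -v nick="$1" 'NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
        flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
        if ($0 == nick) { print flags; exit }
    }'
}

# Return 0 if nickname $1 appears in the listing $2 with C in the SSL column,
# 1 if it is present but not trusted for SSL, 2 if it is absent.
ca_trusted_for_ssl() {
    flags=$(printf '%s' "$2" | nss_trust_flags "$1")
    if [ -z "$flags" ]; then
        echo "no certificate with nickname '$1' in the database" >&2
        return 2
    fi
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   echo "'$1' is present but its SSL trust is '${flags%%,*}', need C" >&2
             return 1 ;;
    esac
}

# Against the live database from the thread (assumed path), after certutil -A:
#   ca_trusted_for_ssl 'LDAP CA' "$(certutil -L -d /etc/httpd/alias)"
ca_trusted_for_ssl 'LDAP CA' "$SAMPLE_LISTING" || echo 'add the CA with certutil -A ... -t CT,C,C and restart httpd'
```

In the sample the LDAP CA nickname exists but carries empty trust (",,"), which is exactly the state that still produces -8172; the check distinguishes that from a CA that was never imported.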


Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

2012-11-06 Thread Dmitri Pal
On 11/06/2012 08:07 AM, Rob Crittenden wrote:
 Tim Hughes wrote:

 I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
 ipa-server-2.2.0-16.el6.x86_64 with the following command


 ipa migrate-ds ldaps://fedora-ds-server.internal --continue
 --with-compat --base-dn=dc=custsvc,dc=mycompany
 --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
 --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany


 I get the following response.


 ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
 ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
 ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
 ipa: DEBUG: Caught fault 4203 from server
 http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error
 -8172:Peer's certificate issuer has been marked as not trusted by the
 user.
 ipa: DEBUG: Destroyed connection context.xmlclient
 ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
 certificate issuer has been marked as not trusted by the user.


 I am trying to work out which certificate is not trusted and how I
 should make it trusted. Any help would be appreciated.

 I suspect you're going to need to add the CA that issued your LDAP
 server certificate to the IPA Apache NSS certificate database (where
 our admin framework runs).

 You'd add it something like this:

 # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a -i /path/to/ca.crt

 The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
 about this, it just needs to be unique. Use something meaningful to you.

 Then restart the httpd service and try the migration again.

 I don't know if we've tested using ldaps, so if my suggestion works
 can you let us know?

IMO the migrate-ds command should have an additional argument to point to
the cert file to use for the connection.
Then the framework should get the cert and import it into the store itself.

Rob, do you agree that this would be a valid RFE?


 rob



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

2012-11-06 Thread Rob Crittenden

Dmitri Pal wrote:

On 11/06/2012 08:07 AM, Rob Crittenden wrote:

Tim Hughes wrote:


I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
ipa-server-2.2.0-16.el6.x86_64 with the following command


ipa migrate-ds ldaps://fedora-ds-server.internal --continue
--with-compat --base-dn=dc=custsvc,dc=mycompany
--user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
--group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany


I get the following response.


ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
ipa: DEBUG: Caught fault 4203 from server
http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the
user.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
certificate issuer has been marked as not trusted by the user.


I am trying to work out which certificate is not trusted and how I
should make it trusted. Any help would be appreciated.


I suspect you're going to need to add the CA that issued your LDAP
server certificate to the IPA Apache NSS certificate database (where
our admin framework runs).

You'd add it something like this:

# certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a -i /path/to/ca.crt

The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
about this, it just needs to be unique. Use something meaningful to you.

Then restart the httpd service and try the migration again.

I don't know if we've tested using ldaps, so if my suggestion works
can you let us know?


IMO the migrate-ds command should have an additional argument to point to
the cert file to use for the connection.
Then the framework should get the cert and import it into the store itself.

Rob, do you agree that this would be a valid RFE?


Yup, certainly something that would make things easier.

rob



Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

2012-11-06 Thread Dmitri Pal
On 11/06/2012 11:58 AM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 On 11/06/2012 08:07 AM, Rob Crittenden wrote:
 Tim Hughes wrote:

 I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
 ipa-server-2.2.0-16.el6.x86_64 with the following command


 ipa migrate-ds ldaps://fedora-ds-server.internal --continue
 --with-compat --base-dn=dc=custsvc,dc=mycompany
 --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
 --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany


 I get the following response.


 ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
 ipa: DEBUG: cert valid True for
 CN=ipa-server.internal,O=CO.MYCOMPANY
 ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
 ipa: DEBUG: Caught fault 4203 from server
 http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS
 error
 -8172:Peer's certificate issuer has been marked as not trusted by the
 user.
 ipa: DEBUG: Destroyed connection context.xmlclient
 ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
 certificate issuer has been marked as not trusted by the user.


 I am trying to work out which certificate is not trusted and how I
 should make it trusted. Any help would be appreciated.

 I suspect you're going to need to add the CA that issued your LDAP
 server certificate to the IPA Apache NSS certificate database (where
 our admin framework runs).

 You'd add it something like this:

 # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a -i /path/to/ca.crt

 The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
 about this, it just needs to be unique. Use something meaningful to
 you.

 Then restart the httpd service and try the migration again.

 I don't know if we've tested using ldaps, so if my suggestion works
 can you let us know?

 IMO the migrate-ds command should have an additional argument to point to
 the cert file to use for the connection.
 Then the framework should get the cert and import it into the store
 itself.

 Rob, do you agree that this would be a valid RFE?

 Yup, certainly something that would make things easier.

 rob

https://fedorahosted.org/freeipa/ticket/3243

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

2012-11-05 Thread Dmitri Pal
On 11/05/2012 01:51 PM, Tim Hughes wrote:

 I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
 ipa-server-2.2.0-16.el6.x86_64 with the following command


 ipa migrate-ds ldaps://fedora-ds-server.internal --continue
 --with-compat --base-dn=dc=custsvc,dc=mycompany
 --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
 --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany


You are using ldaps but there is no cert info defined to connect to
fedora-DS with SSL.
Did you mean ldap://... ?


 I get the following response.


 ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
 ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
 ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
 ipa: DEBUG: Caught fault 4203 from server
 http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS
 error -8172:Peer's certificate issuer has been marked as not trusted
 by the user.
 ipa: DEBUG: Destroyed connection context.xmlclient
 ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
 certificate issuer has been marked as not trusted by the user.


 I am trying to work out which certificate is not trusted and how I
 should make it trusted. Any help would be appreciated.


 Tim Hughes
 thug...@thegoldfish.org






-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




