Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-11 Thread John Moyer
So this is what I did and how it went afterwards: 

[root@nssdb]# ln -s /usr/lib64/libnssckbi.so libnssckbi.so
[root@nssdb]# ls -la
total 132
drwxr-xr-x 2 root root  4096 Jun 11 13:50 .
drwxr-xr-x 8 root root  4096 Jun 11 13:50 ..
-rw-r--r-- 1 root root 65536 Jan 12  2010 cert8.db
-rw-r--r-- 1 root root  9216 Jan 12  2010 cert9.db
-rw-r--r-- 1 root root 16384 Jan 12  2010 key3.db
-rw-r--r-- 1 root root 11264 Jan 12  2010 key4.db
lrwxrwxrwx 1 root root    24 Jun 11 13:50 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r--r-- 1 root root   451 Jan 10 02:13 pkcs11.txt
-rw-r--r-- 1 root root 16384 Jan 12  2010 secmod.db
[root@nssdb]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "blah" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@nssdb]#

Thanks, 
_
John Moyer
Director, IT Operations
On Jun 10, 2013, at 4:42 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> Rob,
>> 
>>  Do you mean doing this?  If not let me know.
>> 
>> [root@pki]# ls -la
>> total 32
>> drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
>> drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
>> drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
>> drwxr-xr-x  2 root root 4096 Jul 11  2012 java
>> lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
>> drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
>> drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
>> drwx--  2 root root 4096 Feb 22 05:07 rsyslog
>> drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls
> 
> No, you need to link the shared library into the nssdb directory. nssdb 
> should contain 3 db files, cert8, key3 and secmod. This is the common NSS db 
> that the client uses.
> 
>> After I did that I tried to enroll this system and got the same error.
>> 
>> The cert that is in the /etc/ipa/ca.crt is the same as the one that is on 
>> the server which is the CA Cert gotten from godaddy.   You also had me 
>> change this into a der version of the Cert (using openssl) and jam that into 
>> the Directory server.
> 
> Right but which one, there are two.
> 
> rob
> 
>> 
>> 
>> Thanks,
>> _
>> John Moyer
>> Director, IT Operations
>> Digital Reasoning Systems, Inc.
>> john.mo...@digitalreasoning.com
>> Office:  703.678.2311
>> Mobile:  240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>> 
>> On Jun 10, 2013, at 4:19 PM, Rob Crittenden  wrote:
>> 
>>> John Moyer wrote:
>>>> Rob,
>>>> 
>>>> I think you had me look at that already.   This is the output from
>>>> certutil on that:
>>>> 
>>>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>>> 
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>> 
>>>> MyIPA                                                        u,u,u
>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>> 
>>> What certificate does the client have in /etc/ipa/ca.crt? Is it either one 
>>> of these?
>>> 
>>> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to 
>>> enrollment?
>>> 
>>> rob
>>> 
>>>> 
>>>> 
>>>> Dmitri,
>>>> 
>>>> This is the same issue I've been having for a while, other things were
>>>> wrong before all of them stemmed from putting in the Godaddy signed cert.
>>>> 
>>>> Thanks,
>>>> _
>>>> John Moyer
>>>> Director, IT Operations
>>>> 
>>>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal  wrote:
>>>> 
>>>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>>>> I don't know if this helps, but this is the log I'm getting from the IPA
>>>>>> server's apache error log.
>>>>>> 
>>>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does
>>>>>> not recognize and trust the CA that issued your certificate
>>>>> 
>>>>> Is this the same issue we are discussing on the devel list?
>>>>> The intermediate CA case?
>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> _
>>>>>> John Moyer
>>>>>> Director, IT Operations
>>>>>> On Jun 10, 2013, at 9:52 AM, John Moyer  wrote:
>>>>>> 
>>>>>>> Rob,
>>>>>>> 
>>>>>>> Sorry for the late response I tried the following
>>>>>>> 
>>>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>>>> [root@etc]# certutil -M -d /etc/dirsrv/s

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Dennis
On 06/10/2013 04:50 PM, John Dennis wrote:
> Either dump the text form of your CA cert and send it along or send us
> the cert in PEM format and we'll open it up.

Actually, in hindsight, send us all the Godaddy certs in PEM format
only; the tools need to read PEM format. Text format would be
interesting for us humans, but the tools need PEM and we can always
generate the text format from PEM anyway.

John

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Dennis
On 06/10/2013 04:32 PM, John Moyer wrote:
>   Do you mean doing this?  If not let me know. 

I'm afraid much of what has been done so far amounts to flailing about.
The information needed to resolve the problem is contained in your cert.
I'm pretty sure I asked for this information previously, with detailed
instructions on how to retrieve it.

We need to know the full contents of the cert, including its extensions
and the issuer. Then we need to know the contents of your NSS database.
That should be enough to answer the question of why your CA cert is not
validating as expected.

Either dump the text form of your CA cert and send it along or send us
the cert in PEM format and we'll open it up. I suggest you do that in a
private email to either me or Rob as opposed to the list. I have tools
that will help diagnose why NSS might fail to validate a cert.

Also, many public CAs will not issue, or will restrict, signing CA certs
because that opens them up to liability (they can't know what your CA
will sign, and if they sign your CA they are in effect vouching for any
cert you issue). This is another reason it's important to see the
contents of the cert: to determine what actions that cert is authorized
to perform and who is authorizing those actions. Make sense?

John


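The inspection John Dennis is asking for, as an added example that is not part of the thread and not FreeIPA's code. The real GoDaddy certs are not on this page, so the script generates its own throwaway root, intermediate and server certificate with openssl, and then shows four things: the Basic Constraints of each cert (the extension that says whether a cert may sign other certs and how deep, which is what the remark about CAs restricting signing CA certs comes down to); the rejection a verifier produces when it holds the root but the intermediate is missing (Dmitri's "intermediate CA case"); the difference between trusting the intermediate directly with and without -partial_chain; and a SHA-256 fingerprint comparison between the PEM form of a CA cert and its DER form, which is the quick way to tell whether the cert pushed into the directory server, /etc/ipa/ca.crt and the CT,, entries in the NSS databases are the same certificate. The names Demo Root CA, Demo Intermediate CA and server.example.com and the scratch directory WORK are assumptions for the demo; nothing in it touches a FreeIPA installation.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Builds a throwaway
# root -> intermediate -> server chain with openssl, then shows (1) what each
# cert's Basic Constraints allow it to do, (2) why a verifier holding only the
# root rejects the server cert when the intermediate is absent, and (3) how to
# compare the DER form of a CA cert (what a directory attribute holds) with
# its PEM form. All names below are demo assumptions; WORK is a scratch dir.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=${WORK:-$(mktemp -d)}

# make_chain: root (CA:TRUE), intermediate (CA:TRUE, pathlen:0), leaf (CA:FALSE).
# Runs in a subshell so the cd does not leak into the caller.
make_chain() (
  cd "$WORK"
  for n in root int leaf; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >int.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.example.com\n' >leaf.ext
  openssl req -new -key root.key -subj "/CN=Demo Root CA" -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext -out root.pem 2>/dev/null
  openssl req -new -key int.key -subj "/CN=Demo Intermediate CA" -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -extfile int.ext -out int.pem 2>/dev/null
  openssl req -new -key leaf.key -subj "/CN=server.example.com" -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
  openssl x509 -in root.pem -outform DER -out root.der   # the form a DER copy in LDAP takes
)

# basic_constraints cert.pem: print the Basic Constraints value, e.g. "CA:TRUE, pathlen:0"
basic_constraints() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Basic Constraints/{n;s/^ *//;p;q;}'
}

# issuer cert.pem: print the issuer DN as openssl formats it
issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'; }

# verify_leaf anchor.pem leaf.pem [untrusted.pem]: 0 when leaf chains to the anchor.
# The optional third file plays the role of the intermediate a server should send.
verify_leaf() {
  if [ $# -ge 3 ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}

# verify_partial anchor.pem leaf.pem: accept a non-self-signed anchor. OpenSSL
# otherwise insists on reaching a self-signed root; NSS keys trust anchors off
# the entry's trust flags instead, which is why a CT,, intermediate can serve there.
verify_partial() { openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; }

# fingerprint cert [PEM|DER]: SHA-256 fingerprint, so a DER blob and a PEM file
# can be checked for being the same certificate
fingerprint() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

make_chain
for c in root int leaf; do
  printf '%-5s issuer: %-28s basicConstraints: %s\n' "$c" "$(issuer "$WORK/$c.pem")" "$(basic_constraints "$WORK/$c.pem")"
done
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem" && echo "root anchor + intermediate supplied: leaf OK"
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" || echo "root anchor, intermediate missing:   leaf REJECTED"
verify_leaf "$WORK/int.pem" "$WORK/leaf.pem"  || echo "intermediate anchor, strict:         leaf REJECTED"
verify_partial "$WORK/int.pem" "$WORK/leaf.pem" && echo "intermediate anchor, -partial_chain: leaf OK"
[ "$(fingerprint "$WORK/root.pem")" = "$(fingerprint "$WORK/root.der" DER)" ] && echo "PEM and DER copies of the root match"
```

Against a real server the same checks read: `openssl x509 -in /etc/ipa/ca.crt -noout -text` for the Basic Constraints and issuer of what the client was handed, `openssl s_client -connect server.example.com:443 -showcerts` to see whether Apache actually sends the intermediate in the handshake, and the fingerprint of each copy (the PEM on the client, the DER value in the directory after `base64 -d`, each CT,, entry exported with `certutil -L -n <nick> -a`) to find the odd one out. That is the concrete form of Rob's "which one, there are two": the client's anchor has to be the cert that actually issued the Apache certificate, or a root that the supplied chain reaches.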


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Rob Crittenden

John Moyer wrote:

Rob,

Do you mean doing this?  If not let me know.

[root@pki]# ls -la
total 32
drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
drwxr-xr-x  2 root root 4096 Jul 11  2012 java
lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
drwx--  2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls


No, you need to link the shared library into the nssdb directory. nssdb 
should contain 3 db files, cert8, key3 and secmod. This is the common 
NSS db that the client uses.



After I did that I tried to enroll this system and got the same error.

The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the 
server which is the CA Cert gotten from godaddy.   You also had me change this 
into a der version of the Cert (using openssl) and jam that into the Directory 
server.


Right but which one, there are two.

rob




Thanks,
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Jun 10, 2013, at 4:19 PM, Rob Crittenden  wrote:


John Moyer wrote:

Rob,

I think you had me look at that already.   This is the output from 
certutil on that:

[root@ ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,


What certificate does the client have in /etc/ipa/ca.crt? Is it either one of 
these?

Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to 
enrollment?

rob





Dmitri,

This is the same issue I've been having for a while, other things were 
wrong before all of them stemmed from putting in the Godaddy signed cert.

Thanks,
_
John Moyer
Director, IT Operations

On Jun 10, 2013, at 2:30 PM, Dmitri Pal  wrote:


On 06/10/2013 02:17 PM, John Moyer wrote:

I don't know if this helps, but this is the log I'm getting from the IPA 
server's apache error log.

[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
recognize and trust the CA that issued your certificate


Is this the same issue we are discussing on the devel list?
The intermediate CA case?




Thanks,
_
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer  wrote:


Rob,

Sorry for the late response I tried the following

[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid

After this I tried to add a machine and got the same error:

[root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks,
_
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:


John Moyer wrote:

Rob,

MyIPA I believe was installed by IPA.  I did everything you suggested, 
the below is what it looks like now.



certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

--

I'm still getting the following when I try to restart the dirsrv:

/etc/init.d/dirsrv restart
Shutting down dirsrv:
   EXAMPLE-COM...[  OK  ]
   PKI-IPA... [  OK  ]
Starting dirsrv:

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, 

Do you mean doing this?  If not let me know. 

[root@pki]# ls -la
total 32
drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
drwxr-xr-x  2 root root 4096 Jul 11  2012 java
lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
drwx--  2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls

After I did that I tried to enroll this system and got the same error.

The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the 
server which is the CA Cert gotten from godaddy.   You also had me change this 
into a der version of the Cert (using openssl) and jam that into the Directory 
server.


Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Jun 10, 2013, at 4:19 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> Rob,
>> 
>>  I think you had me look at that already.   This is the output from 
>> certutil on that:
>> 
>> [root@ ~]# certutil -d /etc/httpd/alias -L
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> MyIPA                                                        u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
> 
> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of 
> these?
> 
> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to 
> enrollment?
> 
> rob
> 
>> 
>> 
>> 
>> Dmitri,
>> 
>>  This is the same issue I've been having for a while, other things were 
>> wrong before all of them stemmed from putting in the Godaddy signed cert.
>> 
>> Thanks,
>> _
>> John Moyer
>> Director, IT Operations
>> 
>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal  wrote:
>> 
>>> On 06/10/2013 02:17 PM, John Moyer wrote:
 I don't know if this helps, but this is the log I'm getting from the IPA 
 server's apache error log.
 
 [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
 recognize and trust the CA that issued your certificate
>>> 
>>> Is this the same issue we are discussing on the devel list?
>>> The intermediate CA case?
>>> 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 On Jun 10, 2013, at 9:52 AM, John Moyer  
 wrote:
 
> Rob,
> 
>   Sorry for the late response I tried the following
> 
> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
> certutil: certificate is valid
> 
> After this I tried to add a machine and got the same error:
> 
> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: server.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
> 
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST 
> transaction.  Peer certificate cannot be authenticated with known CA 
> certificates
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Any additional suggestions?
> 
> 
> Thanks,
> _
> John Moyer
> Director, IT Operations
> On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:
> 
>> John Moyer wrote:
>>> Rob,
>>> 
>>> MyIPA I believe was installed by IPA.  I did everything you 
>>> suggested, the below is what it looks like now.
>>> 
>>> 
>>> 
>>> certutil -d /etc/httpd/alias -L -h internal
>>> 
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>> 
>>> MyIPA                                                        u,u,u
>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>> Go Daddy Class 2 Certificati

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Rob Crittenden

John Moyer wrote:

Rob,

I think you had me look at that already.   This is the output from 
certutil on that:

[root@ ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,


What certificate does the client have in /etc/ipa/ca.crt? Is it either 
one of these?


Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior 
to enrollment?


rob





Dmitri,

This is the same issue I've been having for a while, other things were 
wrong before all of them stemmed from putting in the Godaddy signed cert.

Thanks,
_
John Moyer
Director, IT Operations

On Jun 10, 2013, at 2:30 PM, Dmitri Pal  wrote:


On 06/10/2013 02:17 PM, John Moyer wrote:

I don't know if this helps, but this is the log I'm getting from the IPA 
server's apache error log.

[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
recognize and trust the CA that issued your certificate


Is this the same issue we are discussing on the devel list?
The intermediate CA case?




Thanks,
_
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer  wrote:


Rob,

Sorry for the late response I tried the following

[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid

After this I tried to add a machine and got the same error:

[root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks,
_
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:


John Moyer wrote:

Rob,

MyIPA I believe was installed by IPA.  I did everything you suggested, 
the below is what it looks like now.



certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

--

I'm still getting the following when I try to restart the dirsrv:

/etc/init.d/dirsrv restart
Shutting down dirsrv:
   EXAMPLE-COM...[  OK  ]
   PKI-IPA... [  OK  ]
Starting dirsrv:
   EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
   [  OK  ]
   PKI-IPA... [  OK  ]

You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.


I'm also getting the following when I  try to add a server to IPA:

ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

The client installer downloads the CA cert from LDAP, so make sure you have the 
GoDaddy CA in LDAP.

rob






--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM port

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, 

I think you had me look at that already.   This is the output from 
certutil on that: 

[root@ ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,



Dmitri, 

This is the same issue I've been having for a while, other things were 
wrong before all of them stemmed from putting in the Godaddy signed cert. 

Thanks, 
_
John Moyer
Director, IT Operations

On Jun 10, 2013, at 2:30 PM, Dmitri Pal  wrote:

> On 06/10/2013 02:17 PM, John Moyer wrote:
>> I don't know if this helps, but this is the log I'm getting from the IPA 
>> server's apache error log.
>> 
>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
>> recognize and trust the CA that issued your certificate
> 
> Is this the same issue we are discussing on the devel list?
> The intermediate CA case?
> 
>> 
>> 
>> Thanks, 
>> _
>> John Moyer
>> Director, IT Operations
>> On Jun 10, 2013, at 9:52 AM, John Moyer  
>> wrote:
>> 
>>> Rob, 
>>> 
>>> Sorry for the late response I tried the following
>>> 
>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>> certutil: certificate is valid
>>> 
>>> After this I tried to add a machine and got the same error: 
>>> 
>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: server.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>> 
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
>>> Peer certificate cannot be authenticated with known CA certificates
>>> 
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>> 
>>> Any additional suggestions?
>>> 
>>> 
>>> Thanks, 
>>> _
>>> John Moyer
>>> Director, IT Operations
>>> On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:
>>> 
 John Moyer wrote:
> Rob,
> 
>   MyIPA I believe was installed by IPA.  I did everything you suggested, 
> the below is what it looks like now.
> 
> 
> 
> certutil -d /etc/httpd/alias -L -h internal
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> MyIPA                                                        u,u,u
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
> 
> --
> 
> I'm still getting the following when I try to restart the dirsrv:
> 
> /etc/init.d/dirsrv restart
> Shutting down dirsrv:
>   EXAMPLE-COM...[  OK  ]
>   PKI-IPA... [  OK  ]
> Starting dirsrv:
>   EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
> -8172 - Peer's certificate issuer has been marked as not trusted by the 
> user.)
>  [  OK  ]
>   PKI-IPA... [  OK  ]
You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
 
> I'm also getting the following when I  try to add a server to IPA:
> 
> ipa-client-install --domain=example.com --server=server.example.com 
> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: ip-10-133-38-119.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
> 
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST 
> transaction.  Peer certificate cannot be authenticated with known CA 
> certificates
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
 The client inst

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Dmitri Pal
On 06/10/2013 02:17 PM, John Moyer wrote:
> I don't know if this helps, but this is the log I'm getting from the IPA 
> server's apache error log.
>
> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
> recognize and trust the CA that issued your certificate

Is this the same issue we are discussing on the devel list?
The intermediate CA case?

>
>
> Thanks, 
> _
> John Moyer
> Director, IT Operations
> On Jun 10, 2013, at 9:52 AM, John Moyer  
> wrote:
>
>> Rob, 
>>
>>  Sorry for the late response I tried the following
>>
>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>> certutil: certificate is valid
>>
>> After this I tried to add a machine and got the same error: 
>>
>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: server.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>>
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
>> Peer certificate cannot be authenticated with known CA certificates
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Any additional suggestions?
>>
>>
>> Thanks, 
>> _
>> John Moyer
>> Director, IT Operations
>> On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:
>>
>>> John Moyer wrote:
 Rob,

MyIPA I believe was installed by IPA.  I did everything you suggested, 
 the below is what it looks like now.


 
 certutil -d /etc/httpd/alias -L -h internal

 Certificate Nickname Trust 
 Attributes
 
 SSL,S/MIME,JAR/XPI

 MyIPAu,u,u
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.CT,,

 --

 I'm still getting the following when I try to restart the dirsrv:

 /etc/init.d/dirsrv restart
 Shutting down dirsrv:
EXAMPLE-COM...[  OK  ]
PKI-IPA... [  OK  ]
 Starting dirsrv:
EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
 CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
 -8172 - Peer's certificate issuer has been marked as not trusted by the 
 user.)
   [  OK  ]
PKI-IPA... [  OK  ]
>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.
>>>
 I'm also getting the following when I  try to add a server to IPA:

 ipa-client-install --domain=example.com --server=server.example.com 
 --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
 Hostname: ip-10-133-38-119.ec2.internal
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: server.example.com
 BaseDN: dc=example,dc=com

 Synchronizing time with KDC...
 Joining realm failed: libcurl failed to execute the HTTP POST transaction. 
  Peer certificate cannot be authenticated with known CA certificates

 Installation failed. Rolling back changes.
 IPA client is not configured on this system.
>>> The client installer downloads the CA cert from LDAP, so make sure you have 
>>> the GoDaddy CA in LDAP.
>>>
>>> rob
>>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Rob Crittenden

John Moyer wrote:

I don't know if this helps, but this is the log I'm getting from the IPA 
server's apache error log.

[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
recognize and trust the CA that issued your certificate


Apache has its own certificate database in /etc/httpd/alias. Perhaps try 
the same commands against it.


rob




Thanks,
_
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer  wrote:


Rob,

Sorry for the late response I tried the following

[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid

After this I tried to add a machine and got the same error:

[root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks,
_
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:


John Moyer wrote:

Rob,

MyIPA I believe was installed by IPA.  I did everything you suggested, 
the below is what it looks like now.



certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

--

I'm still getting the following when I try to restart the dirsrv:

/etc/init.d/dirsrv restart
Shutting down dirsrv:
EXAMPLE-COM...[  OK  ]
PKI-IPA... [  OK  ]
Starting dirsrv:
EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
   [  OK  ]
PKI-IPA... [  OK  ]


You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well.



I'm also getting the following when I  try to add a server to IPA:

ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


The client installer downloads the CA cert from LDAP, so make sure you have the 
GoDaddy CA in LDAP.

rob







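Rob's point that Apache has its own certificate database, together with his earlier "apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as well", comes down to one check that has to hold in every NSS database a FreeIPA server and client use (each 389-ds instance under /etc/dirsrv/slapd-*, /etc/httpd/alias for Apache, /etc/pki/nssdb on the client): every CA in the chain carries the C (trusted CA) flag in the SSL column of `certutil -L`, and the server certificate carries u (private key present). The two NSS errors in the thread are the two sides of that check: -8172 (SEC_ERROR_UNTRUSTED_ISSUER) is a database refusing the issuer of its own certificate, and -12195 (SSL_ERROR_UNKNOWN_CA_ALERT) is the TLS peer reporting that it could not validate the certificate it was sent, so fixing one database does not fix the other side. The script below is an added example, not from the thread or from FreeIPA: it audits a `certutil -L` listing for those flags. The listing embedded in it is constructed to mirror the one in the thread, with the intermediate deliberately left at ",," so the audit has something to report; the database paths used in live mode are the FreeIPA defaults of that era and are an assumption here.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: audit a `certutil -L`
# listing for the trust flags a FreeIPA NSS database needs. Every CA in the
# chain must carry C (trusted CA) in the SSL column; the server cert must
# carry u (private key present). Database paths are the FreeIPA defaults of
# that era and are assumptions here.
set -eu

# audit_listing: read `certutil -L` text on stdin, print one line per problem,
# return 0 when clean and 1 otherwise. The trust column is the last field,
# formatted SSL,S/MIME,JAR/XPI; nicknames may contain spaces, so only the last
# whitespace-separated field is taken as the trust string.
audit_listing() {
  awk '
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
    {
      trust = $NF
      nick = $0; sub(/[ \t]+[^ \t]+$/, "", nick)
      split(trust, f, ","); ssl = f[1]
      if (ssl ~ /u/) { servers++; next }                 # we hold the key: the server cert
      if (ssl !~ /C/) { printf "NOT TRUSTED for SSL: %s (%s)\n", nick, trust; problems++ }
    }
    END {
      if (servers == 0) { print "no server certificate (u flag) in this database"; problems++ }
      exit (problems > 0)
    }'
}

# audit_db dir: run the audit against a real NSS database (needs certutil).
audit_db() {
  printf '== %s\n' "$1"
  certutil -d "$1" -L | audit_listing
}

# Constructed sample, not captured from the thread's server: the intermediate
# was imported but never given the C flag, which is what -8172 complains about.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,'

# The same listing after `certutil -M -n "<intermediate nick>" -t CT,,` on that database.
FIXED=$(printf '%s\n' "$SAMPLE" | sed 's/Inc\. ,,$/Inc. CT,,/')

audit_sample() { printf '%s\n' "$SAMPLE" | audit_listing; }
audit_fixed()  { printf '%s\n' "$FIXED" | audit_listing; }

if [ "${1:-}" = "--live" ]; then
  # Each of these is an independent trust store; a fix in one does not carry over.
  for d in /etc/dirsrv/slapd-*/ /etc/httpd/alias /etc/pki/nssdb; do
    [ -f "$d/cert8.db" ] || continue
    audit_db "$d" || true
  done
else
  echo "# before:"; audit_sample || true
  echo "# after:";  audit_fixed && echo "clean"
fi
```

Run with --live on a server to walk the three kinds of database; a problem it reports is fixed with the `certutil -M -d <that database> -n "<nick>" -t CT,,` command already used in the thread, followed by a restart of the service that owns the database, and then `certutil -V -u V -n MyIPA -d <that database>` should say "certificate is valid" in each of them, not just in the one where it was first run. On the client, `modutil -dbdir /etc/pki/nssdb -list` shows which PKCS#11 modules the database has registered; the documented way to make the builtin roots (libnssckbi.so) part of it is `modutil -dbdir /etc/pki/nssdb -add "Root Certs" -libfile libnssckbi.so`, and an `ls` of the directory cannot tell you whether that happened.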


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
I don't know if this helps, but this is the log I'm getting from the IPA 
server's apache error log.

[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
recognize and trust the CA that issued your certificate


Thanks, 
_
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer  wrote:

> Rob, 
> 
>   Sorry for the late response I tried the following
> 
> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
> certutil: certificate is valid
> 
> After this I tried to add a machine and got the same error: 
> 
> [root@~]# ipa-client-install --domain=example.com --server=server.example.com 
> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
> Hostname: server.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: server.example.com
> BaseDN: dc=example,dc=com
> 
> Synchronizing time with KDC...
> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
> Peer certificate cannot be authenticated with known CA certificates
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Any additional suggestions?
> 
> 
> Thanks, 
> _
> John Moyer
> Director, IT Operations
> On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:
> 
>> John Moyer wrote:
>>> Rob,
>>> 
>>> MyIPA, I believe, was installed by IPA.  I did everything you suggested; 
>>> below is what it looks like now.
>>> 
>>> 
>>> 
>>> certutil -d /etc/httpd/alias -L -h internal
>>> 
>>> Certificate Nickname                                               Trust Attributes
>>>                                                                    SSL,S/MIME,JAR/XPI
>>> 
>>> MyIPA                                                              u,u,u
>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
>>> 
>>> --
>>> 
>>> I'm still getting the following when I try to restart the dirsrv:
>>> 
>>> /etc/init.d/dirsrv restart
>>> Shutting down dirsrv:
>>>EXAMPLE-COM...[  OK  ]
>>>PKI-IPA... [  OK  ]
>>> Starting dirsrv:
>>>EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
>>> -8172 - Peer's certificate issuer has been marked as not trusted by the 
>>> user.)
>>>   [  OK  ]
>>>PKI-IPA... [  OK  ]
>> 
>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as 
>> well.
>> 
>>> 
>>> I'm also getting the following when I try to add a server to IPA:
>>> 
>>> ipa-client-install --domain=example.com --server=server.example.com 
>>> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: ip-10-133-38-119.ec2.internal
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>> 
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
>>> Peer certificate cannot be authenticated with known CA certificates
>>> 
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>> 
>> The client installer downloads the CA cert from LDAP, so make sure you have 
>> the GoDaddy CA in LDAP.
>> 
>> rob
>> 
> 




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, 

Sorry for the late response. I tried the following:

[root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 
Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d  /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure 
Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid
 
After this I tried to add a machine and got the same error: 

[root@~]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks, 
_
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> Rob,
>> 
>>  MyIPA, I believe, was installed by IPA.  I did everything you suggested; 
>> below is what it looks like now.
>> 
>> 
>> 
>> certutil -d /etc/httpd/alias -L -h internal
>> 
>> Certificate Nickname                                               Trust Attributes
>>                                                                    SSL,S/MIME,JAR/XPI
>> 
>> MyIPA                                                              u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
>> 
>> --
>> 
>> I'm still getting the following when I try to restart the dirsrv:
>> 
>> /etc/init.d/dirsrv restart
>> Shutting down dirsrv:
>> EXAMPLE-COM...[  OK  ]
>> PKI-IPA... [  OK  ]
>> Starting dirsrv:
>> EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 
>> - Peer's certificate issuer has been marked as not trusted by the user.)
>>[  OK  ]
>> PKI-IPA... [  OK  ]
> 
> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
> 
>> 
>> I'm also getting the following when I try to add a server to IPA:
>> 
>> ipa-client-install --domain=example.com --server=server.example.com 
>> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: ip-10-133-38-119.ec2.internal
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
>> Peer certificate cannot be authenticated with known CA certificates
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
> 
> The client installer downloads the CA cert from LDAP, so make sure you have 
> the GoDaddy CA in LDAP.
> 
> rob
> 




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Rob Crittenden

John Moyer wrote:

Rob,

MyIPA, I believe, was installed by IPA.  I did everything you suggested; 
below is what it looks like now.



certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,

--

I'm still getting the following when I try to restart the dirsrv:

/etc/init.d/dirsrv restart
Shutting down dirsrv:
 EXAMPLE-COM...[  OK  ]
 PKI-IPA... [  OK  ]
Starting dirsrv:
 EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)
[  OK  ]
 PKI-IPA... [  OK  ]


You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as 
well.




I'm also getting the following when I try to add a server to IPA:

ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM 
-p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


The client installer downloads the CA cert from LDAP, so make sure you 
have the GoDaddy CA in LDAP.


rob

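Rob's remark that the client installer trusts whatever CA certificate the server publishes in LDAP is the key to the "Peer certificate cannot be authenticated with known CA certificates" failure: if that entry still holds a different CA than the one that issued the new server certificate, every ipa-client-install run will reject the server. The following is an added example, not code from the thread or from FreeIPA: it prints the anonymous ldapsearch that fetches the published CA (IPA stores it at cn=CAcert,cn=ipa,cn=etc,<basedn> in the cACertificate;binary attribute), parses the folded LDIF that ldapsearch prints, and compares the certificate's SHA-256 fingerprint with that of the issuer CA exported from the server's NSS database with `certutil -L -d /etc/httpd/alias -n '<nick>' -a`. The certificate bytes in the block are a constructed placeholder, not a real certificate; the hostname and base DN are the thread's example values.

```python
import base64
import hashlib
import textwrap

# Where an IPA server publishes the CA certificate that ipa-client-install
# fetches and then trusts for its HTTPS and LDAP connections.
CACERT_DN = "cn=CAcert,cn=ipa,cn=etc,{basedn}"
CACERT_ATTR = "cACertificate;binary"


def ldapsearch_command(server, basedn):
    """The (anonymous, base-scope) search whose output the check below consumes."""
    dn = CACERT_DN.format(basedn=basedn)
    return f"ldapsearch -x -LLL -H ldap://{server} -s base -b '{dn}' '{CACERT_ATTR}'"


def unfold_ldif(text):
    """LDIF folds long values: a continuation line starts with one space."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def ldif_binary_attr(text, attr):
    """Decoded value of a base64 ('::') attribute, or None if it is absent."""
    prefix = attr + "::"
    for line in unfold_ldif(text):
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):].strip())
    return None


def der_to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def published_ca_matches_issuer(ldif_text, issuer_pem):
    """True when the CA clients will fetch is byte-identical to the CA that
    issued the server cert (issuer exported from NSS as PEM with certutil -a)."""
    published = ldif_binary_attr(ldif_text, CACERT_ATTR)
    if published is None:
        return False
    return sha256_fingerprint(published) == sha256_fingerprint(pem_to_der(issuer_pem))


def make_sample_ldif(der, basedn="dc=example,dc=com", width=76):
    """Constructed output in the shape ldapsearch -LLL prints: the long base64
    value is folded onto continuation lines that begin with a single space."""
    value = f"{CACERT_ATTR}:: " + base64.b64encode(der).decode("ascii")
    folded = [value[:width]] + [" " + value[i:i + width - 1]
                                for i in range(width, len(value), width - 1)]
    return "\n".join([f"dn: {CACERT_DN.format(basedn=basedn)}", "cn: CAcert"] + folded) + "\n"


# Placeholder bytes standing in for a DER-encoded CA certificate; constructed,
# not a real certificate. The folding, decoding and comparison do not depend on it.
FAKE_CA_DER = bytes(range(256)) * 2

if __name__ == "__main__":
    print(ldapsearch_command("server.example.com", "dc=example,dc=com"))
    ldif = make_sample_ldif(FAKE_CA_DER)
    print("published CA sha256:", sha256_fingerprint(ldif_binary_attr(ldif, CACERT_ATTR)))
    print("matches issuer:", published_ca_matches_issuer(ldif, der_to_pem(FAKE_CA_DER)))
```

If the fingerprints differ, the entry in LDAP still carries the CA the server was installed with, and the client-side failure is expected regardless of how the NSS trust flags on the server are set.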


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Rob, 

MyIPA, I believe, was installed by IPA.  I did everything you suggested; 
below is what it looks like now.   



certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,

--

I'm still getting the following when I try to restart the dirsrv:  

/etc/init.d/dirsrv restart
Shutting down dirsrv:
EXAMPLE-COM...[  OK  ]
PKI-IPA... [  OK  ]
Starting dirsrv:
EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)
   [  OK  ]
PKI-IPA... [  OK  ]


I'm also getting the following when I try to add a server to IPA: 

ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks, 
_
John Moyer
Director, IT Operations





On May 29, 2013, at 12:20 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> John,
>> 
>>  I see the following when I ran that first command.
>> 
>> sudo certutil -d /etc/httpd/alias -L -h internal
>> 
>> Certificate Nickname                                               Trust Attributes
>>                                                                    SSL,S/MIME,JAR/XPI
>> 
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
>> MyIPA                                                              CTu,Cu,u
>> 
>> 
>> So being that I have no fear (or am just real dumb, I really feel it's just 
>> both) I used that command and got this error after hitting enter to continue:
>> 
>> sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
>> 
>> WARNING: Performing this operation while the browser is running could cause
>> corruption of your security databases. If the browser is currently running,
>> you should exit browser before continuing this operation. Type
>> 'q ' to abort, or  to continue:
>> 
>> ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 
>> error.".
>> 
>> I then did the first command again (to see what I messed up) and it looks 
>> identical as shown below:
>> 
>> sudo certutil -d /etc/httpd/alias -L -h internal
>> 
>> Certificate Nickname                                               Trust Attributes
>>                                                                    SSL,S/MIME,JAR/XPI
>> 
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
>> MyIPA                                                              CTu,Cu,u
> 
> These trust flags look really strange.
> 
> What is MyIPA, is that your server certificate? It should have a trust of 
> u,u,u if it is: certutil -M -d /etc/httpd/alias -n MyIPA -t u,u,u
> 
> The other two are clearly CAs and should be trusted as such. For each one I'd 
> do:
> 
> certutil -M -d /etc/httpd/alias -n 'nickname' -t CT,,
> 
> You can test the trust with:
> 
> certutil -V -u V -d /etc/httpd/alias -n MyIPA
> 
> I'm guessing that you'll need to do something similar in 
> /etc/dirsrv/slapd-YOUR-INSTANCE.
> 
> rob




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Rob Crittenden

John Moyer wrote:

John,

I see the following when I ran that first command.

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


So being that I have no fear (or am just real dumb, I really feel it's just 
both) I used that command and got this error after hitting enter to continue:

sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q ' to abort, or  to continue:

ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 
error.".

I then did the first command again (to see what I messed up) and it looks 
identical as shown below:

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


These trust flags look really strange.

What is MyIPA, is that your server certificate? It should have a trust 
of u,u,u if it is: certutil -M -d /etc/httpd/alias -n MyIPA -t u,u,u


The other two are clearly CAs and should be trusted as such. For each one 
I'd do:


certutil -M -d /etc/httpd/alias -n 'nickname' -t CT,,

You can test the trust with:

certutil -V -u V -d /etc/httpd/alias -n MyIPA

I'm guessing that you'll need to do something similar in 
/etc/dirsrv/slapd-YOUR-INSTANCE.


rob



Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Dennis

On 05/29/2013 09:55 AM, John Moyer wrote:

John,

I see the following when I ran that first command.

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


So being that I have no fear (or am just real dumb, I really feel it's just 
both) I used that command and got this error after hitting enter to continue:

sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q ' to abort, or  to continue:

ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 
error.".

I then did the first command again (to see what I messed up) and it looks 
identical as shown below:

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


My suggestion would be to do the following.

1) Determine the issuer of your new cert (i.e. who signed it). Do this 
by dumping the text representation of the cert. If one of the certs 
above is the cert in question you can use certutil


% certutil -d /etc/httpd/alias -L -n "xxx"

where xxx is the cert nickname

or via openssl if you have the cert file available (assuming PEM format)

% openssl x509 -inform PEM -text -in xxx

where xxx is the cert file

look for the issuer field and make note of it.

2) Is the issuer one of the certs in the above listing? If so use 
certutil to add trust flags to it (see certutil web page pointed out 
earlier for examples of adding trust).


If the issuer is not already in the list then acquire the issuer cert 
from GoDaddy and add it to the database with trust flags turned on.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

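The trust-flag rules Rob spells out (CAs at CT,, and the server's own certificate at u,u,u, applied to httpd's NSS database and again to each dirsrv instance's) and step 2 of John Dennis's procedure (is the issuer in the listing, and is it trusted?) come down to reading the certutil -L output correctly. The block below is an added example, not code from the thread or from FreeIPA: it parses a listing such as the ones pasted above, flags the combinations under which NSS reports the -8172 alert (CA present but without the C flag, or a server certificate carrying CA flags), and prints the certutil -M and certutil -V commands to run. The two listings embedded in it are constructed to match the shape of the thread's before and after states; the dirsrv path, and treating every entry other than the server certificate as a CA, are assumptions of the example.

```python
import re

# An NSS trust string has three comma-separated slots: SSL, S/MIME, object
# signing.  Letters that matter for a TLS server: C = trusted CA for server
# certs, T = trusted CA for client certs, u = we hold this cert's private key
# (it is our own cert).  p/P are explicit peer (dis)trust, c is an untrusted CA.
TRUST_RE = re.compile(r"([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")


def parse_certutil_listing(text):
    """Parse `certutil -d <db> -L` output into (nickname, ssl, email, objsign).

    The trust triple is the last token of a certificate line; everything in
    front of it is the nickname, which may contain spaces and commas
    ("... - ValiCert, Inc.").  Anchoring on the triple also copes with the
    collapsed spacing of a listing pasted into mail ("MyIPAu,u,u").
    """
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") or "SSL,S/MIME" in line:
            continue
        m = TRUST_RE.search(line)
        if m is None:
            continue  # separator or other decoration, not a certificate line
        nickname = line[: m.start()].rstrip()
        if nickname:
            entries.append((nickname, m.group(1), m.group(2), m.group(3)))
    return entries


def audit_trust(entries, server_nick):
    """Flag trust settings under which NSS rejects the server's own chain.

    Assumption of this example: every entry other than the server certificate
    is a CA that should be allowed to issue server certs (true of the thread's
    three-entry database).  Returns (nickname, problem, flags_to_set) tuples;
    flags_to_set is None where `certutil -M` cannot fix the problem.
    """
    problems = []
    seen_server = False
    for nick, ssl, _email, _objsign in entries:
        if nick == server_nick:
            seen_server = True
            if "u" not in ssl:
                problems.append((nick, "server cert present without its private key (no 'u')", None))
            if "C" in ssl or "T" in ssl:
                problems.append((nick, "server cert carries CA trust flags", "u,u,u"))
        elif "C" not in ssl:
            problems.append((nick, "CA not trusted to issue SSL server certs (no 'C')", "CT,,"))
    if not seen_server:
        problems.append((server_nick, "server cert nickname not in this database", None))
    return problems


def remediation_commands(problems, server_nick, dbdirs):
    """The `certutil -M` calls from the thread, repeated for every NSS database
    the IPA server reads (httpd's and each dirsrv instance's), with the
    `certutil -V -u V` check of the server cert after each database."""
    wanted = {}
    for nick, _problem, flags in problems:
        if flags and nick not in wanted:
            wanted[nick] = flags
    cmds = []
    for dbdir in dbdirs:
        for nick, flags in wanted.items():
            cmds.append(f"certutil -M -d {dbdir} -n '{nick}' -t {flags}")
        cmds.append(f"certutil -V -u V -d {dbdir} -n {server_nick}")
    return cmds


# Constructed listings shaped like those in the thread: the state that
# produced the -8172 alert, and the state after the trust changes.
BEFORE = """\
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u
"""

AFTER = """\
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
"""

# Assumed paths: httpd's database and one dirsrv instance for the thread's realm.
NSS_DBS = ["/etc/httpd/alias", "/etc/dirsrv/slapd-EXAMPLE-COM"]

if __name__ == "__main__":
    problems = audit_trust(parse_certutil_listing(BEFORE), "MyIPA")
    for nick, problem, _flags in problems:
        print(f"{nick}: {problem}")
    print("\n".join(remediation_commands(problems, "MyIPA", NSS_DBS)))
    print("after fix:", audit_trust(parse_certutil_listing(AFTER), "MyIPA"))
```

Run it against the real listing by piping `certutil -d /etc/httpd/alias -L` into parse_certutil_listing, then repeat for the dirsrv instance: the thread shows that fixing only /etc/httpd/alias leaves dirsrv logging the same alert at startup.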


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Petr, 

Oh thanks for that webpage!  So now named starts. It was because my 
hostname was ip-10.x.x.x; I then tried to change it to ip-10.x.x.x.ec2.internal 
(the standard FQDN for AWS). Then I remembered that during setup I had to change 
it to ipa.example.com. Once I did that it started!  Now I just have the cert 
issue; I'll email back after I gather more of the details around the remaining 
issues I'm having.  Thanks for your help! 

Thanks, 
_
John Moyer
Director, IT Operations


On May 29, 2013, at 10:24 AM, Petr Spacek  wrote:

> On 29.5.2013 15:50, John Moyer wrote:
>>  I changed both the hosts file (actually did that before emailing) and 
>> now I have changed the DNS manually in LDAP.  I restarted IPA and it still 
>> fails on DNS startup.   It says the following (after I manually start 
>> everything else):
>> 
>> May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, 
>> file 'dynamic/managed-keys.bind'
>> May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  
>> Minor code may provide more information (Server 
>> krbtgt/ec2.inter...@example.com not found in Kerberos database)
>> May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
>> May 29 13:16:15 ip- named[9076]: loading configuration: failure
>> May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)
> 
> The important piece is:
> > Server krbtgt/ec2.inter...@example.com not found in Kerberos database
> 
> Some very basic instructions are at
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> 
> IMHO Kerberos libraries are confused by the crazy network setup inside EC2.
> 
> Does your /etc/krb5.conf point to internal or external name?
> 
> Does your /etc/hosts point to internal or external name?
> 
> I would try to include *internal* IPs in /etc/hosts, because internal IPs are 
> what libraries see on local interfaces.
> 
> Please do the experiments described above and let us know. Also, you can join 
> #freeipa channel on FreeNode, I will be around for next hour (at least).
> 
> Petr^2 Spacek
> 
>> On May 29, 2013, at 4:11 AM, Petr Spacek  wrote:
>> 
>>> On 29.5.2013 07:42, John Moyer wrote:
 Yea I replaced both certs, however, in my troubleshooting I've found more 
 I'll say symptoms or potential problems, which may stem from this or be 
 independent from it.
 
 1. Showing this error message on restarting the service:
 EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: 
 CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
 -8172 - Peer's certificate issuer has been marked as not trusted by the 
 user.)
 
 2. This is on an AWS machine, and when I rebooted the internal IP of the 
 machine changed.  I'm not sure if there are values in the Directory Server 
 that would have that internal IP in there which would cause a problem.  
 The external IP and DNS have stayed the same and I've tried to have all 
 install values match the external IP or external name for this exact 
 reason.
 
 3. The named service will no longer start, here are the errors getting put 
 in the /var/log/messages
 May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 
 zones
 May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
 seen; disabling forwarding
 May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
 _default, file 'dynamic/managed-keys.bind'
  May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials 
 (Cannot contact any KDC for realm 'EXAMPLE.COM')
  May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure 
 May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)
 
 Any help in a right direction or theory to a right direction would be much 
 appreciated!
>>> Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and 
>>> IPA DNS. Please correct content of /etc/hosts, start IPA and then correct 
>>> IP addresses in IPA DNS.




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Petr Spacek

On 29.5.2013 15:50, John Moyer wrote:

I changed both the hosts file (actually did that before emailing) and 
now I have changed the DNS manually in LDAP.  I restarted IPA and it still fails 
on DNS startup.   It says the following (after I manually start everything else):

May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, 
file 'dynamic/managed-keys.bind'
May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Server krbtgt/ec2.inter...@example.com not 
found in Kerberos database)
May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
May 29 13:16:15 ip- named[9076]: loading configuration: failure
May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)


The important piece is:
> Server krbtgt/ec2.inter...@example.com not found in Kerberos database

Some very basic instructions are at
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart

IMHO Kerberos libraries are confused by the crazy network setup inside EC2.

Does your /etc/krb5.conf point to internal or external name?

Does your /etc/hosts point to internal or external name?

I would try to include *internal* IPs in /etc/hosts, because internal IPs are 
what libraries see on local interfaces.


Please do the experiments described above and let us know. Also, you can join 
#freeipa channel on FreeNode, I will be around for next hour (at least).


Petr^2 Spacek


On May 29, 2013, at 4:11 AM, Petr Spacek  wrote:


On 29.5.2013 07:42, John Moyer wrote:

Yea I replaced both certs, however, in my troubleshooting I've found more I'll 
say symptoms or potential problems, which may stem from this or be independent 
from it.

1. Showing this error message on restarting the service:
 EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)

2. This is on an AWS machine, and when I rebooted the internal IP of the 
machine changed.  I'm not sure if there are values in the Directory Server that 
would have that internal IP in there which would cause a problem.  The external 
IP and DNS have stayed the same and I've tried to have all install values match 
the external IP or external name for this exact reason.

3. The named service will no longer start, here are the errors getting put in 
the /var/log/messages
May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 zones
May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
seen; disabling forwarding
May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
_default, file 'dynamic/managed-keys.bind'
May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot 
contact any KDC for realm 'EXAMPLE.COM')
May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)

Any help in a right direction or theory to a right direction would be much 
appreciated!

Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and IPA 
DNS. Please correct content of /etc/hosts, start IPA and then correct IP 
addresses in IPA DNS.


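Petr's questions about what /etc/hosts and /etc/krb5.conf say are about the two steps libkrb5 takes before named can bind to LDAP with GSSAPI: it canonicalises the server's hostname (with rdns on, the default, that is the first name on the /etc/hosts line whose address the name resolves to) and then maps that name to a realm through [domain_realm], falling back to the upper-cased domain part of the name when nothing matches and dns_lookup_realm is off. When the canonical name lives under a domain the mapping does not cover, the library asks the KDC for a cross-realm ticket-granting ticket for a realm that does not exist, which is the shape of the "krbtgt/... not found in Kerberos database" error. The block below is an added example that emulates those two steps in Python; it is not code from the thread, from FreeIPA or from MIT krb5. The /etc/hosts contents and hostnames are constructed, and the domain_realm mapping is of the kind ipa-server-install writes.

```python
def parse_hosts(text):
    """Minimal /etc/hosts parser: address -> [canonical name, aliases...]."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def canonical_name(hostname, hosts):
    """The name libkrb5 uses after canonicalisation when /etc/hosts answers:
    forward-resolve the name, reverse-resolve the address, and take the first
    name on that line (glibc's canonical name; rdns = true is the default).
    Names absent from /etc/hosts are returned unchanged (DNS is not emulated)."""
    wanted = hostname.lower().rstrip(".")
    for names in hosts.values():
        if wanted in (n.lower() for n in names):
            return names[0].lower()
    return wanted


def host_realm(hostname, domain_realm, default_realm=None):
    """[domain_realm] lookup as krb5.conf(5) describes it: the exact hostname
    first, then each parent domain with and without its leading dot; with no
    match and dns_lookup_realm off, the upper-cased domain part of the name."""
    mapping = {k.lower(): v for k, v in domain_realm.items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return default_realm


def kdc_requests(service, server, client_realm, hosts, domain_realm):
    """Service principal named asks for when binding to `server`, plus the
    cross-realm TGT it must obtain first if the server maps to another realm
    (None when both sides are in the same realm)."""
    canon = canonical_name(server, hosts)
    realm = host_realm(canon, domain_realm, default_realm=client_realm)
    principal = f"{service}/{canon}@{realm}"
    crossrealm = None if realm == client_realm else f"krbtgt/{realm}@{client_realm}"
    return principal, crossrealm


# Constructed /etc/hosts contents.  In the first the EC2-assigned name is the
# canonical (first) name for the address; in the second the IPA FQDN is.
HOSTS_BROKEN = "10.133.38.119  ip-10-133-38-119.ec2.internal  server.example.com\n"
HOSTS_FIXED = "10.133.38.119  server.example.com  server\n"

# The kind of mapping ipa-server-install writes into /etc/krb5.conf.
DOMAIN_REALM = {".example.com": "EXAMPLE.COM", "example.com": "EXAMPLE.COM"}

if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        principal, crossrealm = kdc_requests(
            "ldap", "server.example.com", "EXAMPLE.COM", parse_hosts(hosts), DOMAIN_REALM)
        print(f"{label}: wants {principal}; cross-realm TGT needed: {crossrealm}")
```

The emulation also shows the other way out, beyond what the thread tried: leaving /etc/hosts alone and adding a `.ec2.internal = EXAMPLE.COM` line to [domain_realm] makes the lookup land in the right realm. Either way, the file the library reads must agree with the name the host actually resolves to.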


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
John, 

I see the following when I ran that first command.

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


So being that I have no fear (or am just real dumb, I really feel it's just 
both) I used that command and got this error after hitting enter to continue: 

sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q ' to abort, or  to continue:

ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 
error.".

I then did the first command again (to see what I messed up) and it looks 
identical as shown below: 

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


Thanks, 
_
John Moyer
Director, IT Operations
On May 29, 2013, at 8:36 AM, John Dennis  wrote:

> On 05/29/2013 01:42 AM, John Moyer wrote:
>> Yea I replaced both certs, however, in my troubleshooting I've found
>> more I'll say symptoms or potential problems, which may stem from
>> this or be independent from it.
>> 
>> 1. Showing this error message on restarting the service:
>> EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA
>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
>> error -8172 - Peer's certificate issuer has been marked as not
>> trusted by the user.)
> 
> The error is saying the CA which signed your new cert is either unknown or 
> untrusted. Trusted CAs must be in the NSS database which is being 
> referenced, which in this case I believe is /etc/httpd/alias.
> 
> By default we don't add other root CAs to this database so you'll have to 
> add it. To see what is in the database do this:
> 
> sudo certutil -d /etc/httpd/alias -L -h internal
> 
> FWIW the "-h internal" means to also examine any preloaded CAs that may have 
> been added with modutil.
> 
> If the CA that signed your cert is one of the standard trusted ones you can add 
> the entire set of trusted CAs with modutil
> 
> % sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
> 
> But that's a big hammer, you might be better off just manually adding 
> the CA that signed your cert and adding trust for it. Examples can be found 
> here:
> 
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
> 
> 
> -- 
> John Dennis 
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Petr, 

I changed both the hosts file (actually did that before emailing) and 
now I have changed the DNS manually in LDAP.  I restarted IPA and it still fails 
on DNS startup.   It says the following (after I manually start everything 
else): 

May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, 
file 'dynamic/managed-keys.bind'
May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Server krbtgt/ec2.inter...@example.com not 
found in Kerberos database)
May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
May 29 13:16:15 ip- named[9076]: loading configuration: failure
May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)  


Thanks, 
_
John Moyer
Director, IT Operations


On May 29, 2013, at 4:11 AM, Petr Spacek  wrote:

> On 29.5.2013 07:42, John Moyer wrote:
>> Yea I replaced both certs, however, in my troubleshooting I've found more 
>> I'll say symptoms or potential problems, which may stem from this or be 
>> independent from it.
>> 
>> 1. Showing this error message on restarting the service:
>> EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: 
>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 
>> - Peer's certificate issuer has been marked as not trusted by the user.)
>> 
>> 2. This is on an AWS machine, and when I rebooted the internal IP of the 
>> machine changed.  I'm not sure if there are values in the Directory Server 
>> that would have that internal IP in there which would cause a problem.  The 
>> external IP and DNS have stayed the same and I've tried to have all install 
>> values match the external IP or external name for this exact reason.
>> 
>> 3. The named service will no longer start, here are the errors getting put 
>> in the /var/log/messages
>> May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 
>> zones
>> May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
>> seen; disabling forwarding
>> May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
>> _default, file 'dynamic/managed-keys.bind'
>> May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot 
>> contact any KDC for realm 'EXAMPLE.COM')
>> May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
>> May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)
>> 
>> Any help in a right direction or theory to a right direction would be much 
>> appreciated!
> Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and 
> IPA DNS. Please correct content of /etc/hosts, start IPA and then correct IP 
> addresses in IPA DNS.
> 
> -- 
> Petr^2 Spacek
> 




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Dennis

On 05/29/2013 01:42 AM, John Moyer wrote:

Yea I replaced both certs, however, in my troubleshooting I've found
more I'll say symptoms or potential problems, which may stem from
this or be independent from it.

1. Showing this error message on restarting the service:
EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
error -8172 - Peer's certificate issuer has been marked as not
trusted by the user.)


The error is saying the CA which signed your new cert is either unknown 
or untrusted. Trusted CAs must be in the NSS database which is being 
referenced, which in this case I believe is /etc/httpd/alias.


By default we don't add other root CAs to this database so you'll have 
to add it. To see what is in the database do this:


sudo certutil -d /etc/httpd/alias -L -h internal

FWIW the "-h internal" means to also examine any preloaded CAs that may 
have been added with modutil.


If the CA that signed your cert is one of the standard trusted ones you can 
add the entire set of trusted CAs with modutil


% sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias

But that's a big hammer, you might be better off just manually 
adding the CA that signed your cert and adding trust for it. Examples 
can be found here:


http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Petr Spacek

On 29.5.2013 07:42, John Moyer wrote:

Yeah, I replaced both certs; however, in my troubleshooting I've found more, I'll 
say, symptoms or potential problems, which may stem from this or be independent 
of it.

1. Showing this error message on restarting the service:
 EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)

2. This is on an AWS machine, and when I rebooted the internal IP of the 
machine changed.  I'm not sure if there are values in the Directory Server that 
would have that internal IP in there which would cause a problem.  The external 
IP and DNS have stayed the same and I've tried to have all install values match 
the external IP or external name for this exact reason.

3. The named service will no longer start, here are the errors getting put in 
the /var/log/messages
May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 zones
May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
seen; disabling forwarding
May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
_default, file 'dynamic/managed-keys.bind'
May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot contact any KDC for realm 'EXAMPLE.COM')
May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)

Any help in a right direction or theory to a right direction would be much 
appreciated!

Problems 2 and 3 might be caused by an incorrect IP address in /etc/hosts and in 
IPA DNS. Please correct the content of /etc/hosts, start IPA and then correct the 
IP addresses in IPA DNS.


--
Petr^2 Spacek



Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-28 Thread John Moyer
Yeah, I replaced both certs; however, in my troubleshooting I've found more, I'll 
say, symptoms or potential problems, which may stem from this or be independent 
of it.  

1. Showing this error message on restarting the service: 
EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)

2. This is on an AWS machine, and when I rebooted the internal IP of the 
machine changed.  I'm not sure if there are values in the Directory Server that 
would have that internal IP in there which would cause a problem.  The external 
IP and DNS have stayed the same and I've tried to have all install values match 
the external IP or external name for this exact reason. 

3. The named service will no longer start, here are the errors getting put in 
the /var/log/messages
May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 zones
May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
seen; disabling forwarding 
May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
_default, file 'dynamic/managed-keys.bind' 
May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot contact any KDC for realm 'EXAMPLE.COM')
May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)

Any help in a right direction or theory to a right direction would be much 
appreciated! 

Thanks, 
_
John Moyer
Director, IT Operations


On May 24, 2013, at 4:17 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> So I did that, and it executed perfectly (went back and checked that it did 
>> indeed replace the value as expected).  I got on the machine I was trying to 
>> add and got this:
>> 
>> root@ ~]# ipa-client-install --domain=example.com 
>> --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: blah.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> The CA cert available from the IPA server does not match the
>> local certificate available at /etc/ipa/ca.crt
>> Existing CA cert:
>> Subject: CN=Certificate Authority,O=EXAMPLE.COM
>> Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
>> Valid From:  Wed Mar 02 18:52:05 2013 UTC
>> Valid Until: Sun Mar 02 18:52:05 2033 UTC
>> 
>> Retrieved CA cert:
>> Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
>> Issuer:  serialNumber=07969287,CN=Go Daddy Secure Certification 
>> Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, 
>> Inc.",L=Scottsdale,ST=Arizona,C=US
>> Valid From:  Thu Dec 01 14:57:49 2011 UTC
>> Valid Until: Sun Dec 01 14:57:49 2013 UTC
>> 
>> Cannot obtain CA certificate
>> 'ldap://server.example.com' doesn't have a certificate.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> 
>> 
>> Then I tried to change the local machine's /etc/ipa/ca.crt to match the 
>> server.  I then got this:
> 
> Next time you can just remove /etc/ipa/ca.crt. The client will fetch an 
> updated one. This is fixed upstream.
> 
>> [root@]# ipa-client-install --domain=example.com --server=server.example.com 
>> --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>> Hostname: blah.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: server.example.com
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
>> Peer certificate cannot be authenticated with known CA certificates
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
> 
> You replaced the web server cert as well, right? And restarted Apache?
> 
> rob
> 
>> 
>> 
>> Thanks,
>> _
>> John Moyer
>> Director, IT Operations
>> 
>> 
>> On May 24, 2013, at 3:11 PM, Rob Crittenden  wrote:
>> 
>>> John Moyer wrote:
 So unfortunately a rebuild would be less than optimal for me, lots of 
 servers and users.  So I've tried Dmitri's idea of ldapi and I got the 
 access to LDAP now, however I may be going about this entire thing wrong.  
  I created an LDIF file that looks like this:
 
 dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
 
 Then I ran the following:
 
 ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D 
 "cn=Directory Manager" -W -f /root/change-settings.ldif
 
 and I get the follow

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread Rob Crittenden

John Moyer wrote:

So I did that, and it executed perfectly (went back and checked that it did 
indeed replace the value as expected).  I got on the machine I was trying to 
add and got this:

root@ ~]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
The CA cert available from the IPA server does not match the
local certificate available at /etc/ipa/ca.crt
Existing CA cert:
 Subject: CN=Certificate Authority,O=EXAMPLE.COM
 Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
 Valid From:  Wed Mar 02 18:52:05 2013 UTC
 Valid Until: Sun Mar 02 18:52:05 2033 UTC

Retrieved CA cert:
 Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
 Issuer:  serialNumber=07969287,CN=Go Daddy Secure Certification 
Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, 
Inc.",L=Scottsdale,ST=Arizona,C=US
 Valid From:  Thu Dec 01 14:57:49 2011 UTC
 Valid Until: Sun Dec 01 14:57:49 2013 UTC

Cannot obtain CA certificate
'ldap://server.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Then I tried to change the local machine's /etc/ipa/ca.crt to match the server.
I then got this:


Next time you can just remove /etc/ipa/ca.crt. The client will fetch an 
updated one. This is fixed upstream.



[root@]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


You replaced the web server cert as well, right? And restarted Apache?

rob




Thanks,
_
John Moyer
Director, IT Operations


On May 24, 2013, at 3:11 PM, Rob Crittenden  wrote:


John Moyer wrote:

So unfortunately a rebuild would be less than optimal for me; lots of servers 
and users.  So I've tried Dmitri's idea of ldapi and I have access to LDAP 
now; however, I may be going about this entire thing wrong.   I created an LDIF 
file that looks like this:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following:

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory 
Manager" -W -f /root/change-settings.ldif

and I get the following error:

Enter LDAP Password:
modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "cacert" not allowed



The attribute you want is caCertificate. What you need to do is convert your CA 
cert from PEM format to DER:

openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER

Then use this ldif:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der

That should do it.

rob






Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread John Moyer
So I did that, and it executed perfectly (went back and checked that it did 
indeed replace the value as expected).  I got on the machine I was trying to 
add and got this: 

root@ ~]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
The CA cert available from the IPA server does not match the
local certificate available at /etc/ipa/ca.crt
Existing CA cert:
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
Valid From:  Wed Mar 02 18:52:05 2013 UTC
Valid Until: Sun Mar 02 18:52:05 2033 UTC

Retrieved CA cert:
Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
Issuer:  serialNumber=07969287,CN=Go Daddy Secure Certification 
Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, 
Inc.",L=Scottsdale,ST=Arizona,C=US
Valid From:  Thu Dec 01 14:57:49 2011 UTC
Valid Until: Sun Dec 01 14:57:49 2013 UTC

Cannot obtain CA certificate
'ldap://server.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Then I tried to change the local machine's /etc/ipa/ca.crt to match the server.
I then got this: 

[root@]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks, 
_
John Moyer
Director, IT Operations


On May 24, 2013, at 3:11 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> So unfortunately a rebuild would be less than optimal for me; lots of 
>> servers and users.  So I've tried Dmitri's idea of ldapi and I have 
>> access to LDAP now; however, I may be going about this entire thing wrong.   
>> I created an LDIF file that looks like this:
>> 
>> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
>>  changetype: modify
>>  replace: cacert
>>  cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
>> 
>> Then I ran the following:
>> 
>> ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D 
>> "cn=Directory Manager" -W -f /root/change-settings.ldif
>> 
>> and I get the following error:
>> 
>> Enter LDAP Password:
>> modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
>> ldap_modify: Object class violation (65)
>>  additional info: attribute "cacert" not allowed
>> 
> 
> The attribute you want is caCertificate. What you need to do is convert your 
> CA cert from PEM format to DER:
> 
> openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER
> 
> Then use this ldif:
> 
> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
> changetype: modify
> replace: cacertificate;binary
> cacertificate;binary:< file:///tmp/ca.der
> 
> That should do it.
> 
> rob




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread Rob Crittenden

John Moyer wrote:

So unfortunately a rebuild would be less than optimal for me; lots of servers 
and users.  So I've tried Dmitri's idea of ldapi and I have access to LDAP 
now; however, I may be going about this entire thing wrong.   I created an LDIF 
file that looks like this:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following:

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory 
Manager" -W -f /root/change-settings.ldif

and I get the following error:

Enter LDAP Password:
modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "cacert" not allowed



The attribute you want is caCertificate. What you need to do is convert 
your CA cert from PEM format to DER:


openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER

Then use this ldif:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der

That should do it.

rob


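Rob's recipe above (`openssl x509 ... -outform DER`, then an LDIF that pulls the DER file in with `cacertificate;binary:< file:///tmp/ca.der`) as one self-contained script. This is an added example written for this page, not code from the thread or from FreeIPA: it decodes the PEM to DER with the standard library and writes the value inline in base64 (the `::` form from RFC 2849, folded at 76 columns), so the resulting LDIF can be read or diffed on its own, and it decodes its own output again to prove the round trip. The `cn=cacert,cn=ipa,cn=etc` entry and the base DN come from the thread; the placeholder bytes it runs on offline are constructed and are not a real certificate. One caveat the script does not check for you: the value must be the certificate of the CA that signed the HTTP/LDAP certs, not the server certificate itself (the "Retrieved CA cert" block earlier in the thread shows a subject of CN=*.example.com, which is the leaf). A PEM bundle holding more than one certificate is refused rather than guessed at.

```python
"""Build the LDIF that replaces cn=cacert,cn=ipa,cn=etc with a new CA cert.

Added example for this page, not code from the thread or from FreeIPA.
Standard-library equivalent of Rob's `openssl x509 -outform DER` plus an
LDIF with `cacertificate;binary:< file:///tmp/ca.der`, with the value
written inline in base64 instead of referenced by file URL.
"""
import base64
import hashlib
import re
from typing import List

CACERT_DN_TEMPLATE = "cn=cacert,cn=ipa,cn=etc,{base_dn}"
ATTR = "caCertificate;binary"   # the attribute Rob names; "cacert" is not in the schema
LDIF_WIDTH = 76                 # conventional fold width for LDIF lines

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Same result as `openssl x509 -in ca.crt -outform DER` for one PEM cert."""
    blocks = _PEM_BLOCK.findall(pem)
    if len(blocks) != 1:
        # A chain bundle needs one CA entry per certificate; refuse to guess which.
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der; used here only to build the offline sample input."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder, not a real certificate: 768 bytes of known content.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def fold_ldif_line(line: str, width: int = LDIF_WIDTH) -> List[str]:
    """Fold one logical LDIF line; continuation lines start with a single space."""
    out = [line[:width]]
    pos = width
    while pos < len(line):
        out.append(" " + line[pos:pos + width - 1])
        pos += width - 1
    return out


def cacert_ldif(base_dn: str, der: bytes) -> str:
    """Modify LDIF that replaces caCertificate;binary with the given DER cert."""
    value = base64.b64encode(der).decode("ascii")
    lines = [
        f"dn: {CACERT_DN_TEMPLATE.format(base_dn=base_dn)}",
        "changetype: modify",
        f"replace: {ATTR}",
        *fold_ldif_line(f"{ATTR}:: {value}"),   # '::' marks a base64 value
        "-",
    ]
    return "\n".join(lines) + "\n"


def ldif_binary_value(ldif: str, attr: str) -> bytes:
    """Unfold the LDIF and decode `attr:: <base64>` back to bytes (round-trip check)."""
    unfolded = ldif.replace("\n ", "")
    m = re.search(rf"^{re.escape(attr)}:: (\S+)$", unfolded, re.M)
    if m is None:
        raise ValueError(f"{attr} not found in LDIF")
    return base64.b64decode(m.group(1), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER, to compare with what /etc/ipa/ca.crt on a client decodes to."""
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    import sys
    # Usage: cacert_ldif.py [ca.pem] [base_dn]; with no arguments the sample runs.
    pem = open(sys.argv[1], encoding="ascii").read() if len(sys.argv) > 1 else SAMPLE_PEM
    base_dn = sys.argv[2] if len(sys.argv) > 2 else "dc=example,dc=com"
    der = pem_to_der(pem)
    sys.stderr.write(f"sha256 of DER: {fingerprint(der)}\n")
    sys.stdout.write(cacert_ldif(base_dn, der))
```

Run it as `python3 cacert_ldif.py /path/to/godaddy-ca.crt dc=example,dc=com > /root/cacert.ldif` and apply the file with the same ldapmodify invocation John used over ldapi as `cn=Directory Manager`; the fingerprint printed on stderr is the value to compare against the CA a client ends up with. As Rob notes, the same CA also has to be in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt on the server.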

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread John Moyer
So unfortunately a rebuild would be less than optimal for me; lots of servers 
and users.  So I've tried Dmitri's idea of ldapi and I have access to LDAP 
now; however, I may be going about this entire thing wrong.   I created an LDIF 
file that looks like this: 

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following: 

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D 
"cn=Directory Manager" -W -f /root/change-settings.ldif

and I get the following error: 

Enter LDAP Password:
modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
ldap_modify: Object class violation (65)
additional info: attribute "cacert" not allowed


Anyone have any ideas? 




Thanks, 
_
John Moyer
Director, IT Operations


On May 24, 2013, at 3:53 AM, Martin Kosek  wrote:

> On 05/23/2013 07:37 PM, John Moyer wrote:
>> So I found this page and followed it.  The http daemon works great (it no longer
>> complains about the cert not being for my URL).  However, now I can't bind
>> any more servers to my IPA server.   The current servers enrolled before I did
>> this work great (and I can log in using my IPA credentials).   However, I just
>> can't add any more.   Does anyone have any ideas?  I tried removing the certs
>> and that made it so I can't start httpd (so I put the cert back). 
>> 
>> 
>> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>> 
>> Thanks, 
>> _
>> John Moyer
>> 
> 
> Hi John,
> 
> I see that Dmitri and Rob are already trying to help you with this configuration. I
> would just like to note that the page you refer to may not be fully up to date
> (it has not been touched since 2010). I added instructions to revisit the page in the
> ticket that Rob created:
> 
> https://fedorahosted.org/freeipa/ticket/3641
> 
> As for your issue, I do not know if you are still installing a new server or
> updating a running one. If installing a new one, you may be interested in
> FreeIPA version 3.2.0 which is being introduced in Fedora 19 and which
> revisited the way we install without CA (i.e. with custom ldap/http certs).
> This is a design page with more information:
> 
> http://www.freeipa.org/page/V3/CA-less_install
> 
> Martin




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread Martin Kosek
On 05/23/2013 07:37 PM, John Moyer wrote:
> So I found this page and followed it.  The http daemon works great (it no longer
> complains about the cert not being for my URL).  However, now I can't bind
> any more servers to my IPA server.   The current servers enrolled before I did
> this work great (and I can log in using my IPA credentials).   However, I just
> can't add any more.   Does anyone have any ideas?  I tried removing the certs
> and that made it so I can't start httpd (so I put the cert back). 
> 
> 
> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> 
> Thanks, 
> _
> John Moyer
> 

Hi John,

I see that Dmitri and Rob are already trying to help you with this configuration. I
would just like to note that the page you refer to may not be fully up to date
(it has not been touched since 2010). I added instructions to revisit the page in the
ticket that Rob created:

https://fedorahosted.org/freeipa/ticket/3641

As for your issue, I do not know if you are still installing a new server or
updating a running one. If installing a new one, you may be interested in
FreeIPA version 3.2.0 which is being introduced in Fedora 19 and which
revisited the way we install without CA (i.e. with custom ldap/http certs).
This is a design page with more information:

http://www.freeipa.org/page/V3/CA-less_install

Martin



Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread Dmitri Pal
On 05/23/2013 05:10 PM, John Moyer wrote:
> Rob, 
>
>   I tried what you suggested on the client, and that did not work.   I 
> copied my cert over those two files you suggested; that was easy.  However, is 
> there a more manual way to change that LDAP setting you are talking about?  
> The LDAP server is not letting me in because of the cert error.   I see 
> some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate 
> those to match the new SSL cert nickname that is used in NSS for the Godaddy 
> cert, or turn off SSL so I can manipulate it? 

I think if you run ldapmodify as a directory manager on the server
machine using ldapi you would be able to bypass the cert check.

>
>
>
> Thanks, 
> _
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc
>
> On May 23, 2013, at 4:20 PM, Rob Crittenden  wrote:
>
>> John Moyer wrote:
>>> Dmitri,
>>>
>>> Here are the corresponding answers, thanks for the quick response.
>>>
>>>
>>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>>> 2.
>>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com
>>>  --server=ipa1.corp.digitalreasoning.com
>>>  --realm=EXAMPLE.COM
>>>  -p builduser -w "BLAH" -U
>>> Hostname: client.example.com 
>>> Realm: EXAMPLE.COM 
>>> DNS Domain: example.com 
>>> IPA Server: server.example.com 
>>> BaseDN: dc=example,dc=com
>>>
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST
>>> transaction.  Peer certificate cannot be authenticated with known CA
>>> certificates
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> 3.
>>> 2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
>>> 
>>> 2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com
>>> :
>>>
>>> 2013-05-23T17:45:16Z DEBUG stderr=
>>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>>> ldap://server.example.com
>>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>>> identical
>>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com
>>>  -b dc=example,dc=com
>>> 2013-05-23T17:45:16Z DEBUG stdout=
>>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>>> POST transaction.  Peer certificate cannot be authenticated with known
>>> CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>>> execute the HTTP POST transaction.  Peer certificate cannot be
>>> authenticated with known CA certificates
>>>
>>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
>> You need to put the Go Daddy CA cert into LDAP in 
>> cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. 
>> And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
>>
>> It looks like this isn't being done automatically by ipa-server-certinstall. 
>> I opened https://fedorahosted.org/freeipa/ticket/3641
>>
>> A quick fix would be to try this on the client machine before trying 
>> enrollment:
>>
>> # cd /etc/pki/nssdb/
>> # ln -s /usr/lib64/nss/libnssckbi.so .
>>
>> (or lib if a 32-bit machine)
>>
>> That will add the global bundle to the NSS database. Then re-try the 
>> enrollment, it may work.
>>
>> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
Rob, 

I tried what you suggested on the client, and that did not work.   I 
copied my cert over those two files you suggested; that was easy.  However, is 
there a more manual way to change that LDAP setting you are talking about?  
The LDAP server is not letting me in because of the cert error.   I see 
some settings in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif; can I manipulate those 
to match the new SSL cert nickname that is used in NSS for the Godaddy cert, or 
turn off SSL so I can manipulate it? 



Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc

On May 23, 2013, at 4:20 PM, Rob Crittenden  wrote:

> John Moyer wrote:
>> Dmitri,
>> 
>> Here are the corresponding answers, thanks for the quick response.
>> 
>> 
>> 1. ipa-client-3.0.0-26.el6_4.2.x86_64
>> 2.
>> [root@ ~]# ipa-client-install --domain=digitalreasoning.com
>>  --server=ipa1.corp.digitalreasoning.com
>>  --realm=EXAMPLE.COM
>>  -p builduser -w "BLAH" -U
>> Hostname: client.example.com 
>> Realm: EXAMPLE.COM 
>> DNS Domain: example.com 
>> IPA Server: server.example.com 
>> BaseDN: dc=example,dc=com
>> 
>> Synchronizing time with KDC...
>> Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction.  Peer certificate cannot be authenticated with known CA
>> certificates
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> 
>> 3.
>> 2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
>> 
>> 2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com
>> :
>> 
>> 2013-05-23T17:45:16Z DEBUG stderr=
>> 2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
>> ldap://server.example.com
>> 2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
>> identical
>> 2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com
>>  -b dc=example,dc=com
>> 2013-05-23T17:45:16Z DEBUG stdout=
>> 2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
>> POST transaction.  Peer certificate cannot be authenticated with known
>> CA certificates
>> 
>> 2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
>> execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates
>> 
>> 2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
>> 2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
> 
> You need to put the Go Daddy CA cert into LDAP in 
> cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. 
> And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
> 
> It looks like this isn't being done automatically by ipa-server-certinstall. 
> I opened https://fedorahosted.org/freeipa/ticket/3641
> 
> A quick fix would be to try this on the client machine before trying 
> enrollment:
> 
> # cd /etc/pki/nssdb/
> # ln -s /usr/lib64/nss/libnssckbi.so .
> 
> (or lib if a 32-bit machine)
> 
> That will add the global bundle to the NSS database. Then re-try the 
> enrollment, it may work.
> 
> rob




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread Rob Crittenden

John Moyer wrote:

Dmitri,

Here are the corresponding answers, thanks for the quick response.


1. ipa-client-3.0.0-26.el6_4.2.x86_64
2.
[root@ ~]# ipa-client-install --domain=digitalreasoning.com
 --server=ipa1.corp.digitalreasoning.com
 --realm=EXAMPLE.COM
 -p builduser -w "BLAH" -U
Hostname: client.example.com 
Realm: EXAMPLE.COM 
DNS Domain: example.com 
IPA Server: server.example.com 
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST
transaction.  Peer certificate cannot be authenticated with known CA
certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

3.
2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com

2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com
:

2013-05-23T17:45:16Z DEBUG stderr=
2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
ldap://server.example.com
2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com
 -b dc=example,dc=com
2013-05-23T17:45:16Z DEBUG stdout=
2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
POST transaction.  Peer certificate cannot be authenticated with known
CA certificates

2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates

2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.


You need to put the Go Daddy CA cert into LDAP in 
cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate 
attribute. And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.


It looks like this isn't being done automatically by 
ipa-server-certinstall. I opened 
https://fedorahosted.org/freeipa/ticket/3641


A quick fix would be to try this on the client machine before trying 
enrollment:


# cd /etc/pki/nssdb/
# ln -s /usr/lib64/nss/libnssckbi.so .

(or lib if a 32-bit machine)

That will add the global bundle to the NSS database. Then re-try the 
enrollment, it may work.


rob



Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
Dmitri, 

Here are the corresponding answers, thanks for the quick response. 


1. ipa-client-3.0.0-26.el6_4.2.x86_64
2. 
[root@ ~]# ipa-client-install --domain=digitalreasoning.com 
--server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w 
"BLAH" -U
Hostname: client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

3. 
2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com:

2013-05-23T17:45:16Z DEBUG stderr=
2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from 
ldap://server.example.com
2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are identical
2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b 
dc=example,dc=com
2013-05-23T17:45:16Z DEBUG stdout=
2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP POST 
transaction.  Peer certificate cannot be authenticated with known CA 
certificates

2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to execute the 
HTTP POST transaction.  Peer certificate cannot be authenticated with known CA 
certificates

2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.

Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On May 23, 2013, at 2:50 PM, Dmitri Pal  wrote:

> On 05/23/2013 01:37 PM, John Moyer wrote:
>> 
>> So I found this page and followed it.  The http daemon works great (it no 
>> longer complains about the cert not being for my URL).  However, now I can't 
>> bind any more servers to my IPA server.   The current servers enrolled before 
>> I did this work great (and I can log in using my IPA credentials).   However, 
>> I just can't add any more.   Does anyone have any ideas?  I tried removing 
>> the certs and that made it so I can't start httpd (so I put the cert back). 
>> 
>> 
>> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>> 
>> Thanks, 
>> _
>> John Moyer
>> 
>> 
> 
> We need more info:
> 
> 1) What version of the client?
> 2) What is the output of the ipa-client-install?
> 3) What does the client install log contain?
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 

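The log above ends in libcurl rejecting the server's HTTPS certificate because its issuer is not in the trust store the client consults. The script below is an added example, not part of this thread or of FreeIPA: it builds two throwaway CAs and a server certificate with openssl, then verifies that certificate against each CA bundle, reproducing the same "trusted vs. untrusted issuer" split offline. All names (the CA labels, `server.example.com`) and paths are constructed for the demo; the only assumption is that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: reproduce an "issuer not trusted" failure offline.
# Not code from the thread or from FreeIPA. Assumes openssl is installed.
set -e
WORK=$(mktemp -d)

# Two private CAs (constructed): "thirdparty" issues the server cert, the way a
# commercial CA would; "ipa" stands in for the CA the enrolling client trusts.
make_ca() {  # $1 = CA label
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1 test CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}
make_ca thirdparty
make_ca ipa

# Server key and CSR, then a certificate signed by the third-party CA only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/thirdparty-ca.pem" -CAkey "$WORK/thirdparty-ca.key" \
  -CAcreateserial -out "$WORK/server.pem" 2>/dev/null

# verify_chain BUNDLE CERT: prints "ok" when CERT chains to a CA in BUNDLE,
# "untrusted" otherwise. This is the check libcurl performs before the POST.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# diagnose: show the result against both bundles side by side.
diagnose() {
  echo "issuer CA bundle : $(verify_chain "$WORK/thirdparty-ca.pem" "$WORK/server.pem")"
  echo "client CA bundle : $(verify_chain "$WORK/ipa-ca.pem" "$WORK/server.pem")"
}

diagnose
echo "test material left in $WORK"
```

The second line of `diagnose` is the situation the thread describes: the certificate is valid, but the bundle the client checks against does not contain its issuer, so verification fails before any HTTP request is made. The fix is on the trust side (make the issuing CA known to the client), not on the server certificate.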

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread Dmitri Pal
On 05/23/2013 01:37 PM, John Moyer wrote:
> So I found this page and followed it.  The http daemon works great (no
> longer complains about not being the cert for my URL).  However, now I
> can't bind any more servers to my IPA server.   The current servers
> enrolled before I did this work great (and I can login using my IPA
> credentials).   However, I just can't add any more.   Does anyone have
> any ideas?  I tried removing the certs and that made it so I can't
> start httpd (so I put the cert back). 
>
>
> http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> Thanks, 
> _
> John Moyer
>
>

We need more info:

1) What version of the client?
2) What is the output of the ipa-client-install?
3) What does the client install log contain?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
So I found this page and followed it.  The http daemon works great (no longer 
complains about not being the cert for my URL).  However, now I can't bind 
any more servers to my IPA server.   The current servers enrolled before I did 
this work great (and I can login using my IPA credentials).   However, I just 
can't add any more.   Does anyone have any ideas?  I tried removing the certs 
and that made it so I can't start httpd (so I put the cert back). 


http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Thanks, 
_
John Moyer