Re: [Freeipa-users] exporting ldap certificate

2013-07-23 Thread John Moyer
Peter,

Did you get this to work? I know this is an old thread, but where did you put
those Java parameters? I am trying to get GADS to work for my IPA server and
think this is my problem.

Thanks,
John Moyer

On May 7, 2013, at 4:37 AM, Peter Brown <rendhal...@gmail.com> wrote:

 On 7 May 2013 16:50, Martin Kosek <mko...@redhat.com> wrote:
 On 05/07/2013 04:51 AM, Peter Brown wrote:
  On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com> wrote:
 
  I am glad you made it work. Just for the record, CRL and OCSP revocation
  URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2
  that will make it work again.
 
 
  Thanks for the heads-up, Martin.
  I will likely upgrade to 3.2 once Fedora 19 is released.
 
  I am going to assume my 3.1 clients will be compatible?
 
 Yes, this is a correct assumption. BTW we are just in the process of testing
 and releasing the FreeIPA 3.1.4 bugfix release for Fedora 18, which will
 also contain the CRL/OCSP URI fixes (will happen this week). Any help with
 testing 3.1.4 when it is released is appreciated.
 
 Awesome.
 I shall install them and let you know how I go.
 
  
 
 Martin
 
 
 
 
  More information can be found in the FreeIPA.org wiki:
  http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
 
  Relevant upstream ticket:
  https://fedorahosted.org/freeipa/ticket/3552
 
  Martin
 
  On 04/29/2013 06:59 AM, Peter Brown wrote:
   I finally got this to work.
  
   I managed to get an error message that told me it couldn't check the
   revocation of the certificates against a CRL.
   I tried to find out how to tell Java where to find that CRL, but instead I
   discovered these options to tell Java not to check a CRL:
   -Dcom.sun.net.ssl.checkRevocation=false
   -Dcom.sun.security.enableCRLDP=false
  
  
   On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:
  
   Hello,
  
  
   On 04/26/2013 07:22 AM, Peter Brown wrote:
  
   Hi everyone.
  
   I am attempting to get Google Apps to sync with FreeIPA and I am having
   problems getting the sync utility to talk to FreeIPA.
   It complains about the SSL cert.
   I have it set up so it only accepts SSL or TLS encrypted connections and
   I don't want to turn that off.
   I have imported the CA cert using the JRE's keytool but it still refuses
   to connect.
   I am getting the impression I need to import the SSL cert for the LDAP
   server into it as well.
  
  
   The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
   certs. Make sure you import it with the right trust level (SSL certificate
   signing). Unfortunately I don't know about the JRE's keytool so I can't be
   more specific.
  
  
  
   I have no idea which certificate that is and I have no idea how to
   export it.
  
  
   Do not do this. You should only explicitly trust the CA cert.
   For example, if you trust the certs explicitly you'd have to re-import
   them one by one when they are renewed.
  
  
   Can someone please tell me how to do this?
  
  
   If you really want to:
   There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
   for the LDAP server.
   To export the httpd server certificate (to PEM):
   $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
   To export the directory server certificate (to PEM):
   $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
   But again, you don't need this for what you're trying to do.
  
   --
   Petr³
  
  
  
  
   ___
   Freeipa-users mailing list
   Freeipa-users@redhat.com
   https://www.redhat.com/mailman/listinfo/freeipa-users
  
 
 
 
 


Re: [Freeipa-users] exporting ldap certificate

2013-05-07 Thread Martin Kosek
On 05/07/2013 04:51 AM, Peter Brown wrote:
 On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com> wrote:
 
 I am glad you made it work. Just for the record, CRL and OCSP revocation
 URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2
 that will make it work again.
 
 
 Thanks for the heads-up, Martin.
 I will likely upgrade to 3.2 once Fedora 19 is released.
 
 I am going to assume my 3.1 clients will be compatible?

Yes, this is a correct assumption. BTW we are just in the process of testing
and releasing the FreeIPA 3.1.4 bugfix release for Fedora 18, which will also
contain the CRL/OCSP URI fixes (will happen this week). Any help with testing
3.1.4 when it is released is appreciated.

Martin

  
 
 
 More information can be found in the FreeIPA.org wiki:
 http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
 
 Relevant upstream ticket:
 https://fedorahosted.org/freeipa/ticket/3552
 
 Martin
 
 On 04/29/2013 06:59 AM, Peter Brown wrote:
  I finally got this to work.
 
  I managed to get an error message that told me it couldn't check the
  revocation of the certificates against a CRL.
  I tried to find out how to tell Java where to find that CRL, but instead I
  discovered these options to tell Java not to check a CRL:
  -Dcom.sun.net.ssl.checkRevocation=false
  -Dcom.sun.security.enableCRLDP=false
 
 
  On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:
 
  Hello,
 
 
  On 04/26/2013 07:22 AM, Peter Brown wrote:
 
  Hi everyone.
 
  I am attempting to get Google Apps to sync with FreeIPA and I am having
  problems getting the sync utility to talk to FreeIPA.
  It complains about the SSL cert.
  I have it set up so it only accepts SSL or TLS encrypted connections and
  I don't want to turn that off.
  I have imported the CA cert using the JRE's keytool but it still refuses
  to connect.
  I am getting the impression I need to import the SSL cert for the LDAP
  server into it as well.
 
 
  The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
  certs. Make sure you import it with the right trust level (SSL certificate
  signing). Unfortunately I don't know about the JRE's keytool so I can't be
  more specific.
 
 
 
  I have no idea which certificate that is and I have no idea how to
  export it.
 
 
  Do not do this. You should only explicitly trust the CA cert.
  For example, if you trust the certs explicitly you'd have to re-import
  them one by one when they are renewed.
 
 
  Can someone please tell me how to do this?
 
 
  If you really want to:
  There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
  for the LDAP server.
  To export the httpd server certificate (to PEM):
  $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
  To export the directory server certificate (to PEM):
  $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
  But again, you don't need this for what you're trying to do.
 
  --
  Petr³
 
 
 
 
 
 
 


Re: [Freeipa-users] exporting ldap certificate

2013-05-07 Thread Peter Brown
On 7 May 2013 16:50, Martin Kosek <mko...@redhat.com> wrote:

 On 05/07/2013 04:51 AM, Peter Brown wrote:
  On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com> wrote:
 
  I am glad you made it work. Just for the record, CRL and OCSP revocation
  URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2
  that will make it work again.
 
 
  Thanks for the heads-up, Martin.
  I will likely upgrade to 3.2 once Fedora 19 is released.
 
  I am going to assume my 3.1 clients will be compatible?

 Yes, this is a correct assumption. BTW we are just in the process of testing
 and releasing the FreeIPA 3.1.4 bugfix release for Fedora 18, which will
 also contain the CRL/OCSP URI fixes (will happen this week). Any help with
 testing 3.1.4 when it is released is appreciated.


Awesome.
I shall install them and let you know how I go.




 Martin

 
 
 
  More information can be found in the FreeIPA.org wiki:
  http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
 
  Relevant upstream ticket:
  https://fedorahosted.org/freeipa/ticket/3552
 
  Martin
 
  On 04/29/2013 06:59 AM, Peter Brown wrote:
   I finally got this to work.
  
   I managed to get an error message that told me it couldn't check the
   revocation of the certificates against a CRL.
   I tried to find out how to tell Java where to find that CRL, but instead I
   discovered these options to tell Java not to check a CRL:
   -Dcom.sun.net.ssl.checkRevocation=false
   -Dcom.sun.security.enableCRLDP=false
  
  
   On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:
  
   Hello,
  
  
   On 04/26/2013 07:22 AM, Peter Brown wrote:
  
   Hi everyone.
  
   I am attempting to get Google Apps to sync with FreeIPA and I am having
   problems getting the sync utility to talk to FreeIPA.
   It complains about the SSL cert.
   I have it set up so it only accepts SSL or TLS encrypted connections and
   I don't want to turn that off.
   I have imported the CA cert using the JRE's keytool but it still refuses
   to connect.
   I am getting the impression I need to import the SSL cert for the LDAP
   server into it as well.
  
  
   The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
   certs. Make sure you import it with the right trust level (SSL certificate
   signing). Unfortunately I don't know about the JRE's keytool so I can't be
   more specific.
  
  
  
   I have no idea which certificate that is and I have no idea how to
   export it.
  
  
   Do not do this. You should only explicitly trust the CA cert.
   For example, if you trust the certs explicitly you'd have to re-import
   them one by one when they are renewed.
  
  
   Can someone please tell me how to do this?
  
  
   If you really want to:
   There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
   for the LDAP server.
   To export the httpd server certificate (to PEM):
   $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
   To export the directory server certificate (to PEM):
   $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
   But again, you don't need this for what you're trying to do.
  
   --
   Petr³
  
  
  
  
  
 
 



Re: [Freeipa-users] exporting ldap certificate

2013-05-06 Thread Martin Kosek
I am glad you made it work. Just for the record, CRL and OCSP revocation
URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2 that
will make it work again.

More information can be found in the FreeIPA.org wiki:
http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs

Relevant upstream ticket:
https://fedorahosted.org/freeipa/ticket/3552

Martin

On 04/29/2013 06:59 AM, Peter Brown wrote:
 I finally got this to work.
 
 I managed to get an error message that told me it couldn't check the
 revocation of the certificates against a CRL.
 I tried to find out how to tell Java where to find that CRL, but instead I
 discovered these options to tell Java not to check a CRL:
 -Dcom.sun.net.ssl.checkRevocation=false
 -Dcom.sun.security.enableCRLDP=false
 
 
 On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:
 
 Hello,
 
 
 On 04/26/2013 07:22 AM, Peter Brown wrote:
 
 Hi everyone.
 
 I am attempting to get Google Apps to sync with FreeIPA and I am having
 problems getting the sync utility to talk to FreeIPA.
 It complains about the SSL cert.
 I have it set up so it only accepts SSL or TLS encrypted connections and
 I don't want to turn that off.
 I have imported the CA cert using the JRE's keytool but it still refuses
 to connect.
 I am getting the impression I need to import the SSL cert for the LDAP
 server into it as well.
 
 
 The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
 certs. Make sure you import it with the right trust level (SSL certificate
 signing). Unfortunately I don't know about the JRE's keytool so I can't be
 more specific.
 
 
 
 I have no idea which certificate that is and I have no idea how to
 export it.
 
 
 Do not do this. You should only explicitly trust the CA cert.
 For example, if you trust the certs explicitly you'd have to re-import
 them one by one when they are renewed.
 
 
 Can someone please tell me how to do this?
 
 
 If you really want to:
 There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
 for the LDAP server.
 To export the httpd server certificate (to PEM):
 $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
 To export the directory server certificate (to PEM):
 $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
 But again, you don't need this for what you're trying to do.
 
 -- 
 Petr³
 
 
 
 
 


Re: [Freeipa-users] exporting ldap certificate

2013-05-06 Thread Peter Brown
On 6 May 2013 17:07, Martin Kosek <mko...@redhat.com> wrote:

 I am glad you made it work. Just for the record, CRL and OCSP revocation
 URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2
 that will make it work again.


Thanks for the heads-up, Martin.
I will likely upgrade to 3.2 once Fedora 19 is released.

I am going to assume my 3.1 clients will be compatible?



 More information can be found in the FreeIPA.org wiki:
 http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs

 Relevant upstream ticket:
 https://fedorahosted.org/freeipa/ticket/3552

 Martin

 On 04/29/2013 06:59 AM, Peter Brown wrote:
  I finally got this to work.
 
  I managed to get an error message that told me it couldn't check the
  revocation of the certificates against a CRL.
  I tried to find out how to tell Java where to find that CRL, but instead I
  discovered these options to tell Java not to check a CRL:
  -Dcom.sun.net.ssl.checkRevocation=false
  -Dcom.sun.security.enableCRLDP=false
 
 
  On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:
 
  Hello,
 
 
  On 04/26/2013 07:22 AM, Peter Brown wrote:
 
  Hi everyone.
 
  I am attempting to get Google Apps to sync with FreeIPA and I am having
  problems getting the sync utility to talk to FreeIPA.
  It complains about the SSL cert.
  I have it set up so it only accepts SSL or TLS encrypted connections and
  I don't want to turn that off.
  I have imported the CA cert using the JRE's keytool but it still refuses
  to connect.
  I am getting the impression I need to import the SSL cert for the LDAP
  server into it as well.
 
 
  The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
  certs. Make sure you import it with the right trust level (SSL certificate
  signing). Unfortunately I don't know about the JRE's keytool so I can't be
  more specific.
 
 
 
  I have no idea which certificate that is and I have no idea how to
  export it.
 
 
  Do not do this. You should only explicitly trust the CA cert.
  For example, if you trust the certs explicitly you'd have to re-import
  them one by one when they are renewed.
 
 
  Can someone please tell me how to do this?
 
 
  If you really want to:
  There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
  for the LDAP server.
  To export the httpd server certificate (to PEM):
  $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
  To export the directory server certificate (to PEM):
  $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
  But again, you don't need this for what you're trying to do.
 
  --
  Petr³
 
 
 
 
 



Re: [Freeipa-users] exporting ldap certificate

2013-04-28 Thread Peter Brown
I finally got this to work.

I managed to get an error message that told me it couldn't check the
revocation of the certificates against a CRL.
I tried to find out how to tell Java where to find that CRL, but instead I
discovered these options to tell Java not to check a CRL:
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false


On 26 April 2013 18:30, Petr Viktorin <pvikt...@redhat.com> wrote:

 Hello,


 On 04/26/2013 07:22 AM, Peter Brown wrote:

 Hi everyone.

 I am attempting to get Google Apps to sync with FreeIPA and I am having
 problems getting the sync utility to talk to FreeIPA.
 It complains about the SSL cert.
 I have it set up so it only accepts SSL or TLS encrypted connections and
 I don't want to turn that off.
 I have imported the CA cert using the JRE's keytool but it still refuses
 to connect.
 I am getting the impression I need to import the SSL cert for the LDAP
 server into it as well.


 The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
 certs. Make sure you import it with the right trust level (SSL certificate
 signing). Unfortunately I don't know about the JRE's keytool so I can't be
 more specific.



  I have no idea which certificate that is and I have no idea how to
 export it.


 Do not do this. You should only explicitly trust the CA cert.
 For example, if you trust the certs explicitly you'd have to re-import
 them one by one when they are renewed.


  Can someone please tell me how to do this?


 If you really want to:
 There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
 for the LDAP server.
 To export the httpd server certificate (to PEM):
 $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
 To export the directory server certificate (to PEM):
 $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
 But again, you don't need this for what you're trying to do.

 --
 Petr³



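The two -D options in the message above make the sync tool connect by turning certificate revocation checking off altogether, which is a weaker posture than fixing the CRL/OCSP URIs in the certificates. As an added example (not code from this thread or from the FreeIPA project), the following Python script audits a Java launch line, such as the one a directory-sync tool is started with, and reports whether revocation checking has been explicitly disabled and which truststore the JVM will use. The jar name `gads.jar` and the truststore path are constructed placeholders; `ocsp.enable` is the java.security switch for OCSP and is included so a java.security fragment can be checked alongside the command line.

```python
"""Audit a JVM launch line for TLS revocation-checking settings.

Added example for the FreeIPA / Google Apps sync thread; not code from the
thread or the FreeIPA project. It reads the -D system properties off a Java
command line plus optional java.security-style lines and reports whether
certificate revocation checking has been switched off.
"""
import shlex

# Properties named in the thread, plus the java.security switch for OCSP.
REVOCATION_PROPS = {
    "com.sun.net.ssl.checkRevocation": "JSSE revocation checking",
    "com.sun.security.enableCRLDP": "CRL Distribution Point fetching",
    "ocsp.enable": "OCSP checking",
}

# Constructed sample inputs: the jar name and truststore path are placeholders.
SAMPLE_CMDLINE = (
    "java -Dcom.sun.net.ssl.checkRevocation=false "
    "-Dcom.sun.security.enableCRLDP=false "
    "-Djavax.net.ssl.trustStore=/etc/pki/java/ipa-truststore.jks "
    "-jar gads.jar"
)
HARDENED_CMDLINE = (
    "java -Djavax.net.ssl.trustStore=/etc/pki/java/ipa-truststore.jks "
    "-jar gads.jar"
)
SAMPLE_JAVA_SECURITY = """
# constructed java.security fragment
ocsp.enable=true
"""


def parse_system_properties(cmdline):
    """Return {name: value} for every -Dname=value token on the command line.

    A bare -Dname (no '=') sets the property to the empty string, which is
    what the java launcher does.
    """
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and len(tok) > 2:
            name, sep, value = tok[2:].partition("=")
            props[name] = value if sep else ""
    return props


def parse_java_security(text):
    """Parse 'key=value' lines from a java.security-style file ('#' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            props[name.strip()] = value.strip()
    return props


def audit_revocation(cmdline, java_security_text=""):
    """Merge both sources (command-line -D wins) and flag disabled checks.

    Returns the effective value of each relevant property (None when unset,
    meaning the application/JRE default applies), the truststore in use,
    whether any revocation check is explicitly disabled, and the findings.
    """
    effective = parse_java_security(java_security_text)
    effective.update(parse_system_properties(cmdline))

    disabled = []
    for name, what in REVOCATION_PROPS.items():
        value = effective.get(name)
        if value is not None and value.strip().lower() == "false":
            disabled.append(f"{what} explicitly disabled ({name}=false)")

    notes = []
    truststore = effective.get("javax.net.ssl.trustStore")
    if truststore is None:
        # Without the property, JSSE falls back to the JRE's own cacerts
        # file, so the IPA CA must have been imported there.
        notes.append("no javax.net.ssl.trustStore set; JRE default cacerts "
                     "must contain the IPA CA")

    return {
        "properties": {n: effective.get(n) for n in REVOCATION_PROPS},
        "truststore": truststore,
        "revocation_disabled": bool(disabled),
        "findings": disabled + notes,
    }


if __name__ == "__main__":
    for label, line in (("workaround", SAMPLE_CMDLINE),
                        ("hardened", HARDENED_CMDLINE)):
        report = audit_revocation(line, SAMPLE_JAVA_SECURITY)
        print(f"{label}: revocation_disabled={report['revocation_disabled']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the workaround line the report flags both properties; against the hardened line, which keeps the dedicated truststore but drops the two flags, it reports nothing disabled. The useful check from a defender's side is the first one: if a JVM that talks to the IPA LDAP server carries `checkRevocation=false`, the CRL failure Peter saw has been silenced rather than fixed, and the 3.2 URI fix Martin points to is the proper remedy.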
Re: [Freeipa-users] exporting ldap certificate

2013-04-26 Thread Petr Viktorin

Hello,

On 04/26/2013 07:22 AM, Peter Brown wrote:

Hi everyone.

I am attempting to get Google Apps to sync with FreeIPA and I am having
problems getting the sync utility to talk to FreeIPA.
It complains about the SSL cert.
I have it set up so it only accepts SSL or TLS encrypted connections and
I don't want to turn that off.
I have imported the CA cert using the JRE's keytool but it still refuses
to connect.
I am getting the impression I need to import the SSL cert for the LDAP
server into it as well.


The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other
certs. Make sure you import it with the right trust level (SSL certificate
signing). Unfortunately I don't know about the JRE's keytool so I can't be
more specific.



I have no idea which certificate that is and I have no idea how to
export it.


Do not do this. You should only explicitly trust the CA cert.
For example, if you trust the certs explicitly you'd have to re-import 
them one by one when they are renewed.



Can someone please tell me how to do this?


If you really want to:
There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
for the LDAP server.

To export the httpd server certificate (to PEM):
$ certutil -L -d /etc/httpd/alias -n Server-Cert -a
To export the directory server certificate (to PEM):
$ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
But again, you don't need this for what you're trying to do.

--
Petr³



[Freeipa-users] exporting ldap certificate

2013-04-25 Thread Peter Brown
Hi everyone.

I am attempting to get Google Apps to sync with FreeIPA and I am having
problems getting the sync utility to talk to FreeIPA.
It complains about the SSL cert.
I have it set up so it only accepts SSL or TLS encrypted connections and I
don't want to turn that off.
I have imported the CA cert using the JRE's keytool but it still refuses to
connect.
I am getting the impression I need to import the SSL cert for the LDAP
server into it as well.

I have no idea which certificate that is and I have no idea how to export
it.

Can someone please tell me how to do this?

Thanks in advance.

Pete.