John Moyer wrote:
Dmitri,
Here are the corresponding answers, thanks for the quick response.
1. ipa-client-3.0.0-26.el6_4.2.x86_64
2.
[root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST
transaction. Peer certificate cannot be authenticated with known CA
certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.
3.
2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com:
2013-05-23T17:45:16Z DEBUG stderr=
2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from
ldap://server.example.com
2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are
identical
2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
2013-05-23T17:45:16Z DEBUG stdout=
2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP
POST transaction. Peer certificate cannot be authenticated with known
CA certificates
2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates
2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.
You need to put the Go Daddy CA cert into LDAP in
cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate
attribute. And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.
It looks like this isn't being done automatically by
ipa-server-certinstall. I opened
https://fedorahosted.org/freeipa/ticket/3641
A quick fix would be to try this on the client machine before trying
enrollment:
# cd /etc/pki/nssdb/
# ln -s /usr/lib64/nss/libnssckbi.so .
(or lib if a 32-bit machine)
That will add the global bundle to the NSS database. Then re-try the
enrollment; it may work.
rob
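The failure above is libcurl refusing the IPA server's HTTPS certificate because it does not chain to any CA the client trusts (the NSS database used by ipa-join, plus /etc/ipa/ca.crt). The script below is an added example, not code from this thread or from FreeIPA: it reproduces that chain check with openssl on throw-away certificates it constructs itself (a CA standing in for the Go Daddy issuer, a server cert signed by it, and an unrelated CA standing in for a stale /etc/ipa/ca.crt), and it checks for the libnssckbi.so link that Rob's workaround creates. The paths /etc/pki/nssdb and the hostname server.example.com are assumptions; fetch_server_cert needs network access and is not run in the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original thread). Reproduces the CA-chain
# check that ipa-join/libcurl performs, on constructed certificates, so you
# can see which CA the client actually trusts before re-running enrollment.
set -eu

# 1. Is the NSS builtin-roots module present in this NSS database directory?
#    Rob's workaround symlinks libnssckbi.so into /etc/pki/nssdb; this only
#    reports whether such a link (or copy) exists. Exit 0 = present.
nssdb_has_builtin_roots() {
    dbdir=${1:-/etc/pki/nssdb}    # default path is an assumption
    [ -e "$dbdir/libnssckbi.so" ]
}

# 2. Does CERTFILE chain to the CA(s) in CAFILE? This is the check behind
#    "Peer certificate cannot be authenticated with known CA certificates".
#    Grepping for ": OK" works on old openssl builds whose exit code is unreliable.
cert_chains_to_ca() {
    cafile=$1; certfile=$2
    openssl verify -CAfile "$cafile" "$certfile" 2>/dev/null | grep -q ': OK$'
}

# 3. Fetch the leaf certificate the IPA server really presents on 443
#    (needs network; not invoked below). Feed its output to cert_chains_to_ca
#    with /etc/ipa/ca.crt to reproduce the client's decision.
fetch_server_cert() {
    server=$1
    openssl s_client -connect "$server:443" -servername "$server" </dev/null 2>/dev/null \
        | openssl x509
}

# --- Constructed test PKI (assumption: throw-away names, 1-day validity) -----
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Explicit config so the CA certs get CA:TRUE regardless of openssl defaults.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.com\n' \
        > "$dir/leaf.ext"
    # "Real" issuing CA (stands in for the commercial CA that signed the server cert)
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/real-ca.key" -out "$dir/real-ca.crt" \
        -subj "/CN=Test Issuing CA" >/dev/null 2>&1
    # Unrelated CA (stands in for a stale /etc/ipa/ca.crt on the client)
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/stale-ca.key" -out "$dir/stale-ca.crt" \
        -subj "/CN=Old IPA CA" >/dev/null 2>&1
    # Server certificate signed by the real CA
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=server.example.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" -extfile "$dir/leaf.ext" \
        -CA "$dir/real-ca.crt" -CAkey "$dir/real-ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    if cert_chains_to_ca "$tmp/real-ca.crt" "$tmp/server.crt"; then
        echo "server.crt chains to real-ca.crt: OK (what a fixed /etc/ipa/ca.crt gives you)"
    fi
    if ! cert_chains_to_ca "$tmp/stale-ca.crt" "$tmp/server.crt"; then
        echo "server.crt does not chain to stale-ca.crt: the ipa-join failure above"
    fi
    if nssdb_has_builtin_roots; then
        echo "libnssckbi.so is linked into /etc/pki/nssdb"
    else
        echo "no libnssckbi.so in /etc/pki/nssdb (Rob's symlink workaround not applied)"
    fi
    rm -rf "$tmp"
}

demo
```

To check a real client, run `fetch_server_cert ipa1.example.test > /tmp/ipa.pem` and then `cert_chains_to_ca /etc/ipa/ca.crt /tmp/ipa.pem`; if that fails while the same leaf verifies against the system bundle, the server certificate is not signed by the CA the client was enrolled with, which is exactly the situation Rob describes.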
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users