John Moyer wrote:
Dmitri,

Here are the corresponding answers, thanks for the quick response.


1. ipa-client-3.0.0-26.el6_4.2.x86_64
2.
[root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

3.
2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com:

2013-05-23T17:45:16Z DEBUG stderr=
2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from ldap://server.example.com
2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are identical
2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b dc=example,dc=com
2013-05-23T17:45:16Z DEBUG stdout=
2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.

You need to put the Go Daddy CA cert into LDAP in cn=cacert,cn=ipa,cn=etc,dc=example,dc=com into the CAcertificate attribute. And in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt.

It looks like this isn't being done automatically by ipa-server-certinstall. I opened https://fedorahosted.org/freeipa/ticket/3641

A quick fix would be to try this on the client machine before trying enrollment:

# cd /etc/pki/nssdb/
# ln -s /usr/lib64/nss/libnssckbi.so .

(or lib if a 32-bit machine)

That will add the global bundle to the NSS database. Then re-try the enrollment, it may work.

rob
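A small consistency check for the three CA stores Rob names (the cn=cacert LDAP entry, /etc/ipa/ca.crt and the html copy), written as an added example for this thread and not code from FreeIPA or from either poster. It assumes the caller has already read the LDAP cACertificate values as DER bytes and the PEM bundle as text; the certificate bytes embedded below are constructed stand-ins so the script runs offline.

```python
"""Check that the CA certificates stored in the IPA LDAP entry
cn=cacert,cn=ipa,cn=etc,<base DN> (cACertificate, DER values) agree with a PEM
bundle such as /etc/ipa/ca.crt, and that a required external CA (the one that
issued the server's HTTPS certificate) is present in both, by comparing SHA-256
fingerprints. The certificate bytes below are constructed stand-ins, not X.509."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]

def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    """SHA-256 fingerprint as colon-separated uppercase hex (certutil/openssl style)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def compare_ca_stores(ldap_ders, bundle_pem, required_ders=()):
    """Report fingerprints present in one store but not the other, plus any
    required CA missing from either store (that is what makes ipa-join fail)."""
    in_ldap = {fingerprint(d) for d in ldap_ders}
    in_bundle = {fingerprint(d) for d in pem_to_ders(bundle_pem)}
    required = {fingerprint(d) for d in required_ders}
    return {
        "missing_from_bundle": sorted(in_ldap - in_bundle),
        "missing_from_ldap": sorted(in_bundle - in_ldap),
        "required_missing": sorted(required - (in_ldap & in_bundle)),
    }

# Constructed stand-ins for the IPA CA and the external CA that signed the server cert.
IPA_CA_DER = b"constructed-ipa-ca-certificate-bytes"
EXTERNAL_CA_DER = b"constructed-external-ca-certificate-bytes"

if __name__ == "__main__":
    # The thread's situation: LDAP and /etc/ipa/ca.crt agree, but neither has the external CA.
    report = compare_ca_stores([IPA_CA_DER], to_pem(IPA_CA_DER), [EXTERNAL_CA_DER])
    for key, fps in report.items():
        print(key, ", ".join(fps) or "none")
```

On a real client, the DER values come from an LDAP search of the cn=cacert entry and the bundle from /etc/ipa/ca.crt; a non-empty "required_missing" list is the condition that produces the "Peer certificate cannot be authenticated" error above.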

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users