Rob, I think you had me look at that already. This is the output from certutil on that:

[root@ ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,

Dmitri,

This is the same issue I've been having for a while; other things were wrong before, but all of them stemmed from putting in the GoDaddy signed cert.

Thanks,
_____________________________________________________
John Moyer
Director, IT Operations

On Jun 10, 2013, at 2:30 PM, Dmitri Pal <d...@redhat.com> wrote:

> On 06/10/2013 02:17 PM, John Moyer wrote:
>> I don't know if this helps, but this is the log I'm getting from the IPA
>> server's apache error log.
>>
>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not
>> recognize and trust the CA that issued your certificate
>
> Is this the same issue we are discussing on the devel list?
> The intermediate CA case?
>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>>
>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:
>>
>>> Rob,
>>>
>>> Sorry for the late response; I tried the following:
>>>
>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>> certutil: certificate is valid
>>>
>>> After this I tried to add a machine and got the same error:
>>>
>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>> Hostname: server.example.com
>>> Realm: EXAMPLE.COM
>>> DNS Domain: example.com
>>> IPA Server: server.example.com
>>> BaseDN: dc=example,dc=com
>>>
>>> Synchronizing time with KDC...
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.
>>> Peer certificate cannot be authenticated with known CA certificates
>>>
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> Any additional suggestions?
>>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>> Director, IT Operations
>>>
>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>>> John Moyer wrote:
>>>>> Rob,
>>>>>
>>>>> MyIPA I believe was installed by IPA. I did everything you suggested;
>>>>> the below is what it looks like now.
>>>>>
>>>>> --------
>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>
>>>>> Certificate Nickname                                         Trust Attributes
>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>
>>>>> MyIPA                                                        u,u,u
>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>> ----------
>>>>>
>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>
>>>>> /etc/init.d/dirsrv restart
>>>>> Shutting down dirsrv:
>>>>>     EXAMPLE-COM...                                      [  OK  ]
>>>>>     PKI-IPA...                                          [  OK  ]
>>>>> Starting dirsrv:
>>>>>     EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>                                                         [  OK  ]
>>>>>     PKI-IPA...                                          [  OK  ]
>>>>
>>>> You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as
>>>> well.
>>>>
>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>
>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>>
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>>
>>>> The client installer downloads the CA cert from LDAP, so make sure you
>>>> have the GoDaddy CA in LDAP.
>>>>
>>>> rob
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
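The recurring point in this thread is that the issuing chain (the GoDaddy intermediate and its root) must carry the `C` trust flag in the SSL slot in every NSS database that holds the server certificate, not only `/etc/httpd/alias` but the `slapd-EXAMPLE-COM` database as well, otherwise dirsrv reports NSS error -8172 on restart. The following script is an added example, not code from the thread or from FreeIPA: it parses `certutil -L` listings for several databases, reports each CA in the chain that is missing or not SSL-trusted, and prints the `certutil -M ... -t CT,,` command from the thread for each one. The two listings are constructed samples modelled on the output quoted above (the dirsrv one deliberately has the intermediate imported without trust flags), and the database paths are assumptions mirroring the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the healthy /etc/httpd/alias listing
# quoted in the thread.
HTTPD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MyIPA                                                        u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

# Constructed sample of a dirsrv database where the intermediate was
# imported but never marked trusted: the state that yields error -8172.
DIRSRV_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
"""

# Issuer chain of the server certificate, leaf's issuer first
# (nicknames as they appear in the thread).
GODADDY_CHAIN = [
    "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.",
    "Go Daddy Class 2 Certification Authority - ValiCert, Inc.",
]

# An NSS trust string is three comma-separated slots (SSL, S/MIME,
# JAR/XPI), each an optionally empty set of flag letters.
TRUST_RE = re.compile(r"^[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string from `certutil -L` output."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header lines end in "Attributes" or are the single token
        # "SSL,S/MIME,JAR/XPI"; neither passes this test.
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].strip()] = parts[1]
    return certs


def ssl_trusted_ca(trust: str) -> bool:
    """True when the SSL slot carries C (trusted to issue server certs)."""
    return "C" in trust.split(",")[0]


def chain_problems(certs: Dict[str, str], chain: List[str]) -> List[Tuple[str, str]]:
    """Return (nickname, reason) for every CA in `chain` that is absent or
    not SSL-trusted in the parsed database."""
    problems = []
    for nick in chain:
        if nick not in certs:
            problems.append((nick, "missing"))
        elif not ssl_trusted_ca(certs[nick]):
            problems.append((nick, f"not SSL-trusted ({certs[nick]})"))
    return problems


def audit(databases: Dict[str, str], chain: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Run chain_problems over several databases (path -> listing text)."""
    return {db: chain_problems(parse_certutil_listing(text), chain)
            for db, text in databases.items()}


def fix_command(db: str, nick: str) -> str:
    """The certutil -M invocation used in the thread to set CT,, on a CA."""
    return f'certutil -M -d {db} -n "{nick}" -t CT,,'


if __name__ == "__main__":
    # Assumed paths for the two databases discussed in the thread.
    report = audit({"/etc/httpd/alias": HTTPD_LISTING,
                    "/etc/dirsrv/slapd-EXAMPLE-COM": DIRSRV_LISTING},
                   GODADDY_CHAIN)
    for db, problems in report.items():
        print(f"{db}: {'chain trusted' if not problems else 'PROBLEMS'}")
        for nick, reason in problems:
            print(f"  {reason}: {nick}")
            # A missing CA needs an import (certutil -A) first; either way
            # the trust flags must end up as CT,, for the chain to verify.
            print(f"  fix: {fix_command(db, nick)}")
```

On a live server one would feed `certutil -d <db> -L` output into `parse_certutil_listing` for each database, then re-run `certutil -V -u V -d <db> -n <server nickname>` as the thread does to confirm the chain verifies after the flags are applied.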