Rob,

Do you mean doing this? If not let me know.

[root@pki]# ls -la
total 32
drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
drwxr-xr-x  2 root root 4096 Jul 11  2012 java
lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
drwx------  2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls

After I did that I tried to enroll this system and got the same error.

The cert that is in /etc/ipa/ca.crt is the same as the one that is on the server, which is the CA cert gotten from GoDaddy. You also had me change this into a DER version of the cert (using openssl) and jam that into the Directory Server.

Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com

On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Moyer wrote:
>> Rob,
>>
>> I think you had me look at that already. This is the output from
>> certutil on that:
>>
>> [root@ ~]# certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> MyIPA                                                        u,u,u
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>
> What certificate does the client have in /etc/ipa/ca.crt? Is it either one of
> these?
>
> Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to
> enrollment?
>
> rob
>
>> Dmitri,
>>
>> This is the same issue I've been having for a while; other things were
>> wrong before, but all of them stemmed from putting in the GoDaddy signed cert.
>>
>> Thanks,
>> _____________________________________________________
>> John Moyer
>> Director, IT Operations
>>
>> On Jun 10, 2013, at 2:30 PM, Dmitri Pal <d...@redhat.com> wrote:
>>
>>> On 06/10/2013 02:17 PM, John Moyer wrote:
>>>> I don't know if this helps, but this is the log I'm getting from the IPA
>>>> server's apache error log.
>>>>
>>>> [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not
>>>> recognize and trust the CA that issued your certificate
>>>
>>> Is this the same issue we are discussing on the devel list?
>>> The intermediate CA case?
>>>
>>>> Thanks,
>>>> _____________________________________________________
>>>> John Moyer
>>>> Director, IT Operations
>>>>
>>>> On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:
>>>>
>>>>> Rob,
>>>>>
>>>>> Sorry for the late response. I tried the following:
>>>>>
>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,,
>>>>> [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authority - The Go Daddy Group, Inc." -t CT,,
>>>>> [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
>>>>> certutil: certificate is valid
>>>>>
>>>>> After this I tried to add a machine and got the same error:
>>>>>
>>>>> [root@~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>> Hostname: server.example.com
>>>>> Realm: EXAMPLE.COM
>>>>> DNS Domain: example.com
>>>>> IPA Server: server.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>>
>>>>> Synchronizing time with KDC...
>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>
>>>>> Installation failed. Rolling back changes.
>>>>> IPA client is not configured on this system.
>>>>>
>>>>> Any additional suggestions?
>>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> Director, IT Operations
>>>>>
>>>>> On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>
>>>>>> John Moyer wrote:
>>>>>>> Rob,
>>>>>>>
>>>>>>> MyIPA I believe was installed by IPA. I did everything you
>>>>>>> suggested; the below is what it looks like now.
>>>>>>>
>>>>>>> --------
>>>>>>> certutil -d /etc/httpd/alias -L -h internal
>>>>>>>
>>>>>>> Certificate Nickname                                         Trust Attributes
>>>>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>>>>
>>>>>>> MyIPA                                                        u,u,u
>>>>>>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
>>>>>>> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    CT,,
>>>>>>> ----------
>>>>>>>
>>>>>>> I'm still getting the following when I try to restart the dirsrv:
>>>>>>>
>>>>>>> /etc/init.d/dirsrv restart
>>>>>>> Shutting down dirsrv:
>>>>>>>     EXAMPLE-COM...                                         [  OK  ]
>>>>>>>     PKI-IPA...                                             [  OK  ]
>>>>>>> Starting dirsrv:
>>>>>>>     EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)
>>>>>>>                                                            [  OK  ]
>>>>>>>     PKI-IPA...                                             [  OK  ]
>>>>>>
>>>>>> You need to apply these trust changes to /etc/dirsrv/slapd-EXAMPLE-COM as
>>>>>> well.
>>>>>>
>>>>>>> I'm also getting the following when I try to add a server to IPA:
>>>>>>>
>>>>>>> ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U
>>>>>>> Hostname: ip-10-133-38-119.ec2.internal
>>>>>>> Realm: EXAMPLE.COM
>>>>>>> DNS Domain: example.com
>>>>>>> IPA Server: server.example.com
>>>>>>> BaseDN: dc=example,dc=com
>>>>>>>
>>>>>>> Synchronizing time with KDC...
>>>>>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
>>>>>>>
>>>>>>> Installation failed. Rolling back changes.
>>>>>>> IPA client is not configured on this system.
>>>>>>
>>>>>> The client installer downloads the CA cert from LDAP, so make sure you
>>>>>> have the GoDaddy CA in LDAP.
>>>>>>
>>>>>> rob
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
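Added example, not part of this thread and not FreeIPA or 389-ds code: the "intermediate CA case" Dmitri and Rob are pointing at, reproduced with a throwaway three-tier chain (root CA, intermediate CA, server cert) built locally with openssl. It assumes openssl is on PATH; the CA names "Example Root CA" and "Example Intermediate CA" are made up, and server.example.com is borrowed from the thread. The four modes show which combination of trust anchor and presented chain verifies: a client that trusts only the root fails when the server does not send the intermediate (the client-side "Peer certificate cannot be authenticated with known CA certificates" situation), succeeds when the intermediate is sent alongside the leaf, fails when its only anchor is the non-self-signed intermediate, and succeeds again when that intermediate is explicitly treated as an anchor (`-partial_chain`, roughly what marking the intermediate `CT,,` with `certutil -M` does in an NSS database).

```sh
#!/bin/sh
# Added example (not from the thread). Builds root -> intermediate -> server
# under $1 and checks which trust-store / chain combinations openssl accepts.
# Requires openssl on PATH. All subject names are constructed for this demo.

# build_pki DIR: create keys, CSRs and certs for the three tiers in DIR.
build_pki() {
    dir=$1
    # Extension profiles for the two CA tiers and for the leaf (constructed).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.example.com\n' >"$dir/leaf.ext"

    for name in root int server; do
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    done
    openssl req -new -key "$dir/root.key"   -subj "/CN=Example Root CA"         -out "$dir/root.csr"   2>/dev/null
    openssl req -new -key "$dir/int.key"    -subj "/CN=Example Intermediate CA" -out "$dir/int.csr"    2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=server.example.com"      -out "$dir/server.csr" 2>/dev/null

    # Root: self-signed, CA:TRUE.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate: issued by the root, also CA:TRUE.
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    # Server leaf: issued by the intermediate, CA:FALSE.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/server.pem" 2>/dev/null
}

# verify_chain DIR MODE: exit 0 if openssl accepts server.pem under MODE.
# -no-CApath keeps the system trust directory out of the picture so the
# anchor is exactly the file named with -CAfile.
#   anchor_only          trust root only; server presents just its own cert
#   full_chain           trust root only; server also presents the intermediate
#   intermediate_only    trust the intermediate only (not self-signed) -> fails
#   intermediate_trusted same, but the intermediate is accepted as an anchor
verify_chain() {
    dir=$1
    case $2 in
        anchor_only)
            openssl verify -no-CApath -CAfile "$dir/root.pem" "$dir/server.pem" ;;
        full_chain)
            openssl verify -no-CApath -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" "$dir/server.pem" ;;
        intermediate_only)
            openssl verify -no-CApath -CAfile "$dir/int.pem" "$dir/server.pem" ;;
        intermediate_trusted)
            openssl verify -no-CApath -partial_chain -CAfile "$dir/int.pem" "$dir/server.pem" ;;
        *)
            echo "unknown mode: $2" >&2; return 2 ;;
    esac
}

# report DIR MODE: print a one-line verdict without aborting the script.
report() {
    if verify_chain "$1" "$2" >/dev/null 2>&1; then
        echo "$2: verified"
    else
        echo "$2: NOT verified"
    fi
}

WORK=$(mktemp -d)
build_pki "$WORK"
for mode in anchor_only full_chain intermediate_only intermediate_trusted; do
    report "$WORK" "$mode"
done
rm -rf "$WORK"
```

Run as `sh chain-demo.sh`; only full_chain and intermediate_trusted should report "verified". Mapping back to the thread: the file the client ends up with in /etc/ipa/ca.crt is the anchor, and Rob's point that ipa-client-install fetches that anchor from LDAP is why the Directory Server copy has to be the right certificate; if the anchor is a root, the server side has to send the intermediate, and if the anchor is the intermediate itself, the client's NSS database has to treat it as trusted, which is what the `CT,,` flags express.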