John Moyer wrote:
Rob,
Do you mean doing this? If not let me know.
[root@pki]# ls -la
total 32
drwxr-xr-x 8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x 6 root root 4096 Mar 4 22:22 CA
drwxr-xr-x 2 root root 4096 Jul 11 2012 java
lrwxrwxrwx 1 root root 24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x 2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x 2 root root 4096 Mar 21 15:19 rpm-gpg
drwx------ 2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x 5 root root 4096 Mar 21 15:18 tls
No, you need to link the shared library into the nssdb directory. nssdb
should contain 3 db files, cert8, key3 and secmod. This is the common
NSS db that the client uses.
After I did that I tried to enroll this system and got the same error.
The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the
server which is the CA Cert gotten from godaddy. You also had me change this
into a der version of the Cert (using openssl) and jam that into the Directory
server.
Right but which one, there are two.
rob
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com
On Jun 10, 2013, at 4:19 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
John Moyer wrote:
Rob,
I think you had me look at that already. This is the output from
certutil on that:
[root@ ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
MyIPA u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
What certificate does the client have in /etc/ipa/ca.crt? Is it either one of
these?
Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to
enrollment?
rob
Dmitri,
This is the same issue I've been having for a while, other things were
wrong before all of them stemmed from putting in the Godaddy signed cert.
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 2:30 PM, Dmitri Pal <d...@redhat.com> wrote:
On 06/10/2013 02:17 PM, John Moyer wrote:
I don't know if this helps, but this is the log I'm getting from the IPA
server's apache error log.
[Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not
recognize and trust the CA that issued your certificate
Is this the same issue we are discussing on the devel list?
The intermediate CA case?
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On Jun 10, 2013, at 9:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:
Rob,
Sorry for the late response I tried the following
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2
Certification Authority - ValiCert, Inc." -t CT,,
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure
Certification Authority - The Go Daddy Group, Inc." -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid
After this I tried to add a machine and got the same error:
[root@~]# ipa-client-install --domain=example.com --server=server.example.com
--realm=EXAMPLE.COM -p builduser -w "BLAH" -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Any additional suggestions?
Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
John Moyer wrote:
Rob,
MyIPA I believe was installed by IPA. I did everything you suggested,
the below is what it looks like now.
--------
certutil -d /etc/httpd/alias -L -h internal
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
MyIPA u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc. CT,,
----------
I'm still getting the following when I try to restart the dirsrv:
/etc/init.d/dirsrv restart
Shutting down dirsrv:
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
Starting dirsrv:
EXAMPLE-COM...[29/May/2013:16:46:47 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's
certificate issuer has been marked as not trusted by the user.)
[ OK ]
PKI-IPA... [ OK ]
You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
I'm also getting the following when I try to add a server to IPA:
ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM
-p builduser -w "BLAH" -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.
Peer certificate cannot be authenticated with known CA certificates
Installation failed. Rolling back changes.
IPA client is not configured on this system.
The client installer downloads the CA cert from LDAP, so make sure you have the
GoDaddy CA in LDAP.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
