[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
So I found this page and followed it. The http daemon works great (no longer complains about not being the cert for my URL). However, now I can't bind any more servers to my IPA server. The current servers enrolled before I did this work great (and I can log in using my IPA credentials). Howe

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread Dmitri Pal
On 05/23/2013 01:37 PM, John Moyer wrote: > So I found this page and followed it. The http daemon works great (no > longer complains about not being the cert for my URL). However, now I > can't bind any more servers to my IPA server. The current servers > enrolled before I did this work great (an

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
Dmitri, Here are the corresponding answers, thanks for the quick response. 1. ipa-client-3.0.0-26.el6_4.2.x86_64 2. [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U Hostname: client.example.com

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread Rob Crittenden
John Moyer wrote: Dmitri, Here are the corresponding answers, thanks for the quick response. 1. ipa-client-3.0.0-26.el6_4.2.x86_64 2. [root@ ~]# ipa-client-install --domain=digitalreasoning.com --server=ipa1.corp.digitalreasoning.com

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
Rob, I tried what you suggested on the client, and that did not work. I copied my cert over those two files you suggested; that was easy. However, is there a more manual way to change that LDAP setting you are talking about? The LDAP server is not letting me in because of the cert

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread Dmitri Pal
On 05/23/2013 05:10 PM, John Moyer wrote: > Rob, > > I tried what you suggested on the client, and that did not work. I > copied my cert over those two files you suggested; that was easy. However, is > there a more manual way to change that LDAP setting you are talking about? > The L

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread Martin Kosek
On 05/23/2013 07:37 PM, John Moyer wrote: > So I found this page and followed it. The http daemon works great (no longer > complains about not being the cert for my URL). However, now I can't bind > any more servers to my IPA server. The current servers enrolled before I did > this work great (an

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread John Moyer
So unfortunately a rebuild would be less than optimal for me, lots of servers and users. So I've tried Dmitri's idea of ldapi and I got the access to LDAP now, however I may be going about this entire thing wrong. I created an LDIF file that looks like this: dn: cn=cacert,cn=ipa,cn=etc,dc=e

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread Rob Crittenden
John Moyer wrote: So unfortunately a rebuild would be less than optimal for me, lots of servers and users. So I've tried Dmitri's idea of ldapi and I got the access to LDAP now, however I may be going about this entire thing wrong. I created an LDIF file that looks like this: dn: cn=cacert

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread John Moyer
So I did that, and it executed perfectly (went back and checked that it did indeed replace the value as expected). I got on the machine I was trying to add and got this: [root@ ~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p builduser -w "BLAH" -U

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread Rob Crittenden
John Moyer wrote: So I did that, and it executed perfectly (went back and checked that it did indeed replace the value as expected). I got on the machine I was trying to add and got this: [root@ ~]# ipa-client-install --domain=example.com --server=server.example.com --realm=EXAMPLE.COM -p bui

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-28 Thread John Moyer
Yea I replaced both certs, however, in my troubleshooting I've found more I'll say symptoms or potential problems, which may stem from this or be independent from it. 1. Showing this error message on restarting the service: EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: CERT_Ver

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Petr Spacek
On 29.5.2013 07:42, John Moyer wrote: Yea I replaced both certs, however, in my troubleshooting I've found more I'll say symptoms or potential problems, which may stem from this or be independent from it. 1. Showing this error message on restarting the service: EXAMPLE-COM...[29/May/2013:

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Dennis
On 05/29/2013 01:42 AM, John Moyer wrote: Yea I replaced both certs, however, in my troubleshooting I've found more I'll say symptoms or potential problems, which may stem from this or be independent from it. 1. Showing this error message on restarting the service: EXAMPLE-COM...[29/May/2013:05:

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Petr, I changed both the host file (actually did that before emailing) and now I have changed the DNS manually in LDAP. I restart ipa and it still fails on DNS startup. It says the following (after I manually start everything else) May 29 13:16:15 ip- named[9076]: set up managed k

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
John, I see the following when I ran that first command. sudo certutil -d /etc/httpd/alias -L -h internal Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Go Daddy Secure Certif

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Petr Spacek
On 29.5.2013 15:50, John Moyer wrote: I changed both the host file (actually did that before emailing) and now I have changed the DNS manually in LDAP. I restart ipa and it still fails on DNS startup. It says the following (after I manually start everything else) May 29 13:16:15 ip-

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Petr, Oh thanks for that webpage! So now named starts, it was because my hostname was ip-10.x.x.x I then tried to change it to ip-10.x.x.x.ec2.internal (standard fqdn for AWS). Then I remembered that during setup I had to change it to ipa.example.com. Once I did that it started!

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Dennis
On 05/29/2013 09:55 AM, John Moyer wrote: John, I see the following when I ran that first command. sudo certutil -d /etc/httpd/alias -L -h internal Certificate Nickname Trust Attributes

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Rob Crittenden
John Moyer wrote: John, I see the following when I ran that first command. sudo certutil -d /etc/httpd/alias -L -h internal Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Go

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Rob, MyIPA I believe was installed by IPA. I did everything you suggested, the below is what it looks like now. certutil -d /etc/httpd/alias -L -h internal Certificate Nickname Trust Attributes

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Rob Crittenden
John Moyer wrote: Rob, MyIPA I believe was installed by IPA. I did everything you suggested, the below is what it looks like now. certutil -d /etc/httpd/alias -L -h internal Certificate Nickname Trust Attributes

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, Sorry for the late response I tried the following [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Class 2 Certification Authority - ValiCert, Inc." -t CT,, [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "Go Daddy Secure Certification Authorit

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log. [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate Thanks, _

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Rob Crittenden
John Moyer wrote: I don't know if this helps, but this is the log I'm getting from the IPA server's apache error log. [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate Apache has its own certificate database in

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Dmitri Pal
On 06/10/2013 02:17 PM, John Moyer wrote: > I don't know if this helps, but this is the log I'm getting from the IPA > server's apache error log. > > [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not > recognize and trust the CA that issued your certificate Is this the s

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, I think you had me look at that already. This is the output from certutil on that: [root@ ~]# certutil -d /etc/httpd/alias -L Certificate Nickname Trust Attributes SSL,S/MIME,JA

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Rob Crittenden
John Moyer wrote: Rob, I think you had me look at that already. This is the output from certutil on that: [root@ ~]# certutil -d /etc/httpd/alias -L Certificate Nickname Trust Attributes

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, Do you mean doing this? If not let me know. [root@pki]# ls -la total 32 drwxr-xr-x 8 root root 4096 Jun 10 20:23 . drwxr-xr-x 90 root root 4096 Jun 10 18:05 .. drwxr-xr-x 6 root root 4096 Mar 4 22:22 CA drwxr-xr-x 2 root root 4096 Jul 11 2012 java lrwxrwxrwx 1 root root 24

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread Rob Crittenden
John Moyer wrote: Rob, Do you mean doing this? If not let me know. [root@pki]# ls -la total 32 drwxr-xr-x 8 root root 4096 Jun 10 20:23 . drwxr-xr-x 90 root root 4096 Jun 10 18:05 .. drwxr-xr-x 6 root root 4096 Mar 4 22:22 CA drwxr-xr-x 2 root root 4096 Jul 11 2012 java lrwxrwxrwx

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Dennis
On 06/10/2013 04:32 PM, John Moyer wrote: > Do you mean doing this? If not let me know. I'm afraid much of what has been done so far amounts to flailing about. The information needed to resolve the problem is contained in your cert. I'm pretty sure I asked for this information previously w

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Dennis
On 06/10/2013 04:50 PM, John Dennis wrote: > Either dump the text form of your CA cert and send it along or send us > the cert in PEM format and we'll open it up. Actually in hindsight send us all the Godaddy certs in PEM format only, the tools need to read PEM format. Text format would be int

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-11 Thread John Moyer
So this is what I did and how it went afterwards: [root@nssdb]# ln -s /usr/lib64/libnssckbi.so libnssckbi.so [root@nssdb]# ls -la total 132 drwxr-xr-x 2 root root 4096 Jun 11 13:50 . drwxr-xr-x 8 root root 4096 Jun 11 13:50 .. -rw-r--r-- 1 root root 65536 Jan 12 2010 cert8.db -rw-r--r-- 1 root