[Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

Rob Crittenden rcritten at redhat.com
Tue Nov 6 13:07:38 UTC 2012


Tim Hughes wrote:
>
> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
> ipa-server-2.2.0-16.el6.x86_64 with the following command
>
>
> ipa migrate-ds ldaps://fedora-ds-server.internal --continue
> --with-compat --base-dn=dc=custsvc,dc=mycompany
> --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
> --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>
>
> I get the following response.
>
>
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for "CN=ipa-server.internal,O=CO.MYCOMPANY"
> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
> ipa: DEBUG: Caught fault 4203 from server
> http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error
> -8172:Peer's certificate issuer has been marked as not trusted by the user.
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
> certificate issuer has been marked as not trusted by the user.
>
>
> I am trying to work out which certificate is not trusted and how I
> should make it trusted. Any help would be appreciated.

I suspect you're going to need to add the CA that issued your LDAP 
server certificate to the IPA Apache NSS certificate database (where our 
admin framework runs).

You'd add it something like this:

# certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a < /path/to/ca.crt

The -n 'LDAP CA' adds a nickname to the CA. There is nothing special 
about this, it just needs to be unique. Use something meaningful to you.

Then restart the httpd service and try the migration again.

I don't know if we've tested using ldaps, so if my suggestion works can 
you let us know?

rob
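As an added example (not code from the thread or from the FreeIPA project), a small shell check of the state Rob's reply is about: whether the nickname under which the LDAP server's issuing CA sits in the httpd NSS database actually carries the SSL trust flag "C", without which the framework still reports TLS error -8172. The certutil listing is constructed sample output, and the nicknames and the -M remediation line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: check whether a
# CA nickname in an NSS database carries the SSL trust flag "C" that the IPA
# framework needs to accept an ldaps:// server certificate issued by that CA.
# Nicknames below are assumptions; the listing is constructed sample output
# in the format of `certutil -L -d /etc/httpd/alias`.
SAMPLE_CERTUTIL_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CO.MYCOMPANY IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
LDAP CA                                                      ,,'

# ca_trusted_for_ssl NICKNAME   (reads a certutil -L listing on stdin)
# Exit 0 only if NICKNAME is present and its SSL trust flags contain "C";
# "LDAP CA" above was imported without -t CT,C,C, so it fails this check
# and would still produce TLS error -8172.
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        # Only rows whose last field looks like "SSL,S/MIME,JAR" trust flags
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            line = $0
            sub(/[ \t]+$/, "", line)          # drop trailing whitespace
            sub(/[ \t]+[^ \t]+$/, "", line)   # drop the trust column
            if (line == nick) {
                found = 1
                split(flags, f, ",")
                ok = (f[1] ~ /C/)             # SSL column is the first one
                exit
            }
        }
        END { exit !(found && ok) }'
}

# check_ipa_nssdb NICKNAME [DBDIR]: same check against a real database
# (needs certutil; defaults to the httpd NSS database from the reply).
check_ipa_nssdb() {
    certutil -L -d "${2:-/etc/httpd/alias}" | ca_trusted_for_ssl "$1"
}

# Demonstration on the constructed listing.
if printf '%s\n' "$SAMPLE_CERTUTIL_LIST" | ca_trusted_for_ssl "LDAP CA"; then
    echo "LDAP CA is trusted to issue SSL server certs"
else
    echo "LDAP CA lacks the C flag; fix with:" \
         "certutil -M -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C"
fi
```

After adding or re-trusting the CA, restart httpd as the reply says; the check is only of the database, not of the running service.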
