[Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

Rob Crittenden rcritten at redhat.com
Tue Nov 6 16:58:01 UTC 2012 

Dmitri Pal wrote:
> On 11/06/2012 08:07 AM, Rob Crittenden wrote:
>> Tim Hughes wrote:
>>>
>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
>>> ipa-server-2.2.0-16.el6.x86_64 with the following command
>>>
>>>
>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue
>>> --with-compat --base-dn=dc=custsvc,dc=mycompany
>>> --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
>>> --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>>>
>>>
>>> I get the following response.
>>>
>>>
>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> ipa: DEBUG: cert valid True for "CN=ipa-server.internal,O=CO.MYCOMPANY"
>>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
>>> <http://192.168.10.6:443>
>>> ipa: DEBUG: Caught fault 4203 from server
>>> http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error
>>> -8172:Peer's certificate issuer has been marked as not trusted by the
>>> user.
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
>>> certificate issuer has been marked as not trusted by the user.
>>>
>>>
>>> I am trying to work out which certificate is not trusted and how I
>>> should make it trusted. Any help would be appreciated.
>>
>> I suspect you're going to need to add the CA that issued your LDAP
>> server certificate to the IPA Apache NSS certificate database (where
>> our admin framework runs).
>>
>> You'd add it something like this:
>>
>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a <
>> /path/to/ca.crt
>>
>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
>> about this, it just needs to be unique. Use something meaningful to you.
>>
>> Then restart the httpd service and try the migration again.
>>
>> I don't know if we've tested using ldaps, so if my suggestion works
>> can you let us know?
>
> IMO the migrate-ds command should have additional argument to point to
> the cert file to use for connection.
> Then the framework should get the cert and import it into the store itself.
>
> Rob, do you agree that this would be a valid RFE?

Yup, certainly something that would make things easier.

rob

More information about the Freeipa-users mailing list