[Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

Tim Hughes thughes at thegoldfish.org
Tue Nov 6 18:39:41 UTC 2012


Thanks guys. I will try and have a go tomorrow and let you know how it
goes.

Regards

Tim
On 6 Nov 2012 18:20, "Dmitri Pal" <dpal at redhat.com> wrote:

> On 11/06/2012 11:58 AM, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> On 11/06/2012 08:07 AM, Rob Crittenden wrote:
> >>> Tim Hughes wrote:
> >>>>
> >>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
> >>>> ipa-server-2.2.0-16.el6.x86_64 with the following command
> >>>>
> >>>>
> >>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue
> >>>> --with-compat --base-dn=dc=custsvc,dc=mycompany
> >>>> --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany
> >>>> --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
> >>>>
> >>>>
> >>>> I get the following response.
> >>>>
> >>>>
> >>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> >>>> ipa: DEBUG: cert valid True for
> >>>> "CN=ipa-server.internal,O=CO.MYCOMPANY"
> >>>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
> >>>> ipa: DEBUG: Caught fault 4203 from server
> >>>> http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS
> >>>> error
> >>>> -8172:Peer's certificate issuer has been marked as not trusted by the
> >>>> user.
> >>>> ipa: DEBUG: Destroyed connection context.xmlclient
> >>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's
> >>>> certificate issuer has been marked as not trusted by the user.
> >>>>
> >>>>
> >>>> I am trying to work out which certificate is not trusted and how I
> >>>> should make it trusted. Any help would be appreciated.
> >>>
> >>> I suspect you're going to need to add the CA that issued your LDAP
> >>> server certificate to the IPA Apache NSS certificate database (where
> >>> our admin framework runs).
> >>>
> >>> You'd add it something like this:
> >>>
> >>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a <
> >>> /path/to/ca.crt
> >>>
> >>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special
> >>> about this, it just needs to be unique. Use something meaningful to
> >>> you.
> >>>
> >>> Then restart the httpd service and try the migration again.
> >>>
> >>> I don't know if we've tested using ldaps, so if my suggestion works
> >>> can you let us know?
> >>
> >> IMO the migrate-ds command should have additional argument to point to
> >> the cert file to use for connection.
> >> Then the framework should get the cert and import it into the store
> >> itself.
> >>
> >> Rob, do you agree that this would be a valid RFE?
> >
> > Yup, certainly something that would make things easier.
> >
> > rob
> >
> https://fedorahosted.org/freeipa/ticket/3243
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>