[Freeipa-users] rhel 5 client in a rhel 6 domain?

Armstrong, Kenneth Lawrence klarmstrong2 at liberty.edu
Wed Jul 24 14:09:01 UTC 2013


On Wed, 2013-07-24 at 09:37 -0400, Rob Crittenden wrote:


Armstrong, Kenneth Lawrence wrote:
> On Tue, 2013-07-23 at 17:13 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote:
>>> On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:
>>>> Armstrong, Kenneth Lawrence wrote:
>>>> > On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>>>> >> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>>> >>> Armstrong, Kenneth Lawrence wrote:
>>>> >>> > Hi all,
>>>> >>> >
>>>> >>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>>> >>> > and RHEL 4 clients as well, so I was going to test that out.
>>>> >>> >
>>>> >>> > However, I can not get a RHEL 5.9 client to join the domain.
>>>> >>> >
>>>> >>> > [root at r5-idmclient ~]# ipa-client-install
>>>> >>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>>> >>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>>> >>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>> >>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>>> >>> > This may mean that the remote server is not up or is not reachable
>>>> >>> > due to network or firewall settings.
>>>> >>> > Installation failed. Rolling back changes.
>>>> >>> > IPA client is not configured on this system.
>>>> >>> >
>>>> >>> >
>>>> >>> > Digging a little bit and I see that the ipa-client is an older version:
>>>> >>> >
>>>> >>> > ipa-client-2.1.3-5.el5_9.2
>>>> >>> >
>>>> >>> > Doing a yum update/upgrade doesn't show a newer version.
>>>> >>> >
>>>> >>> > I was considering a manual installation, but the ipa-admintools don't
>>>> >>> > appear to be available for RHEL 5.9?
>>>> >>> >
>>>> >>> > Is there a way to make this work?
>>>> >>>
>>>> >>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>>> >>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>>> >>> 3.x server.
>>>> >>>
>>>> >>> Otherwise we probably need more context from
>>>> >>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>> >>>
>>>> >>> rob
>>>> >>>
>>>> >>
>>>> >> Thanks for the tip.  I tried it again, and it still failed.  End of
>>>> >> the log:
>>>> >>
>>>> >> [root at r5-idmclient ~]# tail -20
>>>> >> /var/log/ipaclient-install.log
>>>> >>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>>> >>
>>>> >>
>>>> >> 2013-07-22 13:45:36,982 DEBUG args=kinit admin at LNXREALMTEST.LIBERTY.EDU
>>>> >> 2013-07-22 13:45:36,983 DEBUG stdout=Password for admin at LNXREALMTEST.LIBERTY.EDU:
>>>> >>
>>>> >> 2013-07-22 13:45:36,983 DEBUG stderr=
>>>> >> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>>>> >> ldap://lnxrealmtest01.liberty.edu
>>>> >> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>>> >>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>>> >>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>>> >>
>>>> >> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>>>> >> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>>>> >> 2013-07-22 13:45:37,345 DEBUG stdout=
>>>> >> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>>>> >> HTTP POST transaction.  SSL certificate problem, verify that the CA
>>>> >> cert is OK. Details:
>>>> >> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>> >> verify failed
>>>> >>
>>>> >> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>>>> >> 2013-07-22 13:45:37,491 DEBUG stdout=
>>>> >> 2013-07-22 13:45:37,491 DEBUG stderr=
>>>> >> _______________________________________________
>>>> >> Freeipa-users mailing list
>>>> >> Freeipa-users at redhat.com
>>>> >>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> >
>>>> > I just stood up a brand new RHEL 6 client, and it works just fine, so
>>>> > there is something amiss with RHEL 5 on this.  The time on the RHEL 5
>>>> > client and the RHEL 6 IdM server is the same, and the cert is valid, so
>>>> > I don't know why the RHEL 5 system does not like the cert.  Could it be
>>>> > something with the versions of packages installed on it?
>>>> >
>>>> > libipa_hbac-1.5.1-58.el5
>>>> > ipa-client-2.1.3-5.el5_9.2
>>>> > curl-7.15.5-17.el5_9
>>>> > openssl-0.9.8e-26.el5_9.1
>>>>
>>>> I have the feeling that OpenSSL doesn't like your CA certificate for
>>>> some reason.
>>>>
>>>> Can you try this:
>>>>
>>>> # openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
>>>> /etc/ipa/ca.crt
>>>>
>>>> Adding the -debug flag will add even more output.
>>>>
>>>> rob
>>>
>>> [klarmstrong2 at r6-idmclient ~]$
>>> sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443
>>> -CAfile /etc/ipa/ca.crt
>>> [sudo] password for klarmstrong2:
>>> CONNECTED(00000003)
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=20:unable to get local issuer certificate
>>> verify return:1
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=27:certificate not trusted
>>> verify return:1
>>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>>> verify error:num=21:unable to verify the first certificate
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>>    i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>> 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> ...
>>> -----END CERTIFICATE-----
>>> subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>> issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2629 bytes and written 462 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1
>>>     Cipher    : AES256-SHA
>>>     Session-ID:
>>> 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
>>>     Session-ID-ctx:
>>>     Master-Key: ...
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1374585629
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 21 (unable to verify the first certificate)
>>>
>>>
>>> So it doesn't like it, yet I can still add a RHEL 6 client?  Is there
>>> more stringent checking with the version of OpenSSL in RHEL 5?
>>>
>>> -Kenny
>>
>> OK, I am having trouble making sense of this.
>>
>> First, I checked the CA cert chain that I downloaded from our PKI
>> server to see if it's cool:
>>
>> [root at lnxrealmtest01 ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598158
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> ^C
>> [root at lnxrealmtest01 ~]# ls
>> anaconda-ks.cfg  ca-agent.p12  CACert.cer  cacert.p12  CACert.p7b
>> install.log  install.log.syslog  ipa.cer  ipa.csr
>> [root at lnxrealmtest01 ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598365
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> Next, I check the cert that was issued by our local CA:
>>
>>
>> [root at lnxrealmtest01 ~]# openssl s_client
>> -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
>> CONNECTED(00000003)
>> depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
>> Inc.", CN = GTE CyberTrust Global Root
>> verify return:1
>> depth=1 DC = edu, DC = liberty, CN = LUPKI01
>> verify return:1
>> depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
>> Microsoft Team, CN = lupki01.liberty.edu
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> 1 s:/DC=edu/DC=liberty/CN=LUPKI01
>>    i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
>> CyberTrust Global Root
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
>> Team/CN=lupki01.liberty.edu
>> issuer=/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2990 bytes and written 438 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES128-SHA
>>     Session-ID:
>> 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598365
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> So all that looks good, but I check the certificate against the IPA
>> server, and it fails:
>>
>>
>>
>>
>> [root at lnxrealmtest01 ~]# openssl s_client
>> -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer
>> CONNECTED(00000003)
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>>    i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>> 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>    i:/DC=edu/DC=liberty/CN=LUPKI01
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> ...
>> -----END CERTIFICATE-----
>> subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
>> issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2629 bytes and written 462 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : AES256-SHA
>>     Session-ID:
>> 0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D
>>     Session-ID-ctx:
>>     Master-Key: ...
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1374598420
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>>
>>
>> So I get it that it would fail against the IPA server, since it didn't
>> issue it.  But what I don't understand is that if the certificate is
>> inherently ok, then why does it fail when I try to install the RHEL 5
>> client?
>>
>>
>> -Kenny
>
> I think that there is still something funky with the way RHEL 5 works
> with the SSL cert for IPA.
>
> I tried the client install again, using the exact CA certificate that I
> used when setting up the original IdM server, and tried to force the
> installation:
>
> [root at r5-idmclient ~]# ipa-client-install
> --domain linuxrealm.liberty.edu --ca-cert-file=/root/CACert.cer --force
> DNS discovery failed to find the IPA Server
> Provide your IPA server name (ex: ipa.example.com):
> lnxrealmtest01.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Force set so not rolling back changes.
>
> It still looks like it tries to verify anyway, which of course fails.
>
> -Kenny

--force doesn't cause it to skip SSL verification.

Comparing RHEL 5 to 6 is comparing apples to oranges since they use
different crypto libraries (OpenSSL vs NSS). It is an interesting data
point though.

Had you been using an older version of OpenSSL I would have suspected
that was the problem, but since you're using the latest I'm not sure
what the issue is.

Can you verify that the full chain is being sent? openssl s_client
-showcerts

Is your IPA CA certificate signed by another authority (e.g. an external
CA installation)?

rob


Thanks Rob.

I tried the command again, and I'm showing that it is not getting the whole chain.  I had the cert signed by our internal CA, which has GTE upstream from that one.

-Kenny