<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> </head> <body> On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote: <blockquote type="CITE">On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote: <blockquote type="CITE"> <pre> Armstrong, Kenneth Lawrence wrote: > On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote: >> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote: >>> Armstrong, Kenneth Lawrence wrote: >>> > Hi all, >>> > >>> > I have a RHEL 6 IdM test domain set up. In production, we have RHEL 5 >>> > and RHEL 4 clients as well, so I was going to test that out. >>> > >>> > However, I can not get a RHEL 5.9 client to join the domain. >>> > >>> > [root@r5-idmclient <<a href="mailto:root@r5-idmclient">mailto:root@r5-idmclient</a>> ~]# ipa-client-install >>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu >>> > root : ERROR LDAP Error: Connect error: error:14090086:SSL >>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server. >>> > This may mean that the remote server is not up or is not reachable >>> > due to network or firewall settings. >>> > Installation failed. Rolling back changes. >>> > IPA client is not configured on this system. >>> > >>> > >>> > Digging a little bit and I see that the ipa-client is an older version: >>> > >>> > ipa-client-2.1.3-5.el5_9.2 >>> > >>> > Doing a yum update/upgrade doesn't show a newer version. >>> > >>> > I was considering a manual installation, but the ipa-admintools don't >>> > appear to be available for RHEL 5.9? >>> > >>> > Is there a way to make this work? >>> >>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It >>> should be possible to use the 2.1.3 client in EL 5 to enroll against a >>> 3.x server. >>> >>> Otherwise we probably need more context from >>> /var/log/ipaclient-install.log to see how the CA was retrieved. >>> >>> rob >>> >> >> Thanks for the tip. I tried it again, and it still failed. End of >> the log: >> >> [root@r5-idmclient <<a href="mailto:root@r5-idmclient">mailto:root@r5-idmclient</a>> ~]# tail -20 >> /var/log/ipaclient-install.log >> lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU >> >> >> 2013-07-22 13:45:36,982 DEBUG args=kinit >> <a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU">admin@LNXREALMTEST.LIBERTY.EDU</a> <<a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU">mailto:admin@LNXREALMTEST.LIBERTY.EDU</a>> >> 2013-07-22 13:45:36,983 DEBUG stdout=Password for >> <a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU">admin@LNXREALMTEST.LIBERTY.EDU</a> <<a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU">mailto:admin@LNXREALMTEST.LIBERTY.EDU</a>>: >> >> 2013-07-22 13:45:36,983 DEBUG stderr= >> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from >> ldap://lnxrealmtest01.liberty.edu >> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert >> Subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority >> Issuer: /DC=edu/DC=liberty/CN=LUPKI01 >> >> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s >> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu >> 2013-07-22 13:45:37,345 DEBUG stdout= >> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the >> HTTP POST transaction. SSL certificate problem, verify that the CA >> cert is OK. Details: >> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate >> verify failed >> >> 2013-07-22 13:45:37,490 DEBUG args=kdestroy >> 2013-07-22 13:45:37,491 DEBUG stdout= >> 2013-07-22 13:45:37,491 DEBUG stderr= >> _______________________________________________ >> Freeipa-users mailing list >> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <<a href="mailto:Freeipa-users@redhat.com">mailto:Freeipa-users@redhat.com</a>> >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > I just stood up a brand new RHEL 6 client, and it works just fine, so > there is something amiss with RHEL 5 on this. The time on the RHEL 5 > client and the RHEL 6 IdM server is the same, and the cert is valid, so > I don't know why the RHEL 5 system does not like the cert. Could it be > something with the versions of packages installed on it? > > libipa_hbac-1.5.1-58.el5 > ipa-client-2.1.3-5.el5_9.2 > curl-7.15.5-17.el5_9 > openssl-0.9.8e-26.el5_9.1 I have the feeling that OpenSSL doesn't like your CA certificate for some reason. Can you try this: # openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt Adding the -debug flag will add even more output. rob </pre> </blockquote> [<a href="mailto:klarmstrong2@r6-idmclient">klarmstrong2@r6-idmclient</a> ~]$ sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt [sudo] password for klarmstrong2: CONNECTED(00000003) depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu verify error:num=27:certificate not trusted verify return:1 depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority i:/DC=edu/DC=liberty/CN=LUPKI01 --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 2629 bytes and written 462 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE Session-ID-ctx: Master-Key: ... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1374585629 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) So it doesn't like it, yet I can still add a RHEL 6 client? Is there more stringent checking with the version of OpenSSL in RHEL 5? -Kenny <pre> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> Ok, I am having troubles making sense of this. First, I checked the CA cert chain that I downloaded from our PKI server to see if it's cool: [<a href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer CONNECTED(00000003) depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root verify return:1 depth=1 DC = edu, DC = liberty, CN = LUPKI01 verify return:1 depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu verify return:1 --- Certificate chain 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu i:/DC=edu/DC=liberty/CN=LUPKI01 1 s:/DC=edu/DC=liberty/CN=LUPKI01 i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu issuer=/DC=edu/DC=liberty/CN=LUPKI01 --- No client certificate CA names sent --- SSL handshake has read 2990 bytes and written 438 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1 Session-ID-ctx: Master-Key: ... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1374598158 Timeout : 300 (sec) Verify return code: 0 (ok) --- ^C [<a href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# ls anaconda-ks.cfg ca-agent.p12 CACert.cer cacert.p12 CACert.p7b install.log install.log.syslog ipa.cer ipa.csr [<a href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer CONNECTED(00000003) depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root verify return:1 depth=1 DC = edu, DC = liberty, CN = LUPKI01 verify return:1 depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu verify return:1 --- Certificate chain 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu i:/DC=edu/DC=liberty/CN=LUPKI01 1 s:/DC=edu/DC=liberty/CN=LUPKI01 i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu issuer=/DC=edu/DC=liberty/CN=LUPKI01 --- No client certificate CA names sent --- SSL handshake has read 2990 bytes and written 438 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA Session-ID-ctx: Master-Key: ... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1374598365 Timeout : 300 (sec) Verify return code: 0 (ok) --- Next, I check the cert that was issued by our local CA: [<a href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer CONNECTED(00000003) depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root verify return:1 depth=1 DC = edu, DC = liberty, CN = LUPKI01 verify return:1 depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU = Microsoft Team, CN = lupki01.liberty.edu verify return:1 --- Certificate chain 0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu i:/DC=edu/DC=liberty/CN=LUPKI01 1 s:/DC=edu/DC=liberty/CN=LUPKI01 i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft Team/CN=lupki01.liberty.edu issuer=/DC=edu/DC=liberty/CN=LUPKI01 --- No client certificate CA names sent --- SSL handshake has read 2990 bytes and written 438 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: 4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA Session-ID-ctx: Master-Key: ... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1374598365 Timeout : 300 (sec) Verify return code: 0 (ok) --- So all that looks good, but I check the certificate against the IPA server, and it fails: [<a href="mailto:root@lnxrealmtest01">root@lnxrealmtest01</a> ~]# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer CONNECTED(00000003) depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu verify error:num=27:certificate not trusted verify return:1 depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority 1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority i:/DC=edu/DC=liberty/CN=LUPKI01 --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 2629 bytes and written 462 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D Session-ID-ctx: Master-Key: ... Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1374598420 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- So I get it that it would fail against the IPA server, since it didn't issue it. But what I don't understand is that if the certificate is inherently ok, then why does it fail when I try to install the RHEL 5 client? -Kenny </body> </html>