<div dir="ltr">Hello Martin,<div><br></div><div>Still no luck, unfortunately.</div><div><br></div><div>The client is an Ubuntu 14.04 server, and I believe it is enrolled already.</div><div><br></div><div>The /etc/ipa/ca.pem is correct and already installed, and I even added it to the <font face="monospace, monospace">/etc/ssl/certs</font> directory (which is why my <font face="monospace, monospace">curl</font> command in the first email does not complain).</div><div><br></div><div>Commands like <i><font face="monospace, monospace">kinit</font></i> work just fine, and I have never experienced a problem which would make me doubt the enrollment of this client.</div><div><br></div><div><br></div><div>I ran the following commands:</div><div><div><font face="monospace, monospace"># mkdir /etc/ipa/nssdb</font></div><div><font face="monospace, monospace"># certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a &lt; /etc/ipa/ca.crt</font></div></div><div><font face="monospace, monospace"># chmod +r /etc/ipa/nssdb/*</font></div><div><font face="monospace, monospace"># certutil -L -d /etc/ipa/nssdb</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Certificate Nickname                                         Trust Attributes</font></div><div><font face="monospace, monospace">                                                             SSL,S/MIME,JAR/XPI</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">PROD.XXXXXXXX.COM IPA CA                                     CT,C,C</font></div><div><br></div><div>But I am still unable to run the script.</div><div>Is there anything else I need to do? Do I need to restart some components? 
Any log I could look into?</div><div><br></div><div>Thank you</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 November 2016 at 07:56, Martin Babinsky <span dir="ltr"><<a href="mailto:mbabinsk@redhat.com" target="_blank">mbabinsk@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/07/2016 04:45 PM, Alessandro De Maria wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi Martin,<br>
<br>
I tried from the host I am executing the script from, and I get:<br>
certutil -L -d /etc/httpd/alias/<br>
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The<br>
certificate/key database is in an old, unsupported format.<br>
<br>
<br>
From the FreeIPA server, as I said previously, I get:<br>
<br>
certutil -L -d /etc/httpd/alias/<br>
<br>
Certificate Nickname                                         Trust Attributes<br>
                                                             SSL,S/MIME,JAR/XPI<br>
<br>
Signing-Cert                                                 u,u,u<br>
ipaCert                                                      u,u,u<br>
Server-Cert                                                  u,u,u<br>
</span>PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C<span class=""><br>
<br>
<br>
From the FreeIPA server, I seem to be able to run the script, so we are<br>
definitely on the right track.<br>
How do I get the /etc/httpd/alias/ in sync across these hosts? Can I<br>
copy it, or is there a way to regenerate it?<br>
<br>
Regards<br>
Alessandro<br>
<br>
On 7 November 2016 at 15:36, Alessandro De Maria<br></span><span class="">
<<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a>> wrote:<br>
<br>
    Hi Martin, this is the output from the id1 host:<br>
<br>
    certutil -L -d /etc/httpd/alias/<br>
<br>
    Certificate Nickname                                         Trust Attributes<br>
                                                                 SSL,S/MIME,JAR/XPI<br>
<br>
    Signing-Cert                                                 u,u,u<br>
    ipaCert                                                      u,u,u<br>
    Server-Cert                                                  u,u,u<br></span>
    PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C<span class=""><br>
<br>
<br>
    It looks just like you suggested. Any other suggestion?<br>
<br>
    On 7 November 2016 at 10:56, Martin Babinsky <<a href="mailto:mbabinsk@redhat.com" target="_blank">mbabinsk@redhat.com</a>> wrote:<br></span><span class="">
<br>
        On 11/04/2016 04:52 PM, Alessandro De Maria wrote:<br>
<br>
            Hello,<br>
<br>
            I have a FreeIPA installation that is working very nicely; we<br>
            have already configured many hosts and so far we are quite happy<br>
            with it.<br>
<br>
            I was trying to connect Ansible to fetch hosts from FreeIPA<br>
            using the<br>
            freeipa.py script<br>
            (<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a>)<br></span><div><div class="h5"><br>
<br>
            Unfortunately when I run it, I get the following:<br>
<br>
            *ipa: ERROR: cert validation failed for<br>
            "CN=id1.prod.**xxxxxxxx**.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's<br>
            certificate issuer has been marked as not trusted by the user.)*<br>
            *ipa: ERROR: cert validation failed for<br>
            "CN=id2.prod.**xxxxxxxx**.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's<br>
            certificate issuer has been marked as not trusted by the user.)*<br>
            *Traceback (most recent call last):*<br>
            *  File "./freeipa.py", line 82, in &lt;module&gt;*<br>
            *    api = initialize()*<br>
            *  File "./freeipa.py", line 17, in initialize*<br>
            *    api.Backend.rpcclient.connect()*<br>
            *  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect*<br>
            *    conn = self.create_connection(*args, **kw)*<br>
            *  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection*<br>
            *    error=', '.join(urls))*<br>
            *ipalib.errors.NetworkError: cannot connect to 'any of the configured<br>
            servers': https://id1.prod.**xxxxxxxx**.com/ipa/json, https://id2.prod.**xxxxxxxx**.com/ipa/json*<br>
<br>
<br>
            If I curl the URL, it works just fine (I imported the CA<br>
            certificate into the system directory /etc/ssl/certs).<br>
<br>
            I have run `openssl s_client` connect and downloaded the remote<br>
            certificate locally, then ran:<br>
<br>
            # openssl verify cert.pem<br>
            # *id1.prod.**xxxxxxxx**.com.pem*: OK<br>
<br>
<br>
            Would you help me figure out what's going on?<br>
<br>
<br>
<br>
            --<br>
            Alessandro De Maria<br>
            <a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a><br></div></div>
            <span class=""><br>
<br>
<br>
<br>
        Hi Alessandro,<br>
<br>
        this error can mean that the CA certificate in the IPA NSS database<br>
        has the wrong trust flags set. Please make sure that the IPA CA<br>
        certificate is present in /etc/httpd/alias and has the trust flags<br>
        CT,C,C, like this:<br>
<br>
        # certutil -L -d /etc/httpd/alias/<br>
<br>
        Certificate Nickname                                         Trust Attributes<br>
                                                                     SSL,S/MIME,JAR/XPI<br>
<br>
        ipaCert                                                      u,u,u<br>
        Server-Cert                                                  u,u,u<br>
        <$REALM> IPA CA                                              CT,C,C<br>
<br>
        --<br>
        Martin^3 Babinsky<br>
<br>
        --<br>
        Manage your subscription for the Freeipa-users mailing list:<br>
        <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
        Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
<br>
<br>
<br>
<br>
    --<br>
    Alessandro De Maria<br></span>
    <a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a><br>
<br>
<br>
<br>
<br>
--<br>
Alessandro De Maria<br>
<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a><br>
</blockquote>
<br>
Alessandro,<br>
<br>
I have just realized that this may be a client-side problem. On the executor you may need to import the CA certificate from the IPA server into the local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.<br>
<br>
Or you can just enroll the node as IPA client and it will set up all this stuff for you.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Martin^3 Babinsky<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Alessandro De Maria<br><a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a></div>
</div>
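<p>The check Martin asks for in this thread (is the IPA CA present in the client NSS database with trust flags CT,C,C?) is easy to get wrong by eye, since a CA that was imported with empty or partial flags still shows up in the listing. The script below is an added example written for this page; it is not code from the mailing list or from FreeIPA. It parses the text that <code>certutil -L -d /etc/ipa/nssdb</code> prints and reports whether the CA nickname carries exactly CT,C,C, printing the standard <code>certutil -M</code> (modify trust) or <code>certutil -A</code> (add) command that would repair the database. Both listings embedded in it are constructed, and the nickname <code>PROD.EXAMPLE.COM IPA CA</code> is a placeholder for the redacted realm in the thread.</p>

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from FreeIPA):
# parse a `certutil -L` listing and check that the IPA CA entry carries
# the CT,C,C trust flags. On a real client you would feed in the output of
#   certutil -L -d /etc/ipa/nssdb
# Here two constructed listings stand in so the script runs offline.

CA_NICK='PROD.EXAMPLE.COM IPA CA'   # placeholder for the redacted realm

# Constructed listing mimicking a healthy /etc/ipa/nssdb.
GOOD_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      CT,C,C'

# Constructed listing where the CA was imported without trust flags
# (e.g. `certutil -A ... -t ,,`); the CA is present but not trusted to
# issue server certificates, which matches SEC_ERROR_UNTRUSTED_ISSUER.
BAD_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PROD.EXAMPLE.COM IPA CA                                      ,,'

# trust_flags LISTING NICKNAME
# Prints the trust-attribute column for NICKNAME and returns 0, or returns 1
# when the nickname is absent. Only rows whose last field looks like an NSS
# trust triple (x,y,z) are considered, which skips the two header lines;
# nicknames may contain spaces, so the nickname is everything before the
# last field.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)                # drop any leading indent
            if (name == nick) { print flags; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# ca_trusted LISTING NICKNAME
# Succeeds only when NICKNAME exists and has exactly CT,C,C.
ca_trusted() {
    flags=$(trust_flags "$1" "$2") || return 1
    [ "$flags" = "CT,C,C" ]
}

# check_nssdb LISTING NICKNAME
# Prints a verdict plus the certutil command that would repair the database
# (database path left as a placeholder). Returns 0 only when the CA is trusted.
check_nssdb() {
    if ca_trusted "$1" "$2"; then
        echo "OK: '$2' has trust flags CT,C,C"
        return 0
    fi
    if flags=$(trust_flags "$1" "$2"); then
        echo "WRONG FLAGS: '$2' has '$flags', expected CT,C,C"
        echo "  fix: certutil -M -d <nssdb> -n '$2' -t CT,C,C"
    else
        echo "MISSING: '$2' is not in the database"
        echo "  fix: certutil -A -d <nssdb> -n '$2' -t CT,C,C -a -i /etc/ipa/ca.crt"
    fi
    return 1
}

check_nssdb "$GOOD_LISTING" "$CA_NICK"
check_nssdb "$BAD_LISTING" "$CA_NICK" || :
```

<p>To run it against a real client, replace the constructed listing with <code>check_nssdb "$(certutil -L -d /etc/ipa/nssdb)" "$REALM IPA CA"</code>, using the realm as it appears in the nickname. The row filter keys on the shape of the trust column rather than on line numbers, so it tolerates the leading blank line and wrapped headers that show up when the listing is pasted into mail.</p>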