<div dir="ltr">Hello Martin,<div><br></div><div>still no luck unfortunately.</div><div><br></div><div>The client is an Ubuntu 14.04 server, and I believe it is enrolled already.</div><div><br></div><div>The /etc/ipa/ca.pem is correct and already installed, and I even added it to the <font face="monospace, monospace">/etc/ssl/certs</font> directory (which is why my <font face="monospace, monospace">curl</font> command in the first email does not complain).</div><div><br></div><div>Commands like <i><font face="monospace, monospace">kinit</font></i> work just fine, and I have never experienced a problem which would make me doubt the enrollment of this client.</div><div><br></div><div><br></div><div>I ran the following commands:</div><div><div><font face="monospace, monospace"># mkdir /etc/ipa/nssdb</font></div><div><font face="monospace, monospace"># certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a &lt; /etc/ipa/ca.crt</font></div></div><div><font face="monospace, monospace"># chmod +r /etc/ipa/nssdb/*</font></div><div><font face="monospace, monospace"># certutil -L -d /etc/ipa/nssdb</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Certificate Nickname Trust Attributes</font></div><div><font face="monospace, monospace"> SSL,S/MIME,JAR/XPI</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">PROD.XXXXXXXX.COM IPA CA CT,C,C</font></div><div><br></div><div>But I am still unable to run the script.</div><div>Is there anything else I need to do? Do I need to restart some components? 
Any log I could look into?</div><div><br></div><div>Thank you</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 November 2016 at 07:56, Martin Babinsky <span dir="ltr"><<a href="mailto:mbabinsk@redhat.com" target="_blank">mbabinsk@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/07/2016 04:45 PM, Alessandro De Maria wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi Martin,<br>
<br>
I tried from the host I am executing the script from, and I get:<br>
certutil -L -d /etc/httpd/alias/<br>
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The<br>
certificate/key database is in an old, unsupported format.<br>
<br>
<br>
From the FreeIPA server, as I said previously, I get:<br>
<br>
certutil -L -d /etc/httpd/alias/<br>
<br>
Certificate Nickname Trust Attributes<br>
 SSL,S/MIME,JAR/XPI<br>
<br>
Signing-Cert u,u,u<br>
ipaCert u,u,u<br>
Server-Cert u,u,u<br>
</span>PROD.XXXXXXXXXXXXX.COM IPA CA CT,C,C<span class=""><br>
<br>
<br>
From the FreeIPA server, I seem to be able to run the script, so we are<br>
definitely on the right track.<br>
How do I get the /etc/httpd/alias/ in sync across these hosts? can I<br>
copy it, or is there a way to regenerate it?<br>
<br>
Regards<br>
Alessandro<br>
<br>
On 7 November 2016 at 15:36, Alessandro De Maria<br></span><span class="">
<<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a>> wrote:<br>
<br>
Hi Martin, this is the output from the id1 host:<br>
<br>
certutil -L -d /etc/httpd/alias/<br>
<br>
Certificate Nickname Trust Attributes<br>
 SSL,S/MIME,JAR/XPI<br>
<br>
Signing-Cert u,u,u<br>
ipaCert u,u,u<br>
Server-Cert u,u,u<br></span>
PROD.XXXXXXXXXXXXX.COM IPA CA CT,C,C<span class=""><br>
<br>
<br>
looks just like you suggested. Any other suggestion?<br>
<br>
On 7 November 2016 at 10:56, Martin Babinsky <<a href="mailto:mbabinsk@redhat.com" target="_blank">mbabinsk@redhat.com</a>> wrote:<br></span><span class="">
<br>
On 11/04/2016 04:52 PM, Alessandro De Maria wrote:<br>
<br>
Hello,<br>
<br>
I have a FreeIPA installation that is working very nicely,<br>
we already<br>
have configured many hosts and so far we are quite happy<br>
with it.<br>
<br>
I was trying to connect Ansible to fetch hosts from FreeIPA<br>
using the<br>
freeipa.py script<br>
(<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a>)<br></span>
<div><div class="h5"><br>
<br>
Unfortunately when I run it, I get the following:<br>
<br>
ipa: ERROR: cert validation failed for "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)<br>
ipa: ERROR: cert validation failed for "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)<br>
Traceback (most recent call last):<br>
  File "./freeipa.py", line 82, in &lt;module&gt;<br>
    api = initialize()<br>
  File "./freeipa.py", line 17, in initialize<br>
    api.Backend.rpcclient.connect()<br>
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect<br>
    conn = self.create_connection(*args, **kw)<br>
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection<br>
    error=', '.join(urls))<br>
ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json<br>
<br>
<br>
If I curl the URL, it works just fine (I imported the CA<br>
Certificate in<br>
the system directory /etc/ssl/certs).<br>
<br>
I have run `openssl s_client` connect and downloaded the remote<br>
certificate locally, then I run:<br>
<br>
# openssl verify cert.pem<br>
# id1.prod.xxxxxxxx.com.pem: OK<br>
<br>
<br>
Would you help me figure out what's going on?<br>
<br>
<br>
<br>
--<br>
Alessandro De Maria<br>
<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a><br>
</div></div>
<span class=""><br>
<br>
<br>
<br>
Hi Alessandro,<br>
<br>
this error can mean that the CA certificate in IPA NSS database<br>
has wrong trust flags set. Please make sure that there is IPA CA<br>
certificate present on /etc/httpd/alias and it has trust flags<br>
CT,C,C like this:<br>
<br>
# certutil -L -d /etc/httpd/alias/<br>
<br>
Certificate Nickname Trust Attributes<br>
 SSL,S/MIME,JAR/XPI<br>
<br>
ipaCert u,u,u<br>
Server-Cert u,u,u<br>
&lt;$REALM&gt; IPA CA CT,C,C<br>
<br>
--<br>
Martin^3 Babinsky<br>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
<br>
<br>
<br>
<br>
--<br>
Alessandro De Maria<br></span>
<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a><br>
<br>
<br>
<br>
<br>
--<br>
Alessandro De Maria<br>
<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a><br>
</blockquote>
<br>
Alessandro,<br>
<br>
I have just realized that this may be a client-side problem. On the executor you may need to import the CA certificate from the IPA server into the local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.<br>
<br>
Or you can just enroll the node as IPA client and it will set up all this stuff for you.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Martin^3 Babinsky<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Alessandro De Maria<br><a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a></div>
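<div>The checks below are an added example, written for this thread and not code from the list, from FreeIPA or from the Ansible inventory script. They audit the two pieces of client-side trust material the replies above turn on: whether the NSS database is in the format certutil can open (the legacy cert8.db layout is what sits behind a SEC_ERROR_LEGACY_DATABASE error), whether the "&lt;REALM&gt; IPA CA" entry carries the CT,C,C trust flags the server's /etc/httpd/alias shows, and whether the PEM in /etc/ipa/ca.crt is the same certificate as the one in the NSS database. The paths /etc/ipa/nssdb and /etc/ipa/ca.crt come from the thread; the realm PROD.EXAMPLE.COM, the function names and the sample listings are assumptions and constructed data.</div>

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from FreeIPA.
# Audits the client-side trust material Martin's reply points at: the NSS
# database (/etc/ipa/nssdb) and the PEM copy of the CA (/etc/ipa/ca.crt).
# The paths and the "<REALM> IPA CA" nickname are taken from the thread;
# the realm PROD.EXAMPLE.COM used below is an assumption.

# Classify an NSS database directory by the files it holds:
#   sql  - cert9.db/key4.db, the format current certutil opens by default
#   dbm  - cert8.db/key3.db, the legacy format behind the
#          SEC_ERROR_LEGACY_DATABASE error quoted earlier in the thread
#   none - no certificate database at all
nssdb_format() {
    if [ -f "$1/cert9.db" ]; then
        echo sql
    elif [ -f "$1/cert8.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Read a `certutil -L` listing on stdin and report on the IPA CA entry.
# Exit status: 0 = present with trust flags CT,C,C (what the server's
# /etc/httpd/alias shows), 1 = present with other flags, 2 = no such entry.
check_ipa_ca_trust() {
    awk '
        /IPA CA/ {
            found = 1
            # the trust flags are the last whitespace-separated field
            if ($NF == "CT,C,C") ok = 1
        }
        END {
            if (!found) exit 2
            if (ok) exit 0
            exit 1
        }'
}

# Compare the SHA-256 fingerprint of the PEM CA with the certificate stored
# under NICK in the NSS database, so a stale or wrong ca.crt is caught even
# when the trust flags look right. Needs certutil and openssl on the client.
ca_fingerprints_match() {
    db=$1 nick=$2 pem=$3
    pem_fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || return 2
    db_fp=$(certutil -L -d "$db" -n "$nick" -a |
            openssl x509 -noout -fingerprint -sha256) || return 2
    [ "$pem_fp" = "$db_fp" ]
}

# Run all three checks on an enrolled client. Example call (realm assumed):
#   audit_ipa_client /etc/ipa/nssdb 'PROD.EXAMPLE.COM IPA CA' /etc/ipa/ca.crt
audit_ipa_client() {
    db=$1 nick=$2 pem=$3
    echo "nssdb format: $(nssdb_format "$db")"
    rc=0
    certutil -L -d "$db" | check_ipa_ca_trust || rc=$?
    case $rc in
        0) echo "IPA CA trust flags: CT,C,C" ;;
        1) echo "IPA CA present but trust flags are not CT,C,C" ;;
        2) echo "no IPA CA entry in $db" ;;
    esac
    if ca_fingerprints_match "$db" "$nick" "$pem"; then
        echo "ca.crt matches the NSS database entry"
    else
        echo "ca.crt and the NSS database entry differ (or a tool failed)"
    fi
}

# Constructed sample listings (modelled on the ones quoted in the thread)
# so the parser can be exercised without certutil installed.
SAMPLE_OK='Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

PROD.EXAMPLE.COM IPA CA                  CT,C,C'
SAMPLE_WRONG_FLAGS='Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

PROD.EXAMPLE.COM IPA CA                  u,u,u'
SAMPLE_MISSING='Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

Server-Cert                              u,u,u'

# Return the parser's exit status for a listing passed as a string.
trust_status_of() {
    rc=0
    printf '%s\n' "$1" | check_ipa_ca_trust || rc=$?
    echo "$rc"
}
```

<div>The fingerprint comparison is the step the thread never takes: adding a CA with CT,C,C only helps if that CA is the one that actually signed the id1/id2 server certificates, and comparing /etc/ipa/ca.crt against the database entry (and, with the same openssl command, against the issuer of the certificate fetched with openssl s_client) settles that before any further trust-flag changes are made.</div>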
</div>