<div dir="ltr">Thank you Rob and Martin,<div> </div><div>the correct place on Ubuntu seems to be:</div><div>/etc/pki/nssdb/</div><div> </div><div>This directory does not seem to be initialised by the ipa-client-install tool.</div><div> </div><div> </div><div>Now my script still doesn't work, but offer brand new errors :)</div><div> </div><div>Thank you</div></div><div class="gmail_extra"> <div class="gmail_quote">On 8 November 2016 at 14:55, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Alessandro De Maria wrote: > Hello Martin, > > still no luck unfortunately. > > The client is an ubuntu 14.04 server, and I believe it is enrolled already. > > The /etc/ipa/ca.pem is correct and already installed, and I even added > it to the /etc/ssl/certs directory (which is why my curl command in the > first email does not complain) The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this is handled on Ubuntu clients but you'll need to confirm that whatever Ubuntu uses exists and has the IPA CA certificate installed. rob > > Commands like /kinit/ work just fine, and I have never experienced a > problem which would make me doubt of the enrollment of this client. > > > I run the following commands: > # mkdir /etc/ipa/nssdb > # certutil -A -d /etc/ipa/nssdb -n '<a href="http://PROD.XXXXXXXXX.COM" rel="noreferrer" target="_blank">PROD.XXXXXXXXX.COM</a> > <<a href="http://PROD.XXXXXXXXX.COM" rel="noreferrer" target="_blank">http://PROD.XXXXXXXXX.COM</a>> IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt > # chmod +r /etc/ipa/nssdb/* > # certutil -L -d /etc/ipa/nssdb > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > <a href="http://PROD.XXXXXXXX.COM" rel="noreferrer" target="_blank">PROD.XXXXXXXX.COM</a> <<a href="http://PROD.XXXXXXXX.COM" rel="noreferrer" target="_blank">http://PROD.XXXXXXXX.COM</a>> IPA CA > CT,C,C > > But I am still unable to run the script. > Is there anything else I need to do? Do I need to restart some > components? Any log I could look into? > > Thank you > > > On 8 November 2016 at 07:56, Martin Babinsky <<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a> > <mailto:<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a>>> wrote: > > On 11/07/2016 04:45 PM, Alessandro De Maria wrote: > > Hi Martin, > > I tried from the host I am executing the script from, and I get: > certutil -L -d /etc/httpd/alias/ > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The > certificate/key database is in an old, unsupported format. > > > >From the FreeIPA server, as I said previously, I get: > > certutil -L -d /etc/httpd/alias/ > > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > Signing-Cert u,u,u > ipaCert u,u,u > Server-Cert u,u,u > <a href="http://PROD.XXXXXXXXXXXXX.COM" rel="noreferrer" target="_blank">PROD.XXXXXXXXXXXXX.COM</a> <<a href="http://PROD.XXXXXXXXXXXXX.COM" rel="noreferrer" target="_blank">http://PROD.XXXXXXXXXXXXX.COM</a>> > <<a href="http://prod.xxxxxxxxxxxxx.com/" rel="noreferrer" target="_blank">http://prod.xxxxxxxxxxxxx.com/</a> > <<a href="http://prod.xxxxxxxxxxxxx.com/" rel="noreferrer" target="_blank">http://prod.xxxxxxxxxxxxx.com/</a>>> IPA CA > CT,C,C > > > >From the FreeIPA server, I seem to be able to run the script, so we are > definitely on the right track. > How do I get the /etc/httpd/alias/ in sync across these hosts? can I > copy it, or is there a way to regenerate it? > > Regards > Alessandro > > On 7 November 2016 at 15:36, Alessandro De Maria > <<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>>>> wrote: > > Hi Martin, this is the output from the id1 host: > > certutil -L -d /etc/httpd/alias/ > > Certificate Nickname > Trust > Attributes > > SSL,S/MIME,JAR/XPI > > Signing-Cert > u,u,u > ipaCert > u,u,u > Server-Cert > u,u,u > <a href="http://PROD.XXXXXXXXXXXXX.COM" rel="noreferrer" target="_blank">PROD.XXXXXXXXXXXXX.COM</a> <<a href="http://PROD.XXXXXXXXXXXXX.COM" rel="noreferrer" target="_blank">http://PROD.XXXXXXXXXXXXX.COM</a>> > <<a href="http://PROD.XXXXXXXXXXXXX.COM" rel="noreferrer" target="_blank">http://PROD.XXXXXXXXXXXXX.COM</a>> IPA CA > CT,C,C > > > looks just like you suggested. Any other suggestion? > > On 7 November 2016 at 10:56, Martin Babinsky > <<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a> <mailto:<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a>> > <mailto:<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a> <mailto:<a href="mailto:mbabinsk@redhat.com">mbabinsk@redhat.com</a>>>> <div><div class="h5">> wrote: > > On 11/04/2016 04:52 PM, Alessandro De Maria wrote: > > Hello, > > I have a FreeIPA installation that is working very > nicely, > we already > have configured many hosts and so far we are quite happy > with it. > > I was trying to connect Ansible to fetch hosts from > FreeIPA > using the > freeipa.py script > > (<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a> > <<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a>> > > <<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a> > <<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a>>>) > > > Unfortunately when I run it, I get the following: > > *ipa: ERROR: cert validation failed for > "CN=id1.prod.**xxxxxxxx**.com,O=<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">PROD.xxxxxxxx.COM</a> > <<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>> > <<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>> > <<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>>" > ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's > certificate issuer has been marked as not trusted by > the user.)* > *ipa: ERROR: cert validation failed for > "CN=id2.prod.**xxxxxxxx**.com,O=<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">PROD.xxxxxxxx.COM</a> > <<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>> > <<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>> > <<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>>" > ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's > certificate issuer has been marked as not trusted by > the user.)* > *Traceback (most recent call last):* > * File "./freeipa.py", line 82, in <module>* > * api = initialize()* > * File "./freeipa.py", line 17, in initialize* > * api.Backend.rpcclient.connect()* > * File > > "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, > in connect* > * conn = self.create_connection(*args, **kw)* > * File > "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", > line 939, in > create_connection* > * error=', '.join(urls))* > *ipalib.errors.NetworkError: cannot connect to 'any > of the > configured > servers': <a href="https://id1.prod." rel="noreferrer" target="_blank">https://id1.prod.</a>**xxxxxxxx**.com/ipa/json, > <a href="https://id2.prod." rel="noreferrer" target="_blank">https://id2.prod.</a>**xxxxxxxx**.com/ipa/json* > > > If I curl the URL, it works just fine ( I imported > the CA > Certificate in > the system directory /etc/ssl/certs). > > I have run `openssl s_client` connect and downloaded > the remote > certificate locally, then I run: > > # openssl verify cert.pem > # *id1.prod.**xxxxxxxx**.com.pem*: OK > > > Would you help me figure out what's going on? > > > > -- > Alessandro De Maria > <a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>>> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>>>> > > > > Hi Alessandro, > > this error can mean that the CA certificate in IPA NSS > database > has wrong trust flags set. Please make sure that there > is IPA CA > certificate present on /etc/httpd/alias and it has trust > flags > CT,C,C like this: > > # certutil -L -d /etc/httpd/alias/ > > Certificate Nickname > Trust Attributes > > SSL,S/MIME,JAR/XPI > > ipaCert > u,u,u > Server-Cert > u,u,u > <$REALM> IPA CA > CT,C,C > > -- > Martin^3 Babinsky > > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > <<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a>> > <<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > <<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a>>> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project > > > > > -- > Alessandro De Maria > <a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> </div></div>> <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>>> > > > > > -- > Alessandro De Maria > <a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> > <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>>> > > > Alessandro, > > I have just realized that this may be client-side problem. On the > executor you may need to import CA certificate from IPA server to > local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as PEM file. > > Or you can just enroll the node as IPA client and it will set up all > this stuff for you. > > -- > Martin^3 Babinsky > > > > > -- > Alessandro De Maria > <a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a> <mailto:<a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> > > </blockquote></div> <div> </div>-- <div class="gmail_signature" data-smartmail="gmail_signature">Alessandro De Maria <a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a></div> </div>