[Freeipa-users] can't register new clients

Rob Crittenden rcritten at redhat.com
Fri Dec 5 22:10:53 UTC 2014


Megan . wrote:
> Sorry for being unclear. It still fails.  Same error.

Hmm, strange. Try being explicit about sql:

# certutil -L -d sql:/etc/pki/nssdb

And if there is a CA cert there, delete it.

rob

> 
> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
> 
>     Megan . wrote:
>     > Thanks.
>     >
>     > I did have an issue last week where I tried to do the client install
>     > and it failed because of a firewall issue.  Networks has it opened
>     > now.  I deleted ca.crt before trying again.  There doesn't seem to be
>     > a certificate in /etc/pki/nssdb for it.
>     >
>     >
>     >
>     > [root@data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>     >
>     > Certificate Nickname                                         Trust Attributes
>     >                                                              SSL,S/MIME,JAR/XPI
>     >
>     > [root@data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>     > certutil: could not find certificate named "IPA CA":
>     > SEC_ERROR_BAD_DATABASE: security library: bad database.
>     > [root@data2-uat ipa]# ls
>     > [root@data2-uat ipa]# pwd
>     > /etc/ipa
>     > [root@data2-uat ipa]# ls -al
>     > total 16
>     > drwxr-xr-x.  2 root root  4096 Dec  5 21:16 .
>     > drwxr-xr-x. 82 root root 12288 Dec  5 21:16 ..
>     > [root@data2-uat ipa]#
> 
>     So trying to install the client again fails or succeeds now?
> 
>     rob
> 
>     >
>     > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>     >> Rob Crittenden wrote:
>     >>> Megan . wrote:
>     >>>> Good Day!
>     >>>>
>     >>>> I am getting an error when I register new clients.
>     >>>>
>     >>>> libcurl failed to execute the HTTP POST transaction.  SSL connect error
>     >>>>
>     >>>> I can't find anything useful on the internet about the error.  Can
>     >>>> someone help me troubleshoot?
>     >>>>
>     >>>> CentOS 6.6  x64
>     >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>     >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>     >>>> curl-7.19.7-40.el6_6.1.x86_64
>     >>>
>     >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>     >>> any testing on the client with this set.
>     >>
>     >> Never mind, that's not it. The problem is:
>     >>
>     >> * NSS error -8054
>     >>
>     >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>     >>
>     >> So I'd do this:
>     >>
>     >> # rm /etc/ipa/ca.crt
>     >>
>     >> You may also want to ensure that the IPA CA certificate isn't in
>     >> /etc/pki/nssdb:
>     >>
>     >> # certutil -L -d /etc/pki/nssdb
>     >>
>     >> And then perhaps
>     >>
>     >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>     >>
>     >> rob
>     >>
> 
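
Added example, not part of the original thread: a shell helper that looks for a certificate nickname in both NSS database formats of a directory, since the thread shows an un-prefixed `certutil -L` coming back empty before the `sql:` prefix is suggested. The function names and the sample listing are constructed for illustration; it assumes `certutil` from nss-tools is installed and that the un-prefixed form corresponds to the `dbm:` format on this client.

```shell
#!/bin/sh
# Constructed sample of `certutil -L` output (not taken from the thread).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
Example Server-Cert                                          u,u,u
'

# Read `certutil -L` output on stdin and print one nickname per line.
# Header lines and blank lines are dropped; the trailing trust-flag
# column (three comma-separated fields such as CT,C,C) is stripped.
nicknames_from_listing() {
    awk '
        /^Certificate Nickname/                 { next }
        /^[ \t]*SSL,S\/MIME,JAR\/XPI[ \t]*$/     { next }
        /^[ \t]*$/                              { next }
        {
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "")
            print
        }'
}

# Succeed only if the exact nickname ($1) appears in the listing on stdin.
listing_has_nickname() {
    nicknames_from_listing | grep -Fxq -- "$1"
}

# Check the legacy (dbm:) and SQLite (sql:) databases in directory $1
# for nickname $2 and report each one separately.
report_nickname() {
    dir=$1
    nick=$2
    for fmt in dbm sql; do
        if certutil -L -d "$fmt:$dir" 2>/dev/null | listing_has_nickname "$nick"; then
            echo "$fmt:$dir contains '$nick'"
        else
            echo "$fmt:$dir: '$nick' not found (or no database of this format)"
        fi
    done
}

# Demo on the constructed sample. On a real client one would run:
#   report_nickname /etc/pki/nssdb 'IPA CA'
printf '%s\n' "$SAMPLE_LISTING" | nicknames_from_listing
```

A format reported as containing the nickname is the one to pass to `certutil -D -n 'IPA CA' -d <fmt>:/etc/pki/nssdb`.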



