[Freeipa-users] can't register new clients
Megan .
nagemnna at gmail.com
Sat Dec 6 00:51:46 UTC 2014
It failed again.
[root@cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
[root@cache2-uat ~]#
Not sure if it's related, but on the directory server in the apache
error.log I see the below every time a client tries to register:
[Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL
client cannot verify your certificate
On the directory server I ran ipa-getcert list and the certs seem ok.
On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Megan . wrote:
>> Sorry for being unclear. It still fails. Same error.
>
> Hmm, strange. Try being explicit about sql:
>
> # certutil -L -d sql:/etc/pki/nssdb
>
> And if there is a CA cert there, delete it.
>
> rob
>
>>
>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>>
>> Megan . wrote:
>> > Thanks.
>> >
>> > I did have an issue last week where I tried to do the client install
>> > and it failed because of a firewall issue. Networks has it opened
>> > now. I deleted ca.crt before trying again. There doesn't seem to be
>> > a certificate in /etc/pki/nssdb for it.
>> >
>> >
>> >
>> > [root@data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>> >
>> > Certificate Nickname Trust Attributes
>> > SSL,S/MIME,JAR/XPI
>> >
>> >
>> > [root@data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>> >
>> > certutil: could not find certificate named "IPA CA":
>> > SEC_ERROR_BAD_DATABASE: security library: bad database.
>> >
>> > [root@data2-uat ipa]# ls
>> >
>> > [root@data2-uat ipa]# pwd
>> >
>> > /etc/ipa
>> >
>> > [root@data2-uat ipa]# ls -al
>> >
>> > total 16
>> >
>> > drwxr-xr-x. 2 root root 4096 Dec 5 21:16 .
>> >
>> > drwxr-xr-x. 82 root root 12288 Dec 5 21:16 ..
>> >
>> > [root@data2-uat ipa]#
>>
>> So trying to install the client again fails or succeeds now?
>>
>> rob
>>
>> >
>> > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>> >> Rob Crittenden wrote:
>> >>> Megan . wrote:
>> >>>> Good Day!
>> >>>>
>> >>>> I am getting an error when I register new clients.
>> >>>>
>> >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>> >>>>
>> >>>> I can't find anything useful on the internet about the error. Can
>> >>>> someone help me troubleshoot?
>> >>>>
>> >>>> CentOS 6.6 x64
>> >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>> >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>> >>>> curl-7.19.7-40.el6_6.1.x86_64
>> >>>
>> >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>> >>> any testing on the client with this set.
>> >>
>> >> Never mind, that's not it. The problem is:
>> >>
>> >> * NSS error -8054
>> >>
>> >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>> >>
>> >> So I'd do this:
>> >>
>> >> # rm /etc/ipa/ca.crt
>> >>
>> >> You may also want to ensure that the IPA CA certificate isn't in
>> >> /etc/pki/nssdb:
>> >>
>> >> # certutil -L -d /etc/pki/nssdb
>> >>
>> >> And then perhaps
>> >>
>> >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>> >>
>> >> rob
>> >>
>>
>
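
A read-only pre-check for the leftovers discussed in this thread (a stale /etc/ipa/ca.crt and an 'IPA CA' entry in /etc/pki/nssdb), added here as an example and not posted by anyone in the thread. It queries the dbm and sql database formats explicitly instead of relying on certutil's default; the function names and the cert8.db/cert9.db format detection are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it reports, it deletes nothing.
# Defaults are the paths and the nickname used in the thread.
IPA_DIR=${IPA_DIR:-/etc/ipa}
NSS_DIR=${NSS_DIR:-/etc/pki/nssdb}
NICK=${NICK:-IPA CA}

# nss_formats DIR: print each NSS database format present in DIR.
# Assumption: cert8.db marks the legacy dbm format, cert9.db the sql format.
nss_formats() {
    [ -f "$1/cert8.db" ] && echo dbm
    [ -f "$1/cert9.db" ] && echo sql
    return 0
}

# has_nick FORMAT DIR NICK
# Returns 0 = nickname present, 1 = absent or database unreadable,
# 2 = certutil is not installed.
has_nick() {
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -L -d "$1:$2" -n "$3" >/dev/null 2>&1 && return 0
    return 1
}

# stale_state IPA_DIR NSS_DIR NICK: print one line per leftover found.
# No output means nothing from an earlier enrollment attempt was detected.
stale_state() {
    [ -e "$1/ca.crt" ] && echo "file $1/ca.crt"
    for fmt in $(nss_formats "$2"); do
        rc=0
        has_nick "$fmt" "$2" "$3" || rc=$?
        case $rc in
            0) echo "nss $fmt:$2 nickname '$3'" ;;
            2) echo "unchecked $fmt:$2 (certutil not installed)" ;;
        esac
    done
    return 0
}

stale_state "$IPA_DIR" "$NSS_DIR" "$NICK"
```
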