[Freeipa-users] can't register new clients
Megan .
nagemnna at gmail.com
Mon Dec 8 19:00:52 UTC 2014
I looked through the logs on the server and I see the below error in
the Apache error log when I try to register a client:
[Mon Dec 08 12:20:38 2014] [error] SSL Library Error: -12195 Peer does
not recognize and trust the CA that issued your certificate
I ran ipa-getcert list and everything seems ok (nothing expired) but
I'm not sure where to troubleshoot from here.
On Fri, Dec 5, 2014 at 7:51 PM, Megan . <nagemnna at gmail.com> wrote:
> It failed again.
>
>
> [root at cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
> [root at cache2-uat ~]#
>
> Not sure if it's related, but on the directory server in the Apache
> error.log I see the below every time a client tries to register:
>
> [Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL
> client cannot verify your certificate
>
> On the directory server I ran ipa-getcert list and the certs seem ok.
>
>
>
> On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Megan . wrote:
>>> Sorry for being unclear. It still fails. Same error.
>>
>> Hmm, strange. Try being explicit about sql:
>>
>> # certutil -L -d sql:/etc/pki/nssdb
>>
>> And if there is a CA cert there, delete it.
>>
>> rob
>>
>>>
>>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcritten at redhat.com
>>> <mailto:rcritten at redhat.com>> wrote:
>>>
>>> Megan . wrote:
>>> > Thanks.
>>> >
>>> > I did have an issue last week where I tried to do the client install
>>> > and it failed because of a firewall issue. Networks has it opened
>>> > now. I deleted ca.crt before trying again. There doesn't seem to be
>>> > a certificate in /etc/pki/nssdb for it.
>>> >
>>> >
>>> >
>>> > [root at data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>>> >
>>> >
>>> > Certificate Nickname Trust Attributes
>>> > SSL,S/MIME,JAR/XPI
>>> >
>>> >
>>> > [root at data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>> >
>>> > certutil: could not find certificate named "IPA CA":
>>> > SEC_ERROR_BAD_DATABASE: security library: bad database.
>>> >
>>> > [root at data2-uat ipa]# ls
>>> >
>>> > [root at data2-uat ipa]# pwd
>>> >
>>> > /etc/ipa
>>> >
>>> > [root at data2-uat ipa]# ls -al
>>> >
>>> > total 16
>>> >
>>> > drwxr-xr-x. 2 root root 4096 Dec 5 21:16 .
>>> >
>>> > drwxr-xr-x. 82 root root 12288 Dec 5 21:16 ..
>>> >
>>> > [root at data2-uat ipa]#
>>>
>>> So trying to install the client again fails or succeeds now?
>>>
>>> rob
>>>
>>> >
>>> > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden
>>> > <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>> >> Rob Crittenden wrote:
>>> >>> Megan . wrote:
>>> >>>> Good Day!
>>> >>>>
>>> >>>> I am getting an error when I register new clients.
>>> >>>>
>>> >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>>> >>>>
>>> >>>> I can't find anything useful on the internet about the error. Can
>>> >>>> someone help me troubleshoot?
>>> >>>>
>>> >>>> CentOS 6.6 x64
>>> >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>> >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>> >>>> curl-7.19.7-40.el6_6.1.x86_64
>>> >>>
>>> >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>>> >>> any testing on the client with this set.
>>> >>
>>> >> Never mind, that's not it. The problem is:
>>> >>
>>> >> * NSS error -8054
>>> >>
>>> >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>>> >>
>>> >> So I'd do this:
>>> >>
>>> >> # rm /etc/ipa/ca.crt
>>> >>
>>> >> You may also want to ensure that the IPA CA certificate isn't in
>>> >> /etc/pki/nssdb:
>>> >>
>>> >> # certutil -L -d /etc/pki/nssdb
>>> >>
>>> >> And then perhaps
>>> >>
>>> >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>> >>
>>> >> rob
>>> >>
>>>
>>
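The root cause Rob names in the thread, NSS error -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL), is NSS refusing to accept two different certificates that carry the same issuer name and serial number, which is exactly what a stale /etc/ipa/ca.crt or a leftover "IPA CA" entry in /etc/pki/nssdb produces after a server has been rebuilt. The following is an added example, not code from the thread or from the FreeIPA project: it uses only the Python standard library, builds constructed certificate-shaped DER structures (no real signature, labelled as such in the code), and walks just far enough into the TBSCertificate to extract issuer and serial so that a cached and a freshly presented CA can be compared the way NSS does. Names such as fake_cert, find_reused_issuer_serial and the sample labels are the example's own.

```python
"""Added example (not from the thread or FreeIPA): detect the condition behind
NSS error -8054, SEC_ERROR_REUSED_ISSUER_AND_SERIAL, which NSS raises when two
*different* certificates share the same issuer name and serial number.
Standard library only; the sample "certificates" are constructed DER structures
shaped like X.509 (no real signature), enough for the issuer/serial walk."""
import hashlib

# --- minimal DER encoder, used only to build the constructed sample data ------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one commonName (2.5.4.3)
    oid_cn = der(0x06, bytes([0x55, 0x04, 0x03]))
    return der_seq(der(0x31, der_seq(oid_cn, der(0x0C, cn.encode()))))

SIG_ALG = der_seq(der(0x06, bytes.fromhex("2A864886F70D01010B")), der(0x05, b""))  # sha256WithRSAEncryption
RSA_ALG = der_seq(der(0x06, bytes.fromhex("2A864886F70D010101")), der(0x05, b""))  # rsaEncryption

def fake_cert(serial, issuer_cn, subject_cn, key_material):
    """Constructed, unsigned Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }."""
    tbs = der_seq(
        der(0xA0, der_int(2)),                                   # [0] EXPLICIT version v3
        der_int(serial),                                         # serialNumber
        SIG_ALG,                                                 # signature
        der_name(issuer_cn),                                     # issuer
        der_seq(der(0x17, b"141205000000Z"), der(0x17, b"341205000000Z")),  # validity (UTCTime)
        der_name(subject_cn),                                    # subject
        der_seq(RSA_ALG, der(0x03, b"\x00" + key_material)),     # subjectPublicKeyInfo (dummy key)
    )
    return der_seq(tbs, SIG_ALG, der(0x03, b"\x00" + b"\x00" * 32))  # dummy signature

# --- minimal DER reader: Certificate -> tbsCertificate -> serial, issuer ------
def _tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Return (issuer Name as DER bytes, serial as int) for a DER certificate."""
    tag, cert_body, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert_body, 0)
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] version present: skip it
        tag, val, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)           # issuer Name
    return tbs[start:pos], serial

def find_reused_issuer_serial(certs):
    """certs: {label: DER bytes}. Return [(label_a, label_b)] for distinct blobs that
    share issuer+serial, i.e. the pairs NSS rejects with SEC_ERROR_REUSED_ISSUER_AND_SERIAL.
    Byte-identical copies of one certificate are not a conflict."""
    seen, conflicts = {}, []
    for label, blob in certs.items():
        key = issuer_and_serial(blob)
        fingerprint = hashlib.sha256(blob).hexdigest()
        if key in seen and seen[key][1] != fingerprint:
            conflicts.append((seen[key][0], label))
        seen.setdefault(key, (label, fingerprint))
    return conflicts

# --- constructed sample: a client still holding the CA from an earlier install,
#     and a server whose CA was re-created with the same name and serial -------
SAMPLE_CERTS = {
    "cached /etc/ipa/ca.crt": fake_cert(1, "Example IPA CA", "Example IPA CA", hashlib.sha256(b"key A").digest()),
    "CA presented by server": fake_cert(1, "Example IPA CA", "Example IPA CA", hashlib.sha256(b"key B").digest()),
    "unrelated cert": fake_cert(7, "Example IPA CA", "host.example.test", hashlib.sha256(b"key C").digest()),
}

if __name__ == "__main__":
    for a, b in find_reused_issuer_serial(SAMPLE_CERTS):
        print(f"reused issuer+serial: '{a}' vs '{b}' -> NSS would report -8054")
```

On a real client the two blobs to feed in are the cached /etc/ipa/ca.crt (after converting PEM to DER) and the CA the server currently serves; when the function reports a conflict, the fix is the one given in the thread: remove the cached ca.crt and delete any leftover "IPA CA" entry from /etc/pki/nssdb, then rerun the client install so it fetches the current CA.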