[Freeipa-users] can't register new clients

Martin Kosek mkosek at redhat.com
Tue Dec 9 09:18:42 UTC 2014


On 12/08/2014 08:00 PM, Megan . wrote:
> I looked through the logs on the server and i see the below error in
> the apache error log when i try to register a client:
> 
> [Mon Dec 08 12:20:38 2014] [error] SSL Library Error: -12195 Peer does
> not recognize and trust the CA that issued your certificate
> 
> 
> I ran ipa-getcert list and everything seems ok (nothing expired) but
> i'm not sure where to troubleshoot from here.

The next step would be to check the actual HTTP certificate (on the client
machine) and see what's wrong. I did a simple test you can follow:

# wget http://ipa.mkosek-f21.test/ipa/config/ca.crt -O /tmp/ipa.crt
# openssl s_client -host ipa.mkosek-f21.test -port 443 -CAfile /tmp/ipa.crt
CONNECTED(00000003)
depth=1 O = MKOSEK-F21.TEST, CN = Certificate Authority
verify return:1
depth=0 O = MKOSEK-F21.TEST, CN = ipa.mkosek-f21.test
verify return:1
---
Certificate chain
 0 s:/O=MKOSEK-F21.TEST/CN=ipa.mkosek-f21.test
   i:/O=MKOSEK-F21.TEST/CN=Certificate Authority
 1 s:/O=MKOSEK-F21.TEST/CN=Certificate Authority
   i:/O=MKOSEK-F21.TEST/CN=Certificate Authority
---
Server certificate
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 5A4B326D2E8FB80408D628D1975C49C4F78D3E65F31E475F9E7B9BBBE11F576E
    Session-ID-ctx:
    Master-Key: D5C31E9E36503ADC9F162439B41A7A608260D7DF5EB357FB3D79C9CFAE700912526893E7DD9AA56F5B6CD320FBA98C49
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1418073191
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

> 
> 
> 
> On Fri, Dec 5, 2014 at 7:51 PM, Megan . <nagemnna at gmail.com> wrote:
>> It failed again.
>>
>>
>> [root at cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> [root at cache2-uat ~]#
>>
>> Not sure if it's related, but on the directory server in the apache
>> error.log I see the below every time a client tries to register:
>>
>> [Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL
>> client cannot verify your certificate
>>
>> On the directory server i ran ipa-getcert list and the certs seem ok.
>>
>>
>>
>> On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Megan . wrote:
>>>> Sorry for being unclear. It still fails.  Same error.
>>>
>>> Hmm, strange. Try being explicit about sql:
>>>
>>> # certutil -L -d sql:/etc/pki/nssdb
>>>
>>> And if there is a CA cert there, delete it.
>>>
>>> rob
>>>
>>>>
>>>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>> wrote:
>>>>
>>>>     Megan . wrote:
>>>>     > Thanks.
>>>>     >
>>>>     > I did have an issue last week where i tried to do the client install
>>>>     > and it failed because of a firewall issue.  Networks has it opened
>>>>     > now.  I deleted ca.crt before trying again.  There doesn't seem to be
>>>>     > a certificate in /etc/pki/nssdb for it.
>>>>     >
>>>>     >
>>>>     >
>>>>     > [root at data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>>>>     >
>>>>     > Certificate Nickname                                         Trust Attributes
>>>>     >                                                              SSL,S/MIME,JAR/XPI
>>>>     >
>>>>     > [root at data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>>     > certutil: could not find certificate named "IPA CA":
>>>>     > SEC_ERROR_BAD_DATABASE: security library: bad database.
>>>>     >
>>>>     > [root at data2-uat ipa]# ls
>>>>     > [root at data2-uat ipa]# pwd
>>>>     > /etc/ipa
>>>>     > [root at data2-uat ipa]# ls -al
>>>>     > total 16
>>>>     > drwxr-xr-x.  2 root root  4096 Dec  5 21:16 .
>>>>     > drwxr-xr-x. 82 root root 12288 Dec  5 21:16 ..
>>>>     > [root at data2-uat ipa]#
>>>>
>>>>     So trying to install the client again fails or succeeds now?
>>>>
>>>>     rob
>>>>
>>>>     >
>>>>     > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden
>>>>     <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>>>     >> Rob Crittenden wrote:
>>>>     >>> Megan . wrote:
>>>>     >>>> Good Day!
>>>>     >>>>
>>>>     >>>> I am getting an error when i register new clients.
>>>>     >>>>
>>>>     >>>> libcurl failed to execute the HTTP POST transaction.  SSL connect error
>>>>     >>>>
>>>>     >>>> I can't find anything useful on the internet about the error.  Can
>>>>     >>>> someone help me troubleshoot?
>>>>     >>>>
>>>>     >>>> CentOS 6.6  x64
>>>>     >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>>>     >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>>>     >>>> curl-7.19.7-40.el6_6.1.x86_64
>>>>     >>>
>>>>     >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>>>>     >>> any testing on the client with this set.
>>>>     >>
>>>>     >> Never mind, that's not it. The problem is:
>>>>     >>
>>>>     >> * NSS error -8054
>>>>     >>
>>>>     >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>>>>     >>
>>>>     >> So I'd do this:
>>>>     >>
>>>>     >> # rm /etc/ipa/ca.crt
>>>>     >>
>>>>     >> You may also want to ensure that the IPA CA certificate isn't in
>>>>     >> /etc/pki/nssdb:
>>>>     >>
>>>>     >> # certutil -L -d /etc/pki/nssdb
>>>>     >>
>>>>     >> And then perhaps
>>>>     >>
>>>>     >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>>     >>
>>>>     >> rob
>>>>     >>
>>>>
>>>
> 
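The following is an added example, not code from this thread or from the FreeIPA project. It reproduces Martin's chain check offline with the openssl CLI (openssl verify on files instead of s_client against a live server) and then shows the condition behind the NSS error -8054 Rob identified: a certificate whose issuer DN and serial number match one already in the store while the certificate itself is different. The realm EXAMPLE.TEST, the host name ipa.example.test, the serial numbers and the "re-created CA" scenario (a second CA with the same subject and serial but a new key, standing in for a CA that was reinstalled under the same realm while the client kept a copy of the old one) are assumptions made for the lab. ipa_live_chain_check is the network form of the same check and is not exercised by the lab.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Needs only the openssl CLI.
# Assumed lab values: realm EXAMPLE.TEST, host ipa.example.test, CA serial 1.

# Same check Martin ran with s_client, against a live server: returns 0 when
# the server's chain verifies with the given CA file. Needs network access,
# so the lab below does not call it.
ipa_live_chain_check() {
    host=$1; ca=$2
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$ca" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# File-based equivalent: does the server certificate chain to the CA file?
# Prints "ok" or "fail".
ipa_chain_check() {
    ca=$1; cert=$2
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Returns 0 when two certificates carry the same issuer DN and serial number
# but are not the same certificate. That is what NSS reports as
# SEC_ERROR_REUSED_ISSUER_AND_SERIAL (-8054) when the second one is imported
# into a database that already holds the first.
reused_issuer_and_serial() {
    ida=$(openssl x509 -in "$1" -noout -issuer -serial)
    idb=$(openssl x509 -in "$2" -noout -issuer -serial)
    fpa=$(openssl x509 -in "$1" -noout -sha256 -fingerprint)
    fpb=$(openssl x509 -in "$2" -noout -sha256 -fingerprint)
    if [ "$ida" = "$idb" ] && [ "$fpa" != "$fpb" ]; then
        return 0
    fi
    return 1
}

# Build a throwaway lab in DIR: ca1.crt (realm CA, serial 1), server.crt for
# the HTTP service signed by ca1, and ca2.crt with the same subject and serial
# as ca1 but a fresh key. ca2 stands in for a re-created CA (assumption: e.g.
# the server was reinstalled with the same realm) while the client still has ca1.
make_lab() {
    dir=$1
    subj='/O=EXAMPLE.TEST/CN=Certificate Authority'
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    for n in 1 2; do
        openssl req -x509 -config "$dir/ca.cnf" -extensions ca_ext \
            -newkey rsa:2048 -nodes -sha256 -days 2 -set_serial 1 -subj "$subj" \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.crt" 2>/dev/null
    done
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj '/O=EXAMPLE.TEST/CN=ipa.example.test' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca1.crt" -CAkey "$dir/ca1.key" \
        -set_serial 2 -days 1 -sha256 -out "$dir/server.crt" 2>/dev/null
}

# Walk through the lab.
lab=$(mktemp -d)
make_lab "$lab"
echo "server.crt against ca1.crt: $(ipa_chain_check "$lab/ca1.crt" "$lab/server.crt")"   # ok
echo "server.crt against ca2.crt: $(ipa_chain_check "$lab/ca2.crt" "$lab/server.crt")"   # fail
if reused_issuer_and_serial "$lab/ca1.crt" "$lab/ca2.crt"; then
    echo "ca1.crt/ca2.crt: same issuer and serial, different certificate (-8054 on import)"
fi
rm -rf "$lab"
```

Two practical notes. The ca.crt in Martin's test is fetched over plain HTTP, so "Verify return code: 0 (ok)" only proves the server's chain matches the CA the server handed out; compare that file's SHA-256 fingerprint with /etc/ipa/ca.crt on the server (or a value obtained from the IPA admin) before treating it as the right CA. And if reused_issuer_and_serial flags the client's leftover /etc/ipa/ca.crt against the freshly fetched one, that leftover is the stale copy Rob's "rm /etc/ipa/ca.crt" and certutil -D steps are meant to clear.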



