[Freeipa-users] can't register new clients
Martin Kosek
mkosek at redhat.com
Tue Dec 9 09:18:42 UTC 2014
On 12/08/2014 08:00 PM, Megan . wrote:
> I looked through the logs on the server and i see the below error in
> the apache error log when i try to register a client:
>
> [Mon Dec 08 12:20:38 2014] [error] SSL Library Error: -12195 Peer does
> not recognize and trust the CA that issued your certificate
>
>
> I ran ipa-getcert list and everything seems ok (nothing expired) but
> i'm not sure where to troubleshoot from here.
The next step would be to check the actual HTTP certificate (on the client
machine) and see what's wrong. I did a simple test you can follow:
# wget http://ipa.mkosek-f21.test/ipa/config/ca.crt -O /tmp/ipa.crt
# openssl s_client -host ipa.mkosek-f21.test -port 443 -CAfile /tmp/ipa.crt
CONNECTED(00000003)
depth=1 O = MKOSEK-F21.TEST, CN = Certificate Authority
verify return:1
depth=0 O = MKOSEK-F21.TEST, CN = ipa.mkosek-f21.test
verify return:1
---
Certificate chain
0 s:/O=MKOSEK-F21.TEST/CN=ipa.mkosek-f21.test
i:/O=MKOSEK-F21.TEST/CN=Certificate Authority
1 s:/O=MKOSEK-F21.TEST/CN=Certificate Authority
i:/O=MKOSEK-F21.TEST/CN=Certificate Authority
---
Server certificate
...
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 5A4B326D2E8FB80408D628D1975C49C4F78D3E65F31E475F9E7B9BBBE11F576E
Session-ID-ctx:
Master-Key: D5C31E9E36503ADC9F162439B41A7A608260D7DF5EB357FB3D79C9CFAE700912526893E7DD9AA56F5B6CD320FBA98C49
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1418073191
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
>
>
>
> On Fri, Dec 5, 2014 at 7:51 PM, Megan . <nagemnna at gmail.com> wrote:
>> It failed again.
>>
>>
>> [root at cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb
>>
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>> [root at cache2-uat ~]#
>>
>> Not sure if it's related, but on the directory server in the apache
>> error.log I see the below every time a client tries to register:
>>
>> [Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL
>> client cannot verify your certificate
>>
>> On the directory server i ran ipa-getcert list and the certs seem ok.
>>
>>
>>
>> On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Megan . wrote:
>>>> Sorry for being unclear. It still fails. Same error.
>>>
>>> Hmm, strange. Try being explicit about sql:
>>>
>>> # certutil -L -d sql:/etc/pki/nssdb
>>>
>>> And if there is a CA cert there, delete it.
>>>
>>> rob
>>>
>>>>
>>>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>> wrote:
>>>>
>>>> Megan . wrote:
>>>> > Thanks.
>>>> >
>>>> > I did have an issue last week where i tried to do the client install
>>>> > and it failed because of a firewall issue. Networks has it opened
>>>> > now. I deleted ca.crt before trying again. There doesn't seem to be
>>>> > a certificate in /etc/pki/nssdb for it.
>>>> >
>>>> >
>>>> >
>>>> > [root at data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>>>> >
>>>> >
>>>> > Certificate Nickname                                 Trust Attributes
>>>> >                                                      SSL,S/MIME,JAR/XPI
>>>> >
>>>> >
>>>> > [root at data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>> >
>>>> > certutil: could not find certificate named "IPA CA":
>>>> > SEC_ERROR_BAD_DATABASE: security library: bad database.
>>>> >
>>>> > [root at data2-uat ipa]# ls
>>>> >
>>>> > [root at data2-uat ipa]# pwd
>>>> >
>>>> > /etc/ipa
>>>> >
>>>> > [root at data2-uat ipa]# ls -al
>>>> >
>>>> > total 16
>>>> >
>>>> > drwxr-xr-x. 2 root root 4096 Dec 5 21:16 .
>>>> >
>>>> > drwxr-xr-x. 82 root root 12288 Dec 5 21:16 ..
>>>> >
>>>> > [root at data2-uat ipa]#
>>>>
>>>> So trying to install the client again fails or succeeds now?
>>>>
>>>> rob
>>>>
>>>> >
>>>> > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden
>>>> <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>>> >> Rob Crittenden wrote:
>>>> >>> Megan . wrote:
>>>> >>>> Good Day!
>>>> >>>>
>>>> >>>> I am getting an error when i register new clients.
>>>> >>>>
>>>> >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>>>> >>>>
>>>> >>>> I can't find anything useful on the internet about the error. Can
>>>> >>>> someone help me troubleshoot?
>>>> >>>>
>>>> >>>> CentOS 6.6 x64
>>>> >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>>> >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>>> >>>> curl-7.19.7-40.el6_6.1.x86_64
>>>> >>>
>>>> >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>>>> >>> any testing on the client with this set.
>>>> >>
>>>> >> Never mind, that's not it. The problem is:
>>>> >>
>>>> >> * NSS error -8054
>>>> >>
>>>> >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>>>> >>
>>>> >> So I'd do this:
>>>> >>
>>>> >> # rm /etc/ipa/ca.crt
>>>> >>
>>>> >> You may also want to ensure that the IPA CA certificate isn't in
>>>> >> /etc/pki/nssdb:
>>>> >>
>>>> >> # certutil -L -d /etc/pki/nssdb
>>>> >>
>>>> >> And then perhaps
>>>> >>
>>>> >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>> >>
>>>> >> rob
>>>> >>
>>>>
>>>
>
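The thread above boils down to one trust check: the client validates the server's HTTPS certificate against its local copy of the IPA CA (/etc/ipa/ca.crt), and a stale copy left over from an earlier install has the same subject name but a different key, so validation fails even though every certificate "looks ok". The script below is an added example, not from the thread or from FreeIPA; it builds a throwaway CA, a server certificate, and a second "stale" CA with an identical subject, then runs the same path validation that Martin's `openssl s_client -CAfile` check performs, plus the fingerprint comparison a practitioner would use to tell the two CA copies apart. The names EXAMPLE.TEST and ipa.example.test and the temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "peer does not trust the CA"
# failure offline with openssl only. EXAMPLE.TEST / ipa.example.test are
# constructed names; nothing here touches a real IPA installation.

WORK="$(mktemp -d)"

# make_ca NAME: create a self-signed CA. Every call uses the same subject, so
# two CAs made this way are indistinguishable by name but have different keys,
# which is exactly what a ca.crt left over from an earlier install looks like.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" >/dev/null 2>&1
}

# issue_server NAME: issue the server's HTTPS certificate, signed by CA NAME.
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_with NAME: validate server.crt against CA NAME's certificate, the same
# path validation `openssl s_client -CAfile` performs. Exit status 0 = trusted.
verify_with() {
    openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# fingerprint NAME: SHA-256 fingerprint of CA NAME's certificate. Comparing this
# value on client and server is the quickest way to spot a stale ca.crt, since
# subject names alone cannot distinguish the two copies.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1-ca.crt" | sed 's/^.*=//'
}

# demo: the server certificate verifies against the CA that issued it, but not
# against a stale CA that merely shares its subject. Returns 0 when both hold.
demo() {
    make_ca current      || return 1
    issue_server current || return 1
    if verify_with current; then
        echo "current CA: server certificate verifies (ok)"
    else
        echo "current CA: unexpected verification failure"; return 1
    fi
    make_ca stale || return 1          # same subject, different key
    if verify_with stale; then
        echo "stale CA:   unexpectedly trusted"; return 1
    else
        echo "stale CA:   verification fails, as on the failing client"
    fi
    echo "current CA fingerprint: $(fingerprint current)"
    echo "stale CA fingerprint:   $(fingerprint stale)"
}

demo
```

On a real client the equivalent comparison is `openssl x509 -noout -fingerprint -sha256 -in /etc/ipa/ca.crt` against the same command run on the CA certificate fetched from the server, which is the check to run before deleting and re-fetching ca.crt as the thread suggests.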