[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Fri Feb 14 16:18:27 UTC 2014 

Sigbjorn Lie wrote:
>
>
>
> On Fri, February 14, 2014 15:29, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>
>>>
>>>
>>> It would seem like we're still encountering some issues. The date has now passed for when the
>>> old certificate expired, and the "ipa" cli command no longer works. The webui is still working
>>> just fine.
>>>
>>> These are the errors I receive.
>>>
>>>
>>> $ ipa user-find
>>> ipa: ERROR: cert validation failed for "CN=serveripa03.example.com,O=EXAMPLE.COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
>>> user.) ipa: ERROR: cert validation failed for "CN=serveripa01.example.com,O=EXAMPLE.COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
>>> user.) ipa: ERROR: cert validation failed for "CN=serveripa02.example.com,O=EXAMPLE.COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the
>>> user.) ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa',
>>> localedir=None): https://serveripa03.example.com/ipa/xml,
>>> https://serveripa01.example.com/ipa/xml,
>>> https://serveripa02.example.com/ipa/xml
>>>
>>
>> This seems more like a client-side issue. Can you confirm that
>> /etc/ipa/ca.crt is correct and that the NSS database in /etc/pki/nssdb
>> contains the CA?
>>
>> certutil -L -d /etc/pki/nssdb -n 'IPA CA'
>>
>
>
> The CA seem to be available. I ran the command on ipa01. See below for the output.
>
> The issue happens when I'm logged on to any of the ipa servers, and if I'm running the ipa command
> from a remote machine.
>
>
> ]$ sudo certutil -L -d /etc/pki/nssdb -n 'IPA CA'
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 1 (0x1)
>          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
>          Validity:
>              Not Before: Thu Jan 19 19:44:21 2012
>              Not After : Sun Jan 19 19:44:21 2020
>          Subject: "CN=Certificate Authority,O=EXAMPLE.COM"
>          Subject Public Key Info:
>              Public Key Algorithm: PKCS #1 RSA Encryption
>              RSA Public Key:
>                  Modulus:

Perhaps we can brute force things to see what is going on. We can pass 
some extra options to the ipa tool to get ultra verbose output:

$ ipa -vv -e debug=True user-show admin

The thing to do is to check the server that it is communicating with and 
check /var/log/httpd/errors to see if there is an equivalent error 
logged there.

rob

More information about the Freeipa-users mailing list