[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Tue Feb 18 19:45:52 UTC 2014


Sigbjorn Lie wrote:
>> On what machine are you trying to use the ipa tool? Is it one of the
>> masters, all of them, enrolled clients?
>>
>
> It's the same error message when the "ipa" command is run directly on any of the masters.
>
> And it's the same error message if I run the "ipa" command on any of the clients.
>
> I do not have a working "ipa" command anywhere anymore.

Ok, let's test out the cert that ipa is using. Try this on any one of 
the masters:

$ curl https://`hostname`/ipa/xml
Should fail with "Peer certificate cannot be authenticated with known CA certificates"

$ curl --cacert /etc/ipa/ca.crt https://`hostname`/ipa/xml
Should succeed in that you get the "you are not logged in" HTML page

Ok, now unfortunately curl only handles the sql-style NSS databases so 
we can't fully reproduce it the same way that the IPA client is doing 
things, but here is an approximation:

# certutil -A -d sql:/etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
$ curl https://`hostname`/ipa/xml
You should see the login page HTML

If you stick a -v in there it'll give you more verbose output which 
would be useful if any of these fail in an unexpected way.

>> Whatever is going on isn't likely related to the web server Apache
>> database as you get the same error out of each one. The client log you sent confirmed that it tried
>> to contact each master. The SSL error we're getting is that the client doesn't trust the CA that
>> signed the server certificate so this appears to be a problem on the client, which begs the
>> question: all clients or just this one?
>>
>
> All clients.
>
>
>>
>> NSS is smart enough to handle multiple certificates, it should pick the
>> newest one on startup.
>>
>
> Ok.
>
> Where do you suggest I continue troubleshooting this issue?

We can also tackle this on the server side. Let's verify the server cert:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias

This is verified on server startup so I expect it to be valid, but 
doesn't hurt to try.

Restarting the Apache process might be something to try as changes to 
the NSS database aren't picked up until a restart.
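As an added diagnostic script (my own code, not from this thread or the FreeIPA project): it runs the two curl probes from the message, maps curl's exit status to a verdict, and additionally checks that the 'IPA CA' entry in the client NSS database has the same SHA-256 fingerprint as /etc/ipa/ca.crt, which tells you whether the client trusts the same CA the file carries. It assumes curl, openssl and certutil are installed and uses the paths and nickname quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks that the CA the
# client NSS database trusts is the same CA as /etc/ipa/ca.crt and turns
# curl's exit status into a plain verdict. Assumes curl, openssl and
# certutil are installed; the nickname 'IPA CA' and the paths are the
# ones used in the thread.

# Map curl's exit status to a verdict. 60 is "peer certificate cannot be
# authenticated with known CA certificates"; 51 is the pre-7.62 code for
# a failed peer/hostname check; 35 is a TLS handshake failure; 7 is no TCP.
classify_curl_exit() {
    case "$1" in
        0)  echo "ok" ;;
        60) echo "untrusted-ca" ;;
        51) echo "peer-verification-failed" ;;
        35) echo "handshake-failed" ;;
        7)  echo "connect-failed" ;;
        *)  echo "curl-exit-$1" ;;
    esac
}

# Normalize an openssl fingerprint line ("sha256 Fingerprint=AB:CD:...")
# to bare uppercase hex so the two tools' output can be compared.
normalize_fp() {
    printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

pem_fingerprint() {   # stdin: one PEM certificate
    normalize_fp "$(openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}

# Compare the 'IPA CA' entry in the client NSS db with /etc/ipa/ca.crt.
nss_ca_matches_file() {
    nss=$(certutil -L -d sql:/etc/pki/nssdb -n 'IPA CA' -a 2>/dev/null | pem_fingerprint)
    file=$(pem_fingerprint < /etc/ipa/ca.crt)
    [ -n "$nss" ] && [ -n "$file" ] && [ "$nss" = "$file" ]
}

# Probe one master the way the thread does: system trust, then the IPA CA file.
probe_master() {
    host=$1
    curl -s -o /dev/null "https://$host/ipa/xml"; echo "system trust: $(classify_curl_exit $?)"
    curl -s -o /dev/null --cacert /etc/ipa/ca.crt "https://$host/ipa/xml"; echo "/etc/ipa/ca.crt: $(classify_curl_exit $?)"
    if nss_ca_matches_file; then echo "NSS 'IPA CA' matches /etc/ipa/ca.crt"; else echo "NSS 'IPA CA' missing or differs from /etc/ipa/ca.crt"; fi
}

if [ $# -gt 0 ]; then probe_master "$1"; fi
```

Run it as `sh probe.sh $(hostname)` on a master; add `-v` to the curl lines if a probe fails in a way the verdict does not explain.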
