[Freeipa-users] Crazy Cert problem?

Janelle janellenicole80 at gmail.com
Wed Jun 17 13:43:40 UTC 2015


On 6/17/15 6:21 AM, Rob Crittenden wrote:
> Janelle wrote:
>> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> Hi,
>>>>
>>>> Had a server - named ipa001.example.com -- it was a replica. It died.
>>>> It was re-installed. However, prior to the re-install it was saying the
>>>> wonderful:
>>>>
>>>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>>>> by the user.
>>>>
>>>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>>>> replica or trying to join it back in to the existing ring of servers)
>>>> and at the end of the ipa-server-install - it gives:
>>>>
>>>> Done.
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Restarting the certificate server
>>>> Restarting the web server
>>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>>> exit status 1
>>>> Configuration of client side components failed!
>>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>>
>>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>>> error????
>>>>
>>>> But this is a brand new system, with brand new OS and the install was
>>>> ipa-server-install to install a clean server.
>>>>
>>>> I don't understand how this is happening. There is no "peer" to be not
>>>> trusted?
>>>
>>> What version of IPA and distro? (I don't think that probably has
>>> anything to do with it, just curious in case it does eventually matter).
>>>
>>> What does /etc/openldap/ldap.conf look like? Normally it should have
>>> TLS_CACERT /etc/ipa/ca.crt
>>>
>>> Any chance you can share the server and client install logs?
>>>
>>> rob
>> 4.1.4 = IPA
>> CentOS 7.1
>>
>> Oooh... Found something:  /etc/openldap/ldap.conf:
>>
>> TLS_CACERTDIR    /etc/openldap/certs
>>
>> Going to investigate.
>> ~J
>>
>
> That should be fine assuming there aren't any certs in there (and on a
> brand new system I'd think you'd have empty NSS databases).
>
> rob
Well I was able to get another server stood up, but now if I go back to
the server I was TRYING to set up and add it as a replica:

<all good to here -- then>
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipa002.example.com':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) 202.161.17.in-addr.arpa.

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
NetworkError: cannot connect to 'ldaps://ipa001.example.com': TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the user.

========================
ipareplica-install.log below:


2015-06-17T13:37:49Z DEBUG group dirsrv exists
2015-06-17T13:37:49Z DEBUG user dirsrv exists
2015-06-17T13:37:49Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 626, in main
    tls_cacertfile=cafile)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 169, in create_connection
    clientctrls=clientctrls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206, in error_handler
    error=info)

2015-06-17T13:37:49Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa001.example.com': TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
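
Added diagnostic helper, not from this thread or from FreeIPA itself: it reads the TLS_CACERT / TLS_CACERTDIR directives Rob asked about from a constructed ldap.conf body and flags a configuration that does not name /etc/ipa/ca.crt as the trust anchor; verify_ldaps_chain (a hypothetical name) is the live openssl check of whether the ldaps server's certificate chains to that bundle, which is the same trust failure the NSS -8172 message reports.

```shell
# Constructed sample ldap.conf body (not the poster's real file).
SAMPLE_CONF='# OpenLDAP client defaults
URI ldaps://ipa001.example.com
BASE dc=example,dc=com
TLS_CACERTDIR    /etc/openldap/certs'

IPA_CA_BUNDLE=/etc/ipa/ca.crt

# Print the effective CA trust directive from an ldap.conf body read on stdin.
# Directive names are case-insensitive; TLS_CACERT takes precedence here, and
# for each directive the last occurrence wins.
ldap_ca_setting() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        toupper($1) == "TLS_CACERT"    { cacert = $2 }
        toupper($1) == "TLS_CACERTDIR" { cadir = $2 }
        END {
            if (cacert != "")     print "TLS_CACERT " cacert
            else if (cadir != "") print "TLS_CACERTDIR " cadir
            else                  print "NONE"
        }'
}

# Exit 0 when the config points at the IPA CA bundle, 1 otherwise; prints the finding.
check_ipa_trust() {
    setting=$(printf '%s\n' "$1" | ldap_ca_setting)
    case "$setting" in
        "TLS_CACERT $IPA_CA_BUNDLE")
            echo "OK: $setting"; return 0 ;;
        TLS_CACERTDIR*)
            echo "WARN: $setting (directory trust store; $IPA_CA_BUNDLE not referenced)"; return 1 ;;
        *)
            echo "WARN: $setting (no IPA CA trust configured)"; return 1 ;;
    esac
}

# Live check (needs network and openssl): exit 0 only if the certificate served
# on port 636 verifies against the IPA CA bundle. Hypothetical helper.
verify_ldaps_chain() {
    host=${1:?usage: verify_ldaps_chain HOST}
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$IPA_CA_BUNDLE" -verify_return_error </dev/null >/dev/null 2>&1
}

# On a real host:
#   check_ipa_trust "$(cat /etc/openldap/ldap.conf)" && verify_ldaps_chain ipa001.example.com
```

A failing verify_ldaps_chain with a passing check_ipa_trust means the server is presenting a certificate from a CA other than the one in /etc/ipa/ca.crt, which is exactly the situation a freshly installed standalone CA produces.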




