[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Alessandro De Maria
alessandro.demaria at gmail.com
Fri Nov 4 15:52:58 UTC 2016
Hello,
I have a FreeIPA installation that is working very nicely; we have already
configured many hosts and so far we are quite happy with it.
I was trying to connect Ansible to fetch hosts from FreeIPA using the
freeipa.py script
(https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py).
Unfortunately, when I run it, I get the following:
ipa: ERROR: cert validation failed for "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Traceback (most recent call last):
  File "./freeipa.py", line 82, in <module>
    api = initialize()
  File "./freeipa.py", line 17, in initialize
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
    error=', '.join(urls))
ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json
If I curl the URL, it works just fine (I imported the CA certificate into
the system directory /etc/ssl/certs).
I have run `openssl s_client` to connect and downloaded the remote certificate
locally, then I ran:
# openssl verify cert.pem
# id1.prod.xxxxxxxx.com.pem: OK
Would you help me figure out what's going on?
--
Alessandro De Maria
alessandro.demaria at gmail.com