[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

Martin Babinsky mbabinsk at redhat.com
Mon Nov 7 10:56:52 UTC 2016


On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
> Hello,
>
> I have a FreeIPA installation that is working very nicely, we already
> have configured many hosts and so far we are quite happy with it.
>
> I was trying to connect Ansible to fetch hosts from FreeIPA using the
> freeipa.py script
> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>
> Unfortunately when I run it, I get the following:
>
> ipa: ERROR: cert validation failed for
> "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cert validation failed for
> "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.)
> Traceback (most recent call last):
>   File "./freeipa.py", line 82, in <module>
>     api = initialize()
>   File "./freeipa.py", line 17, in initialize
>     api.Backend.rpcclient.connect()
>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>     error=', '.join(urls))
> ipalib.errors.NetworkError: cannot connect to 'any of the configured
> servers': https://id1.prod.xxxxxxxx.com/ipa/json,
> https://id2.prod.xxxxxxxx.com/ipa/json
>
>
> If I curl the URL, it works just fine (I imported the CA certificate into
> the system directory /etc/ssl/certs).
>
> I have run `openssl s_client` connect and downloaded the remote
> certificate locally, then I ran:
>
> # openssl verify cert.pem
> # id1.prod.xxxxxxxx.com.pem: OK
>
>
> Would you help me figure out what's going on?
>
>
>
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com
>
>

Hi Alessandro,

this error can mean that the CA certificate in the IPA NSS database has 
wrong trust flags set. Please make sure that the IPA CA certificate is 
present in /etc/httpd/alias and that it has the trust flags CT,C,C, like this:

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
<$REALM> IPA CA                                              CT,C,C

-- 
Martin^3 Babinsky
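As an added illustration of the check Martin describes (this is not code from the thread or from FreeIPA), the script below parses a `certutil -L` listing of an NSS database and reports whether the entry whose nickname ends in "IPA CA" carries the CT,C,C trust flags. The three listings embedded in it are constructed samples; the realm name EXAMPLE.COM and the ",," flags in the bad sample are assumptions for the sake of the demo. Against a real server you would feed it the live listing with `certutil -L -d /etc/httpd/alias/ | check_ipa_ca_trust`.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Checks that the "<REALM> IPA CA" entry in a `certutil -L` listing has the
# trust flags CT,C,C (trusted CA for SSL, S/MIME and code signing).

# check_ipa_ca_trust: reads a `certutil -L` listing on stdin.
# Exit status: 0 = IPA CA present with CT,C,C
#              1 = IPA CA present but with other trust flags
#              2 = no IPA CA entry found at all
check_ipa_ca_trust() {
    awk '
        # Skip the two header lines and blank lines of the certutil listing.
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[[:space:]]*$/ { next }
        {
            flags = $NF                      # trust column, e.g. "u,u,u" or "CT,C,C"
            nick = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", nick)   # strip the trust column
            if (nick ~ /IPA CA$/) { found = 1; seen = flags }
        }
        END {
            if (!found) { print "no IPA CA entry found in NSS database"; exit 2 }
            if (seen == "CT,C,C") { print "IPA CA trust flags OK (CT,C,C)"; exit 0 }
            print "IPA CA has trust flags \"" seen "\" instead of CT,C,C"; exit 1
        }'
}

# trust_status_code: same check on a listing passed as a string; prints the
# exit status instead of returning it so callers under `set -e` stay alive.
trust_status_code() {
    rc=0
    printf '%s\n' "$1" | check_ipa_ca_trust >/dev/null || rc=$?
    echo "$rc"
}

# Constructed sample listings (the layout mirrors real certutil -L output).
good_listing='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C'

bad_listing='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           ,,'

missing_listing='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u'

# Demo run over the three samples; `|| true` keeps a non-zero status from
# aborting the script when it is run with `set -e`.
printf '%s\n' "$good_listing"    | check_ipa_ca_trust || true
printf '%s\n' "$bad_listing"     | check_ipa_ca_trust || true
printf '%s\n' "$missing_listing" | check_ipa_ca_trust || true

# On a real server the listing comes straight from the database:
#   certutil -L -d /etc/httpd/alias/ | check_ipa_ca_trust
# If the flags are wrong, certutil's -M (modify trust) option sets them:
#   certutil -M -d /etc/httpd/alias/ -n "<REALM> IPA CA" -t "CT,C,C"
```

The nickname is matched on its "IPA CA" suffix because the realm part varies per installation; the exit codes distinguish "present but mistrusted" (the SEC_ERROR_UNTRUSTED_ISSUER case from the thread) from "absent", which needs a different fix (re-importing the CA certificate).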
