[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

Alessandro De Maria alessandro.demaria at gmail.com
Mon Nov 7 15:45:34 UTC 2016


Hi Martin,

I tried from the host I am executing the script from, and I get:
certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.


From the FreeIPA server, as I said previously, I get:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C


From the FreeIPA server, I seem to be able to run the script, so we are
definitely on the right track.
How do I get the /etc/httpd/alias/ in sync across these hosts? Can I copy
it, or is there a way to regenerate it?

Regards
Alessandro

On 7 November 2016 at 15:36, Alessandro De Maria <
alessandro.demaria at gmail.com> wrote:

> Hi Martin, this is the output from the id1 host:
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                                 u,u,u
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>
>
> Looks just like you suggested. Any other suggestion?
>
> On 7 November 2016 at 10:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
>
>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>
>>> Hello,
>>>
>>> I have a FreeIPA installation that is working very nicely, we already
>>> have configured many hosts and so far we are quite happy with it.
>>>
>>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>>> freeipa.py script
>>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>>
>>> Unfortunately when I run it, I get the following:
>>>
>>> ipa: ERROR: cert validation failed for
>>> "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>>> certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cert validation failed for
>>> "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>>> certificate issuer has been marked as not trusted by the user.)
>>> Traceback (most recent call last):
>>>   File "./freeipa.py", line 82, in <module>
>>>     api = initialize()
>>>   File "./freeipa.py", line 17, in initialize
>>>     api.Backend.rpcclient.connect()
>>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>>     conn = self.create_connection(*args, **kw)
>>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>>     error=', '.join(urls))
>>> ipalib.errors.NetworkError: cannot connect to 'any of the configured
>>> servers': https://id1.prod.xxxxxxxx.com/ipa/json,
>>> https://id2.prod.xxxxxxxx.com/ipa/json
>>>
>>>
>>> If I curl the URL, it works just fine (I imported the CA Certificate in
>>> the system directory /etc/ssl/certs).
>>>
>>> I have run `openssl s_client` connect and downloaded the remote
>>> certificate locally, then I run:
>>>
>>> # openssl verify cert.pem
>>> # id1.prod.xxxxxxxx.com.pem: OK
>>>
>>>
>>> Would you help me figure out what's going on?
>>>
>>>
>>>
>>> --
>>> Alessandro De Maria
>>> alessandro.demaria at gmail.com
>>>
>>>
>>>
>> Hi Alessandro,
>>
>> This error can mean that the CA certificate in the IPA NSS database has the
>> wrong trust flags set. Please make sure that there is an IPA CA certificate
>> present in /etc/httpd/alias and that it has the trust flags CT,C,C, like this:
>>
>> # certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> <$REALM> IPA CA                                              CT,C,C
>>
>> --
>> Martin^3 Babinsky
>>
>>
>
>
>
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com
>



-- 
Alessandro De Maria
alessandro.demaria at gmail.com
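A check for what Martin describes, added here as an example and not code from the thread or from FreeIPA: it parses `certutil -L` output (including the line-wrapped form pasted above) and reports whether the `<REALM> IPA CA` entry carries the trust flags that a client needs before it will accept the server certificate issuer. The function names and the sample listing are my own.

```python
import re
# certutil -L prints three comma-separated trust columns (SSL, S/MIME, JAR/XPI);
# "C" in the SSL column = trusted CA for issuing server certs, which rpcclient needs.
FLAGS_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")

def parse_certutil_list(text):
    """Return {nickname: trust_flags} from `certutil -L -d <dir>` output; a
    nickname whose flags wrapped onto the next line (as in the pasted listing)
    is joined back together."""
    certs, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line == "SSL,S/MIME,JAR/XPI":
            pending = None  # blank line or column header
            continue
        m = LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("flags")
            pending = None
        elif FLAGS_RE.match(line) and pending:
            certs[pending] = line  # flags alone belong to the nickname above
            pending = None
        else:
            pending = line  # nickname alone; its flags may follow
    return certs

def ipa_ca_trust_problem(certs):
    """None if a '<REALM> IPA CA' entry can vouch for server certs, otherwise
    a description of the defect behind SEC_ERROR_UNTRUSTED_ISSUER."""
    ca = [(n, f) for n, f in certs.items() if n.endswith(" IPA CA")]
    if not ca:
        return "no IPA CA certificate in the database"
    nick, flags = ca[0]
    if "C" not in flags.split(",")[0]:
        return "%s has trust flags %s, expected CT,C,C" % (nick, flags)
    return None

# Constructed sample: the wrapped listing from the thread, plus a copy whose
# CA entry carries no trust flags at all.
SAMPLE_OK = """Certificate Nickname                                         Trust
Attributes

 SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA
                   CT,C,C"""
SAMPLE_BAD = SAMPLE_OK.replace("CT,C,C", ",,")
```

Run it against real output with `parse_certutil_list(subprocess.check_output(["certutil", "-L", "-d", "/etc/httpd/alias"]).decode())`; a non-None result is the trust-flag problem Martin points at.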