[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

Martin Babinsky mbabinsk at redhat.com
Tue Nov 8 07:56:41 UTC 2016


On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> Hi Martin,
>
> I tried from the host I am executing the script from, and I get:
> certutil -L -d /etc/httpd/alias/
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.
>
>
> From the FreeIPA server, as I said previously, I get:
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                                 u,u,u
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>
>
> From the FreeIPA server, I seem to be able to run the script, so we are
> definitely on the right track.
> How do I get the /etc/httpd/alias/ in sync across these hosts? can I
> copy it, or is there a way to regenerate it?
>
> Regards
> Alessandro
>
> On 7 November 2016 at 15:36, Alessandro De Maria
> <alessandro.demaria at gmail.com> wrote:
>
>     Hi Martin, this is the output from the id1 host:
>
>     certutil -L -d /etc/httpd/alias/
>
>     Certificate Nickname                                         Trust Attributes
>                                                                  SSL,S/MIME,JAR/XPI
>
>     Signing-Cert                                                 u,u,u
>     ipaCert                                                      u,u,u
>     Server-Cert                                                  u,u,u
>     PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>
>
>     looks just like you suggested. Any other suggestion?
>
>     On 7 November 2016 at 10:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
>
>         On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>
>             Hello,
>
>             I have a FreeIPA installation that is working very nicely,
>             we already
>             have configured many hosts and so far we are quite happy
>             with it.
>
>             I was trying to connect Ansible to fetch hosts from FreeIPA
>             using the
>             freeipa.py script
>             (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>
>             Unfortunately when I run it, I get the following:
>
>             ipa: ERROR: cert validation failed for
>             "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>             certificate issuer has been marked as not trusted by the user.)
>             ipa: ERROR: cert validation failed for
>             "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>             certificate issuer has been marked as not trusted by the user.)
>             Traceback (most recent call last):
>               File "./freeipa.py", line 82, in <module>
>                 api = initialize()
>               File "./freeipa.py", line 17, in initialize
>                 api.Backend.rpcclient.connect()
>               File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>                 conn = self.create_connection(*args, **kw)
>               File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>                 error=', '.join(urls))
>             ipalib.errors.NetworkError: cannot connect to 'any of the configured
>             servers': https://id1.prod.xxxxxxxx.com/ipa/json,
>             https://id2.prod.xxxxxxxx.com/ipa/json
>
>
>             If I curl the URL, it works just fine ( I imported the CA
>             Certificate in
>             the system directory /etc/ssl/certs).
>
>             I have run `openssl s_client` connect and downloaded the remote
>             certificate locally, then I run:
>
>             # openssl verify cert.pem
>             # id1.prod.xxxxxxxx.com.pem: OK
>
>
>             Would you help me figure out what's going on?
>
>
>
>             --
>             Alessandro De Maria
>             alessandro.demaria at gmail.com
>
>
>
>         Hi Alessandro,
>
>         this error can mean that the CA certificate in IPA NSS database
>         has wrong trust flags set. Please make sure that there is IPA CA
>         certificate present on /etc/httpd/alias and it has trust flags
>         CT,C,C like this:
>
>         # certutil -L -d /etc/httpd/alias/
>
>         Certificate Nickname                                         Trust Attributes
>                                                                      SSL,S/MIME,JAR/XPI
>
>         ipaCert                                                      u,u,u
>         Server-Cert                                                  u,u,u
>         <$REALM> IPA CA                                              CT,C,C
>
>         --
>         Martin^3 Babinsky
>
>         --
>         Manage your subscription for the Freeipa-users mailing list:
>         https://www.redhat.com/mailman/listinfo/freeipa-users
>         Go to http://freeipa.org for more info on the project
>
>
>
>
>     --
>     Alessandro De Maria
>     alessandro.demaria at gmail.com
>
>
>
>
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com

Alessandro,

I have just realized that this may be a client-side problem. On the 
executor you may need to import the CA certificate from the IPA server into the 
local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.

Or you can just enroll the node as an IPA client and it will set up all 
this for you.

-- 
Martin^3 Babinsky
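As an added illustration of the check discussed in this thread (this is not code from the thread, from FreeIPA or from the Ansible inventory script): the script below parses `certutil -L` output and reports whether the IPA CA is present with the CT,C,C trust flags Martin asked for. It assumes the CA is stored under the nickname `<REALM> IPA CA`, as in the output Alessandro posted, and that `/etc/ipa/nssdb` is the client-side database to check; the sample output embedded in it is constructed from the thread.

```python
import re
import subprocess
from typing import Dict, List, NamedTuple

# Constructed sample, based on the certutil -L output quoted in this thread
# (real certutil keeps each nickname and its trust flags on one line).
SAMPLE_CERTUTIL_OUTPUT = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
"""

# Trust flags Martin recommended for the IPA CA entry.
RECOMMENDED_CA_TRUST = ("CT", "C", "C")

# A data line is "<nickname, may contain spaces>   <ssl>,<smime>,<jar>";
# any of the three columns may be empty, so the flags are matched from the end.
_LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*)$"
)


class TrustFlags(NamedTuple):
    ssl: str
    smime: str
    jar: str


def parse_certutil_list(text: str) -> Dict[str, TrustFlags]:
    """Parse `certutil -L -d <dbdir>` output into {nickname: TrustFlags}."""
    certs: Dict[str, TrustFlags] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line == "SSL,S/MIME,JAR/XPI":
            continue  # header lines
        m = _LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = TrustFlags(m.group("ssl"), m.group("smime"), m.group("jar"))
    return certs


def diagnose(certutil_output: str) -> List[str]:
    """Return a list of problems with the IPA CA entry; an empty list means it looks fine."""
    certs = parse_certutil_list(certutil_output)
    # Assumption: the CA is stored under the nickname "<REALM> IPA CA", as in the thread.
    ca_entries = [(n, f) for n, f in certs.items() if n.endswith("IPA CA")]
    if not ca_entries:
        return ["no '<REALM> IPA CA' certificate in the database; import /etc/ipa/ca.crt"]
    problems: List[str] = []
    for nick, flags in ca_entries:
        if "C" not in flags.ssl:
            # Without 'C' in the SSL column NSS does not treat this CA as a trusted
            # issuer of server certificates, which is the failure mode in this thread.
            problems.append(f"{nick!r}: SSL trust column is {flags.ssl!r}, missing 'C'")
        if tuple(flags) != RECOMMENDED_CA_TRUST:
            problems.append(f"{nick!r}: trust flags {','.join(flags)} differ from recommended CT,C,C")
    return problems


def diagnose_nssdb(dbdir: str = "/etc/ipa/nssdb") -> List[str]:
    """Run certutil on a real NSS database directory and diagnose it (needs nss-tools installed)."""
    proc = subprocess.run(["certutil", "-L", "-d", dbdir], capture_output=True, text=True)
    if proc.returncode != 0:
        # e.g. SEC_ERROR_LEGACY_DATABASE, as seen on the executor host in this thread
        return [f"certutil failed for {dbdir}: {proc.stderr.strip()}"]
    return diagnose(proc.stdout)


if __name__ == "__main__":
    # Offline demo on the constructed sample. To fix a real database, the certutil
    # invocation that imports the CA with the recommended flags would be:
    #   certutil -A -d /etc/ipa/nssdb -n "$REALM IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
    for line in diagnose(SAMPLE_CERTUTIL_OUTPUT) or ["IPA CA present with CT,C,C trust flags"]:
        print(line)
```

Run it as-is to see the parser on the sample, or call `diagnose_nssdb("/etc/ipa/nssdb")` (or `/etc/httpd/alias` on a server) to check a live database; a non-empty list names the entry and the column that is off.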
