[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

Alessandro De Maria alessandro.demaria at gmail.com
Tue Nov 8 09:13:10 UTC 2016


Hello Martin,

still no luck unfortunately.

The client is an ubuntu 14.04 server, and I believe it is enrolled already.

The /etc/ipa/ca.pem is correct and already installed, and I even added it
to the /etc/ssl/certs directory (which is why my curl command in the first
email does not complain).

Commands like *kinit* work just fine, and I have never experienced a
problem which would make me doubt the enrollment of this client.


I ran the following commands:
# mkdir /etc/ipa/nssdb
# certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
# chmod +r /etc/ipa/nssdb/*
# certutil -L -d /etc/ipa/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PROD.XXXXXXXX.COM IPA CA                                     CT,C,C

But I am still unable to run the script.
Is there anything else I need to do? Do I need to restart some components?
Any log I could look into?

Thank you


On 8 November 2016 at 07:56, Martin Babinsky <mbabinsk at redhat.com> wrote:

> On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
>
>> Hi Martin,
>>
>> I tried from the host I am executing the script from, and I get:
>> certutil -L -d /etc/httpd/alias/
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>> certificate/key database is in an old, unsupported format.
>>
>>
>> From the FreeIPA server, as I said previously, I get:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>>
>>
>> From the FreeIPA server, I seem to be able to run the script, so we are
>> definitely on the right track.
>> How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
>> copy it, or is there a way to regenerate it?
>>
>> Regards
>> Alessandro
>>
>> On 7 November 2016 at 15:36, Alessandro De Maria
>> <alessandro.demaria at gmail.com <mailto:alessandro.demaria at gmail.com>>
>> wrote:
>>
>>     Hi Martin, this is the output from the id1 host:
>>
>>     certutil -L -d /etc/httpd/alias/
>>
>>     Certificate Nickname                                         Trust Attributes
>>                                                                  SSL,S/MIME,JAR/XPI
>>
>>     Signing-Cert                                                 u,u,u
>>     ipaCert                                                      u,u,u
>>     Server-Cert                                                  u,u,u
>>     PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>>
>>
>>     looks just like you suggested. Any other suggestion?
>>
>>     On 7 November 2016 at 10:56, Martin Babinsky <mbabinsk at redhat.com
>>     <mailto:mbabinsk at redhat.com>> wrote:
>>
>>         On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>
>>             Hello,
>>
>>             I have a FreeIPA installation that is working very nicely,
>>             we already
>>             have configured many hosts and so far we are quite happy
>>             with it.
>>
>>             I was trying to connect Ansible to fetch hosts from FreeIPA
>>             using the freeipa.py script
>>             (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>
>>
>>             Unfortunately when I run it, I get the following:
>>
>>             ipa: ERROR: cert validation failed for "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>             ipa: ERROR: cert validation failed for "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>             Traceback (most recent call last):
>>               File "./freeipa.py", line 82, in <module>
>>                 api = initialize()
>>               File "./freeipa.py", line 17, in initialize
>>                 api.Backend.rpcclient.connect()
>>               File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>                 conn = self.create_connection(*args, **kw)
>>               File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>                 error=', '.join(urls))
>>             ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json
>>
>>
>>             If I curl the URL, it works just fine (I imported the CA
>>             certificate into the system directory /etc/ssl/certs).
>>
>>             I have run `openssl s_client` connect and downloaded the remote
>>             certificate locally, then I ran:
>>
>>             # openssl verify cert.pem
>>             # id1.prod.xxxxxxxx.com.pem: OK
>>
>>
>>             Would you help me figure out what's going on?
>>
>>
>>
>>             --
>>             Alessandro De Maria
>>             alessandro.demaria at gmail.com
>>
>>
>>
>>         Hi Alessandro,
>>
>>         this error can mean that the CA certificate in the IPA NSS database
>>         has wrong trust flags set. Please make sure that the IPA CA
>>         certificate is present in /etc/httpd/alias and that it has trust
>>         flags CT,C,C, like this:
>>
>>         # certutil -L -d /etc/httpd/alias/
>>
>>         Certificate Nickname                                         Trust Attributes
>>                                                                      SSL,S/MIME,JAR/XPI
>>
>>         ipaCert                                                      u,u,u
>>         Server-Cert                                                  u,u,u
>>         <$REALM> IPA CA                                              CT,C,C
>>
>>         --
>>         Martin^3 Babinsky
>>
>>
>>
>>
>>
>>     --
>>     Alessandro De Maria
>>     alessandro.demaria at gmail.com
>>
>>
>>
>>
>> --
>> Alessandro De Maria
>> alessandro.demaria at gmail.com
>>
>
> Alessandro,
>
> I have just realized that this may be a client-side problem. On the executor
> you may need to import the CA certificate from the IPA server into the local
> /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.
>
> Or you can just enroll the node as IPA client and it will set up all this
> stuff for you.
>
> --
> Martin^3 Babinsky
>



-- 
Alessandro De Maria
alessandro.demaria at gmail.com
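As an added example (not code from this thread, from FreeIPA, or from the Ansible freeipa.py inventory script): a small Python helper that parses the output of `certutil -L -d <nssdb>` and reports whether a `<REALM> IPA CA` entry is present with the trusted-CA flag in every slot, the `CT,C,C` state Martin asked to verify. It also distinguishes the two failure modes discussed above: no CA entry at all (the client has no anchor for the server certificate's issuer) versus an entry whose trust slots lack `C`. The sample listing, the `PROD.EXAMPLE.COM` realm, and the function names are constructed for this example; the only real command it invokes is `certutil -L -d`, as used in the thread.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d <nssdb>` output, modelled on the
# listings in the thread. The realm is a placeholder, not a real deployment.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      CT,C,C
"""

# One certificate line: a nickname, whitespace, then three comma-separated
# trust-flag slots (SSL, S/MIME, JAR/XPI). A slot may be empty.
_CERT_LINE = re.compile(
    r'^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$')

TRUST_SLOTS = ('SSL', 'S/MIME', 'JAR/XPI')


def parse_certutil_listing(text):
    """Map nickname -> trust string, skipping certutil's two header lines."""
    certs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith('Certificate Nickname')
                or 'SSL,S/MIME,JAR/XPI' in line):
            continue
        match = _CERT_LINE.match(line)
        if match:
            certs[match.group('nick').strip()] = match.group('trust')
    return certs


def ca_trust_problems(certs, ca_suffix=' IPA CA'):
    """Return a list of problems with the IPA CA entry; empty means OK.

    OK means an entry nicknamed '<REALM> IPA CA' (hypothetical suffix match,
    following the nickname convention shown in the thread) exists and each of
    its three trust slots carries 'C' (trusted CA), i.e. CT,C,C or stronger.
    A missing entry and a 'u,u,u' entry are both reported, since either leaves
    the HTTPS server certificate's issuer untrusted on the client.
    """
    ca_entries = dict((n, t) for n, t in certs.items() if n.endswith(ca_suffix))
    if not ca_entries:
        return ["no certificate with nickname ending in '%s' in the database"
                % ca_suffix]
    problems = []
    for nick, trust in sorted(ca_entries.items()):
        for slot_name, flags in zip(TRUST_SLOTS, trust.split(',')):
            if 'C' not in flags:
                problems.append(
                    "%s: %s trust slot is '%s', expected the 'C' (trusted CA) flag"
                    % (nick, slot_name, flags))
    return problems


def check_nssdb(path):
    """Run `certutil -L -d <path>` against a real NSS database and report."""
    listing = subprocess.check_output(['certutil', '-L', '-d', path])
    return ca_trust_problems(
        parse_certutil_listing(listing.decode('utf-8', 'replace')))


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        problems = check_nssdb(sys.argv[1])          # e.g. /etc/ipa/nssdb
    else:
        problems = ca_trust_problems(parse_certutil_listing(SAMPLE_LISTING))
    for problem in problems:
        print('PROBLEM: ' + problem)
    if not problems:
        print('IPA CA entry present with trusted-CA flag in every slot')
```

Run without arguments it checks the constructed sample; run as `python check_nssdb.py /etc/ipa/nssdb` it inspects a real database (the file name is hypothetical). It only reads the listing, so it is safe to run on an enrolled client before and after an import like the `certutil -A ... -t CT,C,C` shown above.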