[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Alessandro De Maria
alessandro.demaria at gmail.com
Tue Nov 8 09:13:10 UTC 2016
Hello Martin,
still no luck unfortunately.
The client is an ubuntu 14.04 server, and I believe it is enrolled already.
The /etc/ipa/ca.pem is correct and already installed, and I even added it
to the /etc/ssl/certs directory (which is why my curl command in the first
email does not complain)
Commands like *kinit* work just fine, and I have never experienced a
problem which would make me doubt the enrollment of this client.
I ran the following commands:
# mkdir /etc/ipa/nssdb
# certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
# chmod +r /etc/ipa/nssdb/*
# certutil -L -d /etc/ipa/nssdb
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
PROD.XXXXXXXX.COM IPA CA                      CT,C,C
But I am still unable to run the script.
Is there anything else I need to do? Do I need to restart some components?
Any log I could look into?
Thank you
On 8 November 2016 at 07:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
> On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
>
>> Hi Martin,
>>
>> I tried from the host I am executing the script from, and I get:
>>
>> certutil -L -d /etc/httpd/alias/
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>> certificate/key database is in an old, unsupported format.
>>
>> From the FreeIPA server, as I said previously, I get:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                  u,u,u
>> ipaCert                                       u,u,u
>> Server-Cert                                   u,u,u
>> PROD.XXXXXXXXXXXXX.COM IPA CA                 CT,C,C
>>
>> From the FreeIPA server, I seem to be able to run the script, so we are
>> definitely on the right track.
>> How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
>> copy it, or is there a way to regenerate it?
>>
>> Regards
>> Alessandro
>>
>> On 7 November 2016 at 15:36, Alessandro De Maria
>> <alessandro.demaria at gmail.com> wrote:
>>
>>> Hi Martin, this is the output from the id1 host:
>>>
>>> certutil -L -d /etc/httpd/alias/
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> Signing-Cert                                  u,u,u
>>> ipaCert                                       u,u,u
>>> Server-Cert                                   u,u,u
>>> PROD.XXXXXXXXXXXXX.COM IPA CA                 CT,C,C
>>>
>>> looks just like you suggested. Any other suggestion?
>>>
>>> On 7 November 2016 at 10:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
>>>
>>>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I have a FreeIPA installation that is working very nicely, we already
>>>>> have configured many hosts and so far we are quite happy with it.
>>>>>
>>>>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>>>>> freeipa.py script
>>>>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>>>>
>>>>> Unfortunately when I run it, I get the following:
>>>>>
>>>>> ipa: ERROR: cert validation failed for
>>>>> "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>>>>> Peer's certificate issuer has been marked as not trusted by the user.)
>>>>> ipa: ERROR: cert validation failed for
>>>>> "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>>>>> Peer's certificate issuer has been marked as not trusted by the user.)
>>>>> Traceback (most recent call last):
>>>>>   File "./freeipa.py", line 82, in <module>
>>>>>     api = initialize()
>>>>>   File "./freeipa.py", line 17, in initialize
>>>>>     api.Backend.rpcclient.connect()
>>>>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>>>>     conn = self.create_connection(*args, **kw)
>>>>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>>>>     error=', '.join(urls))
>>>>> ipalib.errors.NetworkError: cannot connect to 'any of the configured
>>>>> servers': https://id1.prod.xxxxxxxx.com/ipa/json,
>>>>> https://id2.prod.xxxxxxxx.com/ipa/json
>>>>>
>>>>> If I curl the URL, it works just fine (I imported the CA Certificate in
>>>>> the system directory /etc/ssl/certs).
>>>>>
>>>>> I have run `openssl s_client` connect and downloaded the remote
>>>>> certificate locally, then I run:
>>>>>
>>>>> # openssl verify cert.pem
>>>>> # id1.prod.xxxxxxxx.com.pem: OK
>>>>>
>>>>> Would you help me figure out what's going on?
>>>>>
>>>>> --
>>>>> Alessandro De Maria
>>>>> alessandro.demaria at gmail.com
>>>>
>>>> Hi Alessandro,
>>>>
>>>> this error can mean that the CA certificate in the IPA NSS database
>>>> has wrong trust flags set. Please make sure that there is an IPA CA
>>>> certificate present in /etc/httpd/alias and it has trust flags
>>>> CT,C,C like this:
>>>>
>>>> # certutil -L -d /etc/httpd/alias/
>>>>
>>>> Certificate Nickname                          Trust Attributes
>>>>                                               SSL,S/MIME,JAR/XPI
>>>>
>>>> ipaCert                                       u,u,u
>>>> Server-Cert                                   u,u,u
>>>> <$REALM> IPA CA                               CT,C,C
>>>>
>>>> --
>>>> Martin^3 Babinsky
>>>
>>> --
>>> Alessandro De Maria
>>> alessandro.demaria at gmail.com
>>
>> --
>> Alessandro De Maria
>> alessandro.demaria at gmail.com
>
> Alessandro,
>
> I have just realized that this may be a client-side problem. On the executor
> you may need to import the CA certificate from the IPA server into the local
> /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.
>
> Or you can just enroll the node as an IPA client and it will set up all this
> stuff for you.
>
> --
> Martin^3 Babinsky
>
--
Alessandro De Maria
alessandro.demaria at gmail.com
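The trust-flag check that this thread keeps repeating by eye can be scripted. The following is an added Python example, not code from the thread, from FreeIPA or from the Ansible inventory script: it parses `certutil -L` output and reports why NSS (which ipalib uses, unlike curl and `openssl verify`, which read /etc/ssl/certs) would raise SEC_ERROR_UNTRUSTED_ISSUER for servers signed by the IPA CA. The listing is constructed sample data with a placeholder realm, and the function names are my own.

```python
import re

# Constructed sample of `certutil -L -d /etc/ipa/nssdb` output (placeholder realm).
SAMPLE_NSSDB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""

# Nicknames may contain spaces, so anchor on the trailing "ssl,smime,jar" column.
ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and blank lines do not match
            entries[m.group("nick")] = tuple(m.group("trust").split(","))
    return entries


def ipa_ca_trust_problems(entries):
    """Explain why NSS would reject a server cert issued by the IPA CA.

    NSS trusts an issuer for SSL only if its SSL trust column has 'C';
    'u,u,u' or no CA entry yields SEC_ERROR_UNTRUSTED_ISSUER even when
    OpenSSL (which reads /etc/ssl/certs, not the NSS db) says OK.
    """
    problems = []
    ca_entries = {n: t for n, t in entries.items() if n.endswith(" IPA CA")}
    if not ca_entries:
        problems.append("no '<REALM> IPA CA' certificate in the NSS database")
    for nick, (ssl, smime, jar) in ca_entries.items():
        if "C" not in ssl:
            problems.append(f"{nick}: SSL trust '{ssl}' lacks 'C', so servers "
                            "it signed fail with SEC_ERROR_UNTRUSTED_ISSUER")
        elif (ssl, smime, jar) != ("CT", "C", "C"):
            problems.append(f"{nick}: trust {ssl},{smime},{jar} differs from "
                            "the CT,C,C that ipa-client-install sets")
    return problems


if __name__ == "__main__":
    found = ipa_ca_trust_problems(parse_certutil_listing(SAMPLE_NSSDB_LISTING))
    print("\n".join(found) if found else "IPA CA trust flags look correct")
```

On a real executor, feed it the output of `certutil -L -d /etc/ipa/nssdb` instead of the sample; an empty result means the NSS side is not the reason for the error.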