[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

Rob Crittenden rcritten at redhat.com
Tue Nov 8 14:55:48 UTC 2016


Alessandro De Maria wrote:
> Hello Martin,
> 
> still no luck unfortunately.
> 
> The client is an Ubuntu 14.04 server, and I believe it is enrolled already.
> 
> The /etc/ipa/ca.pem is correct and already installed, and I even added
> it to the /etc/ssl/certs directory (which is why my curl command in the
> first email does not complain)

The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this
is handled on Ubuntu clients but you'll need to confirm that whatever
Ubuntu uses exists and has the IPA CA certificate installed.

rob

> 
> Commands like `kinit` work just fine, and I have never experienced a
> problem which would make me doubt the enrollment of this client.
> 
> 
> I run the following commands:
> # mkdir /etc/ipa/nssdb
> # certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
> # chmod +r /etc/ipa/nssdb/*
> # certutil -L -d /etc/ipa/nssdb
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> PROD.XXXXXXXX.COM IPA CA                                     CT,C,C
> 
> But I am still unable to run the script.
> Is there anything else I need to do? Do I need to restart some
> components? Any log I could look into?
> 
> Thank you
> 
> 
> On 8 November 2016 at 07:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
> 
>     On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> 
>         Hi Martin,
> 
>         I tried from the host I am executing the script from, and I get:
>         certutil -L -d /etc/httpd/alias/
>         certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>         certificate/key database is in an old, unsupported format.
> 
> 
>         From the FreeIPA server, as I said previously, I get:
> 
>         certutil -L -d /etc/httpd/alias/
> 
>         Certificate Nickname                                         Trust Attributes
>                                                                      SSL,S/MIME,JAR/XPI
> 
>         Signing-Cert                                                 u,u,u
>         ipaCert                                                      u,u,u
>         Server-Cert                                                  u,u,u
>         PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
> 
> 
>         From the FreeIPA server, I seem to be able to run the script, so we
>         are definitely on the right track.
>         How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
>         copy it, or is there a way to regenerate it?
> 
>         Regards
>         Alessandro
> 
>         On 7 November 2016 at 15:36, Alessandro De Maria
>         <alessandro.demaria at gmail.com> wrote:
> 
>             Hi Martin, this is the output from the id1 host:
> 
>             certutil -L -d /etc/httpd/alias/
> 
>             Certificate Nickname                                         Trust Attributes
>                                                                          SSL,S/MIME,JAR/XPI
> 
>             Signing-Cert                                                 u,u,u
>             ipaCert                                                      u,u,u
>             Server-Cert                                                  u,u,u
>             PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
> 
> 
>             looks just like you suggested. Any other suggestion?
> 
>             On 7 November 2016 at 10:56, Martin Babinsky
>             <mbabinsk at redhat.com> wrote:
> 
>                 On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
> 
>                     Hello,
> 
>                     I have a FreeIPA installation that is working very
>                     nicely, we already have configured many hosts and so
>                     far we are quite happy with it.
> 
>                     I was trying to connect Ansible to fetch hosts from
>                     FreeIPA using the freeipa.py script
>                     (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
> 
> 
>                     Unfortunately when I run it, I get the following:
> 
>                     ipa: ERROR: cert validation failed for
>                     "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM"
>                     ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
>                     has been marked as not trusted by the user.)
>                     ipa: ERROR: cert validation failed for
>                     "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM"
>                     ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
>                     has been marked as not trusted by the user.)
>                     Traceback (most recent call last):
>                       File "./freeipa.py", line 82, in <module>
>                         api = initialize()
>                       File "./freeipa.py", line 17, in initialize
>                         api.Backend.rpcclient.connect()
>                       File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>                         conn = self.create_connection(*args, **kw)
>                       File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>                         error=', '.join(urls))
>                     ipalib.errors.NetworkError: cannot connect to 'any of the
>                     configured servers': https://id1.prod.xxxxxxxx.com/ipa/json,
>                     https://id2.prod.xxxxxxxx.com/ipa/json
> 
> 
>                     If I curl the URL, it works just fine (I imported the CA
>                     certificate in the system directory /etc/ssl/certs).
> 
>                     I have run `openssl s_client` connect and downloaded the
>                     remote certificate locally, then I run:
> 
>                     # openssl verify cert.pem
>                     # id1.prod.xxxxxxxx.com.pem: OK
> 
> 
>                     Would you help me figure out what's going on?
> 
> 
> 
>                     --
>                     Alessandro De Maria
>                     alessandro.demaria at gmail.com
> 
> 
> 
>                 Hi Alessandro,
> 
>                 this error can mean that the CA certificate in the IPA NSS
>                 database has wrong trust flags set. Please make sure that
>                 there is an IPA CA certificate present in /etc/httpd/alias
>                 and it has trust flags CT,C,C like this:
> 
>                 # certutil -L -d /etc/httpd/alias/
> 
>                 Certificate Nickname                                         Trust Attributes
>                                                                              SSL,S/MIME,JAR/XPI
> 
>                 ipaCert                                                      u,u,u
>                 Server-Cert                                                  u,u,u
>                 <$REALM> IPA CA                                              CT,C,C
> 
>                 --
>                 Martin^3 Babinsky
> 
> 
> 
> 
> 
>             --
>             Alessandro De Maria
>             alessandro.demaria at gmail.com
> 
> 
> 
> 
>         --
>         Alessandro De Maria
>         alessandro.demaria at gmail.com
> 
> 
>     Alessandro,
> 
>     I have just realized that this may be client-side problem. On the
>     executor you may need to import CA certificate from IPA server to
>     local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as PEM file.
> 
>     Or you can just enroll the node as IPA client and it will set up all
>     this stuff for you.
> 
>     -- 
>     Martin^3 Babinsky
> 
> 
> 
> 
> -- 
> Alessandro De Maria
> alessandro.demaria at gmail.com
> 
> 
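The check that both Martin's and Rob's replies ask for, as an added example that is not part of the thread or of FreeIPA: a Python script that parses the output of `certutil -L -d <dir>`, decodes each entry's NSS trust triple (SSL, S/MIME, JAR/XPI) and reports whether the `<REALM> IPA CA` entry is present with the `C` flag in the SSL slot, which is what the IPA client needs to validate the servers' HTTPS certificates. The listings embedded in it are constructed to mirror the ones posted above; the realm EXAMPLE.COM, the nickname format, the paths and the `import_ca_argv` helper (which only builds the `certutil -A` command line Alessandro ran and does not execute it) are assumptions of this example.

```python
"""Check that an NSS database contains the IPA CA with usable trust flags.

Added example (not from the thread or from FreeIPA). It parses the text
printed by `certutil -L -d <dir>`, decodes the NSS trust triple of every
entry and reports whether "<REALM> IPA CA" is present and trusted to issue
SSL server certificates. The listings below are constructed for this
example; the realm EXAMPLE.COM is a placeholder.
"""
import re
import subprocess

# One listing row: a nickname (may contain spaces) followed by a trust triple
# such as "CT,C,C", "u,u,u" or ",," (empty slots are legal certutil output).
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

SLOTS = ("SSL", "S/MIME", "JAR/XPI")

# Meaning of the certutil trust letters, per certutil(1).
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA for server certificates",
    "T": "trusted CA for client certificates",
    "u": "user certificate (private key present)",
}


def parse_listing(text):
    """Return {nickname: trust triple} from the text of `certutil -L`."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the two header lines and blank separators.
        if not line or "Trust Attributes" in line or line == "SSL,S/MIME,JAR/XPI":
            continue
        m = ROW_RE.match(line)
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries


def decode_trust(trust):
    """Map each usage slot to the set of trust letters it carries."""
    parts = trust.split(",")
    if len(parts) != 3:
        raise ValueError("malformed trust triple: %r" % trust)
    return dict(zip(SLOTS, (set(p) for p in parts)))


def check_ipa_ca(listing_text, realm):
    """Return (ok, reason) for the IPA CA entry of `realm` in a listing.

    The client needs the CA trusted for SSL server certificates ("C" in the
    SSL slot). A CA that is present but lacks it is the "wrong trust flags"
    condition Martin describes: NSS finds the issuer but does not trust it.
    """
    nick = "%s IPA CA" % realm
    entries = parse_listing(listing_text)
    if nick not in entries:
        return False, "%r not found in database" % nick
    ssl_flags = decode_trust(entries[nick])["SSL"]
    if "C" not in ssl_flags:
        have = ", ".join(FLAG_MEANING.get(f, f) for f in sorted(ssl_flags)) or "none"
        return False, "%r present but SSL trust is %r, need C (have: %s)" % (
            nick, entries[nick], have)
    return True, "%r trusted for SSL (%s)" % (nick, entries[nick])


def import_ca_argv(nssdb, realm, pem_path):
    """argv for importing the IPA CA PEM with the trust flags the client expects."""
    return ["certutil", "-A", "-d", nssdb, "-n", "%s IPA CA" % realm,
            "-t", "CT,C,C", "-a", "-i", pem_path]


def check_nssdb(nssdb, realm):
    """Run certutil -L against a real database directory, e.g. /etc/ipa/nssdb."""
    out = subprocess.check_output(["certutil", "-L", "-d", nssdb])
    return check_ipa_ca(out.decode("utf-8", "replace"), realm)


# Constructed listing modelled on the server-side output posted in the thread.
SERVER_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""

# Constructed listing of the same CA imported with `-t ",,"`: the issuer is
# known to NSS but carries no trust for any usage.
UNTRUSTED_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           ,,
"""

if __name__ == "__main__":
    for name, text in (("server", SERVER_LISTING), ("untrusted", UNTRUSTED_LISTING)):
        print(name, check_ipa_ca(text, "EXAMPLE.COM"))
    print(" ".join(import_ca_argv("/etc/ipa/nssdb", "EXAMPLE.COM", "/etc/ipa/ca.crt")))
```

On a real client, `check_nssdb("/etc/ipa/nssdb", "REALM")` runs the listing for the directory Rob names; on a distribution whose ipalib package reads a different database, point it at that directory instead, since the check is only meaningful against the database the client actually opens.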