[Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER
Alessandro De Maria
alessandro.demaria at gmail.com
Tue Nov 8 20:27:17 UTC 2016
Thank you Rob and Martin,
the correct place on Ubuntu seems to be:
/etc/pki/nssdb/
This directory does not seem to be initialised by the *ipa-client-install*
tool.
Now my script still doesn't work, but offers brand new errors :)
Thank you
On 8 November 2016 at 14:55, Rob Crittenden <rcritten at redhat.com> wrote:
> Alessandro De Maria wrote:
> > Hello Martin,
> >
> > still no luck unfortunately.
> >
> > The client is an ubuntu 14.04 server, and I believe it is enrolled
> already.
> >
> > The /etc/ipa/ca.pem is correct and already installed, and I even added
> > it to the /etc/ssl/certs directory (which is why my curl command in the
> > first email does not complain)
>
> The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this
> is handled on Ubuntu clients but you'll need to confirm that whatever
> Ubuntu uses exists and has the IPA CA certificate installed.
>
> rob
>
> >
> > Commands like kinit work just fine, and I have never experienced a
> > problem which would make me doubt the enrollment of this client.
> >
> >
> > I run the following commands:
> > # mkdir /etc/ipa/nssdb
> > # certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
> > # chmod +r /etc/ipa/nssdb/*
> > # certutil -L -d /etc/ipa/nssdb
> >
> > Certificate Nickname                         Trust Attributes
> >                                              SSL,S/MIME,JAR/XPI
> >
> > PROD.XXXXXXXX.COM IPA CA                     CT,C,C
> >
> > But I am still unable to run the script.
> > Is there anything else I need to do? Do I need to restart some
> > components? Any log I could look into?
> >
> > Thank you
> >
> >
> > On 8 November 2016 at 07:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
> >
> > On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> >
> > Hi Martin,
> >
> > I tried from the host I am executing the script from, and I get:
> > certutil -L -d /etc/httpd/alias/
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > certificate/key database is in an old, unsupported format.
> >
> >
> > From the FreeIPA server, as I said previously, I get:
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname                         Trust Attributes
> >                                              SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert                                 u,u,u
> > ipaCert                                      u,u,u
> > Server-Cert                                  u,u,u
> > PROD.XXXXXXXXXXXXX.COM IPA CA                CT,C,C
> >
> >
> > From the FreeIPA server, I seem to be able to run the script, so we are
> > definitely on the right track.
> > How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
> > copy it, or is there a way to regenerate it?
> >
> > Regards
> > Alessandro
> >
> > On 7 November 2016 at 15:36, Alessandro De Maria <alessandro.demaria at gmail.com> wrote:
> >
> > Hi Martin, this is the output from the id1 host:
> >
> > certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname                         Trust Attributes
> >                                              SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert                                 u,u,u
> > ipaCert                                      u,u,u
> > Server-Cert                                  u,u,u
> > PROD.XXXXXXXXXXXXX.COM IPA CA                CT,C,C
> >
> >
> > looks just like you suggested. Any other suggestion?
> >
> > On 7 November 2016 at 10:56, Martin Babinsky <mbabinsk at redhat.com> wrote:
> >
> > On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
> >
> > Hello,
> >
> > I have a FreeIPA installation that is working very nicely, we already
> > have configured many hosts and so far we are quite happy with it.
> >
> > I was trying to connect Ansible to fetch hosts from FreeIPA using the
> > freeipa.py script
> > (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
> >
> >
> > Unfortunately when I run it, I get the following:
> >
> > ipa: ERROR: cert validation failed for "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> > ipa: ERROR: cert validation failed for "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> > Traceback (most recent call last):
> >   File "./freeipa.py", line 82, in <module>
> >     api = initialize()
> >   File "./freeipa.py", line 17, in initialize
> >     api.Backend.rpcclient.connect()
> >   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
> >     conn = self.create_connection(*args, **kw)
> >   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
> >     error=', '.join(urls))
> > ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json
> >
> >
> > If I curl the URL, it works just fine ( I imported
> > the CA
> > Certificate in
> > the system directory /etc/ssl/certs).
> >
> > I have run `openssl s_client` connect and downloaded the remote
> > certificate locally, then I run:
> >
> > # openssl verify cert.pem
> > # id1.prod.xxxxxxxx.com.pem: OK
> >
> >
> > Would you help me figure out what's going on?
> >
> >
> >
> > --
> > Alessandro De Maria
> > alessandro.demaria at gmail.com
> >
> >
> >
> > Hi Alessandro,
> >
> > this error can mean that the CA certificate in the IPA NSS database
> > has wrong trust flags set. Please make sure that there is an IPA CA
> > certificate present in /etc/httpd/alias and it has trust flags
> > CT,C,C like this:
> >
> > # certutil -L -d /etc/httpd/alias/
> >
> > Certificate Nickname                         Trust Attributes
> >                                              SSL,S/MIME,JAR/XPI
> >
> > ipaCert                                      u,u,u
> > Server-Cert                                  u,u,u
> > <$REALM> IPA CA                              CT,C,C
> >
> > --
> > Martin^3 Babinsky
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> >
> >
> >
> > --
> > Alessandro De Maria
> > alessandro.demaria at gmail.com
> >
> >
> >
> >
> > --
> > Alessandro De Maria
> > alessandro.demaria at gmail.com
> >
> >
> > Alessandro,
> >
> > I have just realized that this may be a client-side problem. On the
> > executor you may need to import CA certificate from IPA server to
> > local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as PEM file.
> >
> > Or you can just enroll the node as IPA client and it will set up all
> > this stuff for you.
> >
> > --
> > Martin^3 Babinsky
> >
> >
> >
> >
> > --
> > Alessandro De Maria
> > alessandro.demaria at gmail.com <mailto:alessandro.demaria at gmail.com>
> >
> >
>
>
--
Alessandro De Maria
alessandro.demaria at gmail.com
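The check the thread converges on (is the "<REALM> IPA CA" entry present in the client's NSS database with CT,C,C trust?) as a small script, added here as an example and not part of the original messages or of FreeIPA; the certutil listing is a constructed sample with a placeholder realm, and the database path and realm passed to import_command are assumptions.

```python
import re

# Constructed sample of `certutil -L -d <nssdb>` output, modelled on the
# listings quoted in the thread; the realm is a placeholder, not a real one.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      CT,C,C
"""

# A data line is "<nickname><whitespace><ssl>,<smime>,<jar>"; the header and
# the "SSL,S/MIME,JAR/XPI" caption contain characters outside the flag set.
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust flag strings from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m:  # skip header, caption and blank lines
            entries[m.group("nick")] = tuple(m.group("trust").split(","))
    return entries


def check_ipa_ca(entries, realm):
    """Return (ok, reason) for the '<REALM> IPA CA' entry an ipalib client needs."""
    nick = f"{realm} IPA CA"
    if nick not in entries:
        return False, f"no certificate nicknamed '{nick}' in the database"
    ssl = entries[nick][0]
    if "C" not in ssl:
        # 'u' or empty SSL trust: NSS will not treat the entry as a CA, so the
        # server cert chains to an issuer NSS does not trust (the thread's error)
        return False, f"'{nick}' is present but its SSL trust is '{ssl}', not CT,C,C"
    return True, f"'{nick}' is trusted as a CA ({','.join(entries[nick])})"


def import_command(nssdb, realm, ca_pem="/etc/ipa/ca.crt"):
    """argv that imports the IPA CA with CT,C,C trust, as in the thread (-i instead of stdin)."""
    return ["certutil", "-A", "-d", nssdb, "-n", f"{realm} IPA CA",
            "-t", "CT,C,C", "-a", "-i", ca_pem]


if __name__ == "__main__":
    ok, reason = check_ipa_ca(parse_certutil_list(SAMPLE_LISTING), "PROD.EXAMPLE.COM")
    print(("OK: " if ok else "FIX: ") + reason)
```

On a real client, feed it the output of `certutil -L -d /etc/ipa/nssdb` (or /etc/pki/nssdb on the Ubuntu host in the thread) and the Kerberos realm from /etc/ipa/default.conf.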