<div dir="ltr">Hi Martin, this is the output from the id1 host:<div><br></div><div><div><font face="monospace, monospace">certutil -L -d /etc/httpd/alias/</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Certificate Nickname                                         Trust Attributes</font></div><div><font face="monospace, monospace">                                                             SSL,S/MIME,JAR/XPI</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Signing-Cert                                                 u,u,u</font></div><div><font face="monospace, monospace">ipaCert                                                      u,u,u</font></div><div><font face="monospace, monospace">Server-Cert                                                  u,u,u</font></div><div><font face="monospace, monospace"><a href="http://PROD.XXXXXXXXXXXXX.COM">PROD.XXXXXXXXXXXXX.COM</a> IPA CA                                CT,C,C</font></div></div><div><br></div><div><br></div><div>looks just like you suggested. Any other suggestion?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 7 November 2016 at 10:56, Martin Babinsky <span dir="ltr"><<a href="mailto:mbabinsk@redhat.com" target="_blank">mbabinsk@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/04/2016 04:52 PM, Alessandro De Maria wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hello,<br>
<br>
I have a FreeIPA installation that is working very nicely, we already<br>
have configured many hosts and so far we are quite happy with it.<br>
<br>
I was trying to connect Ansible to fetch hosts from FreeIPA using the<br>
freeipa.py script<br>
(<a href="https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py" rel="noreferrer" target="_blank">https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py</a>)<br>
<br>
Unfortunately when I run it, I get the following:<br>
<br></span>
ipa: ERROR: cert validation failed for<br>
"CN=id1.prod.xxxxxxxx.com,O=<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">PROD.xxxxxxxx.COM</a><br>
<<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>>" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's<br>
certificate issuer has been marked as not trusted by the user.)<br>
ipa: ERROR: cert validation failed for<br>
"CN=id2.prod.xxxxxxxx.com,O=<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">PROD.xxxxxxxx.COM</a><br>
<<a href="http://PROD.xxxxxxxx.COM" rel="noreferrer" target="_blank">http://PROD.xxxxxxxx.COM</a>>" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's<br>
certificate issuer has been marked as not trusted by the user.)<br>
Traceback (most recent call last):<br>
  File "./freeipa.py", line 82, in <module><br>
    api = initialize()<br>
  File "./freeipa.py", line 17, in initialize<br>
    api.Backend.rpcclient.connect()<br>
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66,<br>
in connect<br>
    conn = self.create_connection(*args, **kw)<br>
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in<br>
create_connection<br>
    error=', '.join(urls))<br>
ipalib.errors.NetworkError: cannot connect to 'any of the configured<br>
servers': <a href="https://id1.prod." rel="noreferrer" target="_blank">https://id1.prod.</a>xxxxxxxx.com/ipa/json,<br>
<a href="https://id2.prod." rel="noreferrer" target="_blank">https://id2.prod.</a>xxxxxxxx.com/ipa/json<span class=""><br>
<br>
<br>
If I curl the URL, it works just fine ( I imported the CA Certificate in<br>
the system directory /etc/ssl/certs).<br>
<br>
I have run `openssl s_client` connect and downloaded the remote<br>
certificate locally, then I run:<br>
<br>
# openssl verify cert.pem<br></span>
# id1.prod.xxxxxxxx.com.pem: OK<span class=""><br>
<br>
<br>
Would you help me figure out what's going on?<br>
<br>
<br>
<br>
--<br>
Alessandro De Maria<br>
</span><a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a> <mailto:<a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a>><br>
<br>
<br>
</blockquote>
<br>
Hi Alessandro,<br>
<br>
This error can mean that the CA certificate in the IPA NSS database has the wrong trust flags set. Please make sure that there is an IPA CA certificate present in /etc/httpd/alias and that it has the trust flags CT,C,C, like this:<br>
<br>
# certutil -L -d /etc/httpd/alias/<br>
<br>
Certificate Nickname                                         Trust Attributes<br>
                                                             SSL,S/MIME,JAR/XPI<br>
<br>
ipaCert                                                      u,u,u<br>
Server-Cert                                                  u,u,u<br>
<$REALM> IPA CA                                              CT,C,C<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Martin^3 Babinsky<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Alessandro De Maria<br><a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a></div>
</div>
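As an added check for the diagnosis Martin proposes (this is not code from the thread or from FreeIPA), the script below parses `certutil -L` output and reports whether the `<REALM> IPA CA` entry carries the CT,C,C trust flags; the sample listing and the PROD.EXAMPLE.COM realm are constructed, and `read_nss_db` assumes `certutil` is on PATH.

```python
import re
import subprocess

# Trust attributes the thread says the IPA CA must carry in /etc/httpd/alias.
EXPECTED_CA_TRUST = "CT,C,C"

# Constructed sample modelled on the certutil -L listing quoted in the thread
# (the PROD.EXAMPLE.COM realm is a placeholder, not a real deployment).
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      CT,C,C
"""

# One entry line: nickname, two or more spaces, three comma-separated NSS flag
# fields (p/P peer, c/C CA, T client-auth CA, u user, w warn; a field may be empty).
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

def parse_certutil_listing(text):
    """Map nickname -> trust attributes from `certutil -L -d <dbdir>` output."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries

def check_ipa_ca_trust(entries):
    """Return (nickname, trust, ok) for the '<REALM> IPA CA' entry, or
    (None, None, False) when no IPA CA is present in the database."""
    for nick, trust in entries.items():
        if nick.endswith(" IPA CA"):
            return nick, trust, trust == EXPECTED_CA_TRUST
    return None, None, False

def read_nss_db(dbdir="/etc/httpd/alias/"):
    """Read a live database; assumes certutil is installed and on PATH."""
    return subprocess.check_output(["certutil", "-L", "-d", dbdir], text=True)

if __name__ == "__main__":
    nick, trust, ok = check_ipa_ca_trust(parse_certutil_listing(SAMPLE_LISTING))
    print(nick, trust, "OK" if ok else "CA missing or trust flags wrong (expected CT,C,C)")
```

On the id1 host in this thread the listing already passes this check, so a pass only rules out the trust-flag cause Martin describes and not the other possibilities still being discussed.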