Thank you very much for everything.
I tried curl, and curl on https:// works; I get an HTML response with the whole
body:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<script type="text/javascript"
src="../ui/js/libs/loader.js"></script>
<script type="text/javascript">
var dojoConfig = {
baseUrl: "../ui/js",
has: {
'dojo-firebug': false,
'dojo-debug-messages': true
},
parseOnLoad: false,
async: true,
packages: [ …………
…..
<div class="container-fluid">
<div class="row">
<div class="col-sm-12">
<div id="unauthorized-msg">
<noscript>
<h1>Unable to verify your Kerberos credentials</h1>
<p>
Please make sure that you have valid Kerberos tickets
(obtainable via <strong>kinit</strong>), and that you have configured your
browser correctly.
</p>
<h2>Browser configuration</h2>
<div id="first-time">
<p>
If this is your first time, please <a
href="ssbrowser.html">configure your browser</a>. …………..
……………
I have no idea. It looks like I will update all these VPSes to Ubuntu 18.04,
because everything works there.
On May 20, 2019 at 4:23:56 PM, Rob Crittenden (rcritten(a)redhat.com) wrote:
Petar Kozić wrote:
I just tried that:
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updates of cacerts keystore disabled.
done.
It looks like it updated something, but again the same error. In the above
command I copied ca.crt from IPA, if that is what you meant.
Thank you for your time.
That's about the extent of my Ubuntu knowledge.
It's hard to parse the output. Was that one file added or one
certificate added? LE definitely has a chain.
You should be able to independently confirm that the trust is ok using
something like curl:
$ curl https://ipa.example.com/ipa
If the connection fails then the right LE roots are not available on the
system.
rob
On May 20, 2019 at 4:03:32 PM, Rob Crittenden (rcritten(a)redhat.com) wrote:
> Petar Kozić via FreeIPA-users wrote:
> > @Rob, sorry for the duplicate mail, I forgot to reply to all
> >
> >
> > No, there is X1 and X3. I have the whole chain in ca.crt
> >
> > Where do you think I can install this Let's Encrypt root on the client
> > side, because on the server I already have it in the chain?
> >
> > On IPA I installed it this way:
> >
> > https://blog.soholabs.org/lets-encrypt-and-the-freeipa-web-gui/
>
> The older ipa-client-install doesn't handle cert chains well. You can try
> to add the roots to the global trust before running the installer via:
>
> $ sudo cp ca.crt /usr/local/share/ca-certificates/
> $ sudo update-ca-certificates
>
> rob
>
> >
> > On May 20, 2019 at 3:28:50 PM, Rob Crittenden (rcritten(a)redhat.com) wrote:
> >
> >> Petar Kozić via FreeIPA-users wrote:
> >> > Here are the log files. I just want to inform you that I have that
> >> > problem now also on Ubuntu 14.40 and Debian 8.
> >> > On Ubuntu the ipa client version is 3.3; maybe the problem is there.
> >> >
> >> > In the meantime I enrolled several more Ubuntu 18.04 instances without
> >> > problem.
> >> >
> >> > On this Debian 8 and Ubuntu 14.40 I just tried with the --ca-cert-file
> >> > option, which I copied from master, but same error.
> >> >
> >>
> >> I have no visibility into what CA file you used but you're missing
> >> either the X3 subca or the X1 root.
> >>
> >> You can get them from https://letsencrypt.org/certificates/
> >>
> >> Look at the ca.crt you used and see how many certificates are in there.
> >> I'm assuming there is only one. You can try concatenating the X1 and X3
> >> certs into that and things should work.
> >>
> >> rob
>
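Added example, not part of the original thread or of FreeIPA: shell functions that carry out the check suggested above, counting the certificates in a bundle such as ca.crt and reporting any issuer whose own certificate is not in the file. It assumes the openssl command-line tool is installed; the function names and the throwaway demo chain are constructed for illustration.

```shell
#!/bin/sh
# Inspect a CA bundle: how many certificates it holds and whether any issuer is missing.

count_certs() {   # number of PEM certificates in file $1
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

list_certs() {    # subject=/issuer= lines for every certificate in file $1
    # "openssl x509" reads only the first certificate, so go through PKCS#7.
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

missing_issuers() {   # issuer names that never appear as a subject in file $1
    # A self-signed root is its own issuer, so a complete chain prints nothing.
    list_certs "$1" | awk '
        /^subject=/ { sub(/^subject=/, ""); have[$0] = 1; next }
        /^issuer=/  { sub(/^issuer=/, "");  need[$0] = 1 }
        END { for (n in need) if (!(n in have)) print n }'
}

check_bundle() {  # summary for file $1; returns 1 if an issuer is missing
    echo "$1: $(count_certs "$1") certificate(s)"
    missing=$(missing_issuers "$1")
    if [ -n "$missing" ]; then
        echo "  issuer not in bundle: $missing"
        return 1
    fi
    echo "  every issuer is present in the bundle"
}

# Constructed sample input: a throwaway root and intermediate written to
# directory $1 (used for name matching only; these are not real CA certificates).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Demo Intermediate" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/int.pem" 2>/dev/null
}

# With a file argument, check that bundle (for example the ca.crt copied from IPA).
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```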