Hello Florence,

I have checked the output of the ldapsearch command and I can see both the IPA CA and the third-party CA in the /etc/ipa/ca.crt file on my IPA server.

I even tried installing the client with the option ca-cert-file="" pointing at the ca.crt file from the IPA server, copied locally to one path on my IPA client. However, it still reported the certificate as untrusted. Is there any issue in enrolling IPA client version 3.3 with IPA server version 4.4 when a third-party certificate is installed? If I use the self-signed CA of the IPA server alone, the enrolment completes successfully.

Awaiting your reply.

Thanks and Regards,
Alka Murali

On Fri, Jul 28, 2017 at 10:17 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:
On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:
I cannot enrol and do the ipa-client-install on Ubuntu 14.04 against IPA Server (4.4). My IPA server has third-party certificates for HTTP/LDAP. I installed them using the suggestions in

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Other versions of Ubuntu, like 16.04, enrol fine.

Here is the error message that I get during the installation

----
cert validation failed for "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Cannot connect to the server due to generic error: cannot connect to 'https://*.*.*.*/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
Installation failed. Rolling back changes.
certmonger failed to start: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
-----

Is it due to my third-party cert? If so, please provide a suggestion so that I can enrol my Ubuntu client to my IPA server.

I am attaching the logs for your reference.



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org


Hi,

from the logs we can see that the client retrieved IPA CA cert:
2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=*.*.*
    Issuer:      CN=Certificate Authority,O=*.*.*
    Valid From:  Tue Apr 11 01:18:51 2017 UTC
    Valid Until: Sat Apr 11 01:18:51 2037 UTC
but there is no trace of the 3rd-party CA, which should also be displayed here.

If there is a file /etc/ipa/ca.crt left on the client after the unsuccessful installation, can you check whether it also contains the 3rd-party CA cert (i.e. the one that you added using ipa-cacert-manage)? If not, you can check on the IPA server with (replace BASEDN with your base DN, which can be found in /etc/ipa/default.conf):
$ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

The output should contain an entry corresponding to the 3rd-party CA cert. If it is missing, make sure that you run ipa-cacert-manage install and ipa-certupdate to load the 3rd-party CA before enrolling the client (ipa-cacert-manage on one of the IPA servers, ipa-certupdate on all servers/replicas/clients).

HTH,
Flo.
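Flo's first check, whether the client's /etc/ipa/ca.crt actually carries the third-party CA, can be made mechanical by comparing certificate fingerprints instead of reading subjects by eye. The script below is an added example for this thread; it is not code from the thread or from the FreeIPA project. It uses only the Python standard library: it splits a PEM bundle into its certificates, computes the SHA-256 fingerprint of each DER blob (the same value `openssl x509 -fingerprint -sha256` prints), and reports which certificates of a reference CA file are missing from the bundle. The PEM blocks embedded for the demo are constructed placeholders wrapped around arbitrary bytes, not real certificates; the logic only needs the DER bytes, so it behaves identically on real files. File names and the `missing_from_bundle` helper are my own.

```python
"""Check whether a PEM CA bundle (e.g. /etc/ipa/ca.crt) contains a given CA.

Added example, not part of the FreeIPA-users thread. Usage on a real client:
    python check_ca_bundle.py /etc/ipa/ca.crt /path/to/third-party-ca.pem
where the second file is the CA that was passed to `ipa-cacert-manage install`.
"""
import base64
import hashlib
import re
import sys

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_blobs(pem_text):
    """Return the DER bytes of every certificate found in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(pem_text):
    """Fingerprints of all certificates in a bundle, in file order."""
    return [fingerprint(der) for der in pem_to_der_blobs(pem_text)]


def missing_from_bundle(bundle_pem, ca_pem):
    """Fingerprints of certs in ca_pem that do not appear in bundle_pem.

    An empty list means every reference CA is present in the bundle.
    """
    present = set(bundle_fingerprints(bundle_pem))
    return [fp for fp in bundle_fingerprints(ca_pem) if fp not in present]


def make_pem(der):
    """Wrap bytes in a PEM CERTIFICATE block (64-char lines, like openssl)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed demo data: these are NOT real certificates, just bytes wrapped
# as PEM so the bundle-splitting and fingerprint logic can be exercised offline.
IPA_CA_PEM = make_pem(b"constructed placeholder, not a real certificate: IPA CA")
THIRD_PARTY_CA_PEM = make_pem(b"constructed placeholder, not a real certificate: 3rd-party CA")
# What the client log in the thread suggests /etc/ipa/ca.crt held: IPA CA only.
CLIENT_BUNDLE = IPA_CA_PEM
# What the server's /etc/ipa/ca.crt should hold after ipa-cacert-manage install.
SERVER_BUNDLE = IPA_CA_PEM + THIRD_PARTY_CA_PEM


def main(argv):
    if len(argv) != 3:
        print("usage: check_ca_bundle.py <bundle.pem> <reference-ca.pem>")
        return 2
    with open(argv[1]) as f:
        bundle = f.read()
    with open(argv[2]) as f:
        reference = f.read()
    print("certificates in bundle:", len(pem_to_der_blobs(bundle)))
    missing = missing_from_bundle(bundle, reference)
    for fp in missing:
        print("MISSING from bundle:", fp)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit with a "MISSING" line on the client, while the same check passes against the server's /etc/ipa/ca.crt, points at the distribution step (ipa-certupdate, or the ldapsearch entry under cn=certificates) rather than at the third-party CA itself. The script deliberately stops at fingerprints: printing subjects would need an X.509 parser (`openssl x509 -noout -subject` or the `cryptography` package), and a fingerprint match already answers "is this exact CA in the file".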