OpenSSL 3.0.2-0ubuntu1.1 is installed on 22.04.
The openssl and curl commands in the previous email were run on Ubuntu 22.04.

On Fri, 27 May 2022 at 11:23, Rob Crittenden (rcritten@redhat.com) wrote:
Thanks, this is very helpful. I wonder if the same s_client and curl
commands work from the Ubuntu 22.04 machine or if they'll fail in the
same way.

The cert lacks a DNS SAN for the hostname. I suspect this may be the
issue (using the CN has been deprecated forever but was still allowed in
most libraries). What version of OpenSSL is on 22.04?

rob

Gustavo Berman wrote:
> Here's info obtained from the same client using openssl, you can see that
> the subject CN is fine.
>
> localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
> ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
> openssl x509 -inform pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 536805412 (0x1fff0024)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O = FISICA.CABIB, CN = Certificate Authority
>         Validity
>             Not Before: Jul 14 14:25:06 2020 GMT
>             Not After : Jul 15 14:25:06 2022 GMT
>         Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
>             Authority Information Access:
>                 OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment,
> Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points:
>                 Full Name:
>                   URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin  
>              CRL Issuer:
>                   DirName:O = ipaca, CN = Certificate Authority
>             X509v3 Subject Key Identifier:
>                 3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
>             X509v3 Subject Alternative Name:
>                 othername:
> UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername:
> 1.3.6.1.5.2.2::<unsupported>
>     Signature Algorithm: sha256WithRSAEncryption
>     Signature Value:
> localadmin@fisica75:~$
>
>
> And more info obtained with curl:
>
> localadmin@fisica75:~$ curl --insecure -vvI https://ipaserver.fisica.cabib
> *   Trying 10.reda.cted.ip:443...
> * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS header, Finished (20):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS header, Finished (20):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> *  subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
> *  start date: Jul 14 14:25:06 2020 GMT
> *  expire date: Jul 15 14:25:06 2022 GMT
> *  issuer: O=FISICA.CABIB; CN=Certificate Authority
> *  SSL certificate verify result: self-signed certificate in certificate
> chain (19), continuing anyway.
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> > HEAD / HTTP/1.1
> > Host: ipaserver.fisica.cabib
> > User-Agent: curl/7.81.0
> > Accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 301 Moved Permanently
> HTTP/1.1 301 Moved Permanently
> < Date: Fri, 27 May 2022 13:53:28 GMT
> Date: Fri, 27 May 2022 13:53:28 GMT
> < Server: Apache/redactedversion
> Server: Apache/redactedversion
> < Location: https://ipaserver.fisica.cabib/ipa/ui
> Location: https://ipaserver.fisica.cabib/ipa/ui
> < Content-Type: text/html; charset=iso-8859-1
> Content-Type: text/html; charset=iso-8859-1
>
> <
> * Connection #0 to host ipaserver.fisica.cabib left intact
>
> Also attached public cert 
>
>
>  
>
> On Fri, 27 May 2022 at 10:20, Rob Crittenden (rcritten@redhat.com) wrote:
>
>     Gustavo Berman via FreeIPA-users wrote:
>     > Hello there!
>     >
>     > Ubuntu 18.04 (and previous ones) works just fine
>     > In Ubuntu 22.04 I'm trying to execute ipa-client install but it
>     fails with:
>     >
>     > root@fisica75:~# ipa-client-install
>     > This program will set up IPA client.
>     > Version 4.9.8
>     >
>     > WARNING: conflicting time&date synchronization service 'ntp' will be
>     > disabled in favor of chronyd
>     >
>     > Discovery was successful!
>     > Do you want to configure chrony with NTP server or pool address? [no]:
>     > Client hostname: fisica75.fisica.cabib
>     > Realm: FISICA.CABIB
>     > DNS Domain: fisica.cabib
>     > IPA Server: ipaserver.fisica.cabib
>     > BaseDN: dc=fisica,dc=cabib
>     >
>     > Continue to configure the system with these values? [no]: yes
>     > Synchronizing time
>     > No SRV records of NTP servers found and no NTP server or pool address
>     > was provided.
>     > Using default chrony configuration.
>     > Attempting to sync time with chronyc.
>     > Time synchronization was successful.
>     > User authorized to enroll computers: tavo
>     > Password for tavo@FISICA.CABIB:
>     > Successfully retrieved CA cert
>     >     Subject:     CN=Certificate Authority,O=FISICA.CABIB
>     >     Issuer:      CN=Certificate Authority,O=FISICA.CABIB
>     >     Valid From:  2014-01-14 12:56:57
>     >     Valid Until: 2034-01-14 12:56:57
>     >
>     > Enrolled in IPA realm FISICA.CABIB
>     > Created /etc/ipa/default.conf
>     > Configured /etc/sssd/sssd.conf
>     > Configured /etc/krb5.conf for IPA realm FISICA.CABIB
>     > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
>     > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname
>     mismatch,
>     > certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
>     > The ipa-client-install command failed. See
>     > /var/log/ipaclient-install.log for more information
>     > root@fisica75:~#
>     >
>     > There is no Hostname mismatch for the server certificate. It has been
>     > working just fine for years with multiple distros as clients. I can
>     > access the website with the same URL and cert is just fine.
>     >
>
>     The error message is pretty clear and comes out of openssl. Can we see
>     the web server certificate from that host? Can you confirm that the host
>     the client connected to is actually this host (e.g. DNS or /etc/host
>     issues)?
>
>     rob
>
>
>
> --
> Gustavo Berman
> Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA



--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
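The check behind the "Hostname mismatch" error and Rob's point about the missing DNS SAN, as an added example that is not part of this thread or of FreeIPA: a stdlib-only re-implementation of the verification rule modern TLS stacks apply, where the name is matched against the dNSName entries of subjectAltName and the subject CN is only a legacy fallback. The certificate dictionaries are constructed by hand in the shape of `ssl.SSLSocket.getpeercert()` and mirror the thread's certificate (CN correct, SAN holding only othername entries); the `cn_fallback` switch and all function names are this example's own.

```python
def _dns_names(cert):
    """dNSName entries of the SAN extension, in getpeercert() layout."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def _match(pattern, hostname):
    """RFC 6125-style match: exact, or one wildcard as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # wildcard must be the entire leftmost label and not sit in a TLD
    return p_labels[1:] == h_labels[1:]

def check_hostname(cert, hostname, cn_fallback=False):
    """Return (ok, reason). With cn_fallback=False the subject CN is never consulted,
    which is what produces the thread's 'certificate is not valid for ...' failure."""
    dns = _dns_names(cert)
    if any(_match(p, hostname) for p in dns):
        return True, "matched SAN dNSName"
    if dns:
        return False, f"SAN dNSName entries {dns} do not cover {hostname!r}"
    if cn_fallback and any(_match(cn, hostname) for cn in _common_names(cert)):
        return True, "matched subject CN (deprecated fallback, no dNSName in SAN)"
    return False, f"certificate is not valid for {hostname!r}: no dNSName in SAN"

# Constructed to mirror the server certificate shown in the thread: CN is right,
# but the SAN carries only Kerberos/UPN othername entries and no DNS name.
IPA_LIKE_CERT = {
    "subject": ((("organizationName", "FISICA.CABIB"),),
                (("commonName", "ipaserver.fisica.cabib"),)),
    "subjectAltName": (("othername", "<unsupported>"), ("othername", "<unsupported>")),
}
# Constructed: the same certificate with the dNSName a current profile would add.
FIXED_CERT = {
    "subject": IPA_LIKE_CERT["subject"],
    "subjectAltName": IPA_LIKE_CERT["subjectAltName"] + (("DNS", "ipaserver.fisica.cabib"),),
}

if __name__ == "__main__":
    for name, cert in (("old", IPA_LIKE_CERT), ("fixed", FIXED_CERT)):
        print(name, "strict:", check_hostname(cert, "ipaserver.fisica.cabib"))
        print(name, "legacy:", check_hostname(cert, "ipaserver.fisica.cabib", cn_fallback=True))
```

The old certificate passes only with the legacy CN fallback, which is why clients built on older libraries accepted it for years; reissuing the HTTP certificate with a DNS SAN makes it pass the strict rule.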