On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
Hello Florence,
I have checked the output of the ldapsearch command and I can see the IPA CA as well as the third party CA in my /etc/ipa/ca.crt file on my IPA Server.
I even tried installing the client by giving the option ca-cert-file="" with my ca.crt file from the IPA Server copied locally to my IPA Client in one path. However, it was still giving the certificate as untrusted. Is there any issue in enrolling IPA Client Version 3.3 with IPA Server version 4.4 with a third party Certificate installed? If I use the self-signed CA of the IPA Server alone, the enrolment is carried out successfully.
Awaiting your reply.
Thanks and Regards,
Alka Murali
Hi,
IPA client 3.3 does not support installation with multiple CA certs (see BZ 1457402 [1]). In your case, as you installed IPA server with an embedded CA and then changed the HTTP and LDAP certificates with 3rd-party certs, you end up with 2 CAs (the one embedded in IPA and the 3rd-party CA), and the tool ipa-client-install is not able to download both.
You can try to follow this note: How to use a certificate from a third party Certificate Authority (CA) with Apache on IdM server [2] or the following procedure:
- copy /etc/ipa/ca.crt from the master to the client
- run ipa-client-install without the --ca-cert-file option. In this case, ipa-client-install reuses the existing /etc/ipa/ca.crt file and should complete successfully.
Flo
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1457402
[2] https://access.redhat.com/solutions/2090871
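The check Flo asks for above (does the /etc/ipa/ca.crt copied from the master hold one CA or two, and who issued each) can be scripted. This is an added example, not code from the thread or from FreeIPA; it assumes a PEM bundle in the same layout as /etc/ipa/ca.crt, and the sample bundle it runs on is constructed from placeholder blocks that openssl cannot parse, so only the counting and splitting are exercised on it.

```shell
# Inspect a CA bundle such as /etc/ipa/ca.crt copied from the IPA master:
# how many CAs it holds (the embedded IPA CA plus a 3rd-party CA makes two,
# which ipa-client-install 3.3 cannot handle) and who issued each one.
set -u

# Number of PEM certificate blocks in a bundle (no openssl needed).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into ca-NN.pem files under the directory $2.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n) }
        n > 0 { print > f }
        /^-----END CERTIFICATE-----/ { close(f) }
    ' "$1"
}

# Print subject and issuer of every CA in the bundle so the IPA CA and the
# 3rd-party CA can be told apart; degrades gracefully without openssl.
list_ca_issuers() {
    d=$(mktemp -d)
    split_pem_bundle "$1" "$d"
    for f in "$d"/ca-*.pem; do
        [ -e "$f" ] || continue
        command -v openssl >/dev/null 2>&1 \
            && openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null \
            || echo "$f: cannot parse (no openssl, or placeholder certificate)"
    done
    rm -rf "$d"
}

# 0 if the bundle has exactly one CA (safe for a 3.3 client), 1 otherwise.
bundle_ok_for_client33() {
    [ "$(count_pem_certs "$1")" -eq 1 ]
}

# Constructed sample: two placeholder PEM blocks standing in for the IPA CA
# and the 3rd-party CA (not real certificates, so openssl cannot parse them).
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSVBBLUNBLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtVEhJUkQtUEFSVFktQ0EtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
EOF

echo "CAs in bundle: $(count_pem_certs "$SAMPLE_BUNDLE")"
list_ca_issuers "$SAMPLE_BUNDLE"
bundle_ok_for_client33 "$SAMPLE_BUNDLE" || echo "more than one CA: a 3.3 client needs the workaround above"
```

Point it at a real bundle (`list_ca_issuers /etc/ipa/ca.crt`) to see both the "CN=Certificate Authority" IPA CA and the 3rd-party issuer; a count of 2 is exactly the situation BZ 1457402 describes.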
On Fri, Jul 28, 2017 at 10:17 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:
On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:
I cannot enrol and do the ipa-client-install on Ubuntu 14.04 to IPA Server (4.4). My IPA Server is having third party certificates for HTTP/LDAP. I have installed it using the suggestions in
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Other versions of Ubuntu, like 16.04, enrol fine.
Here is the error message that I get during the installation
----
cert validation failed for
"CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)
Cannot connect to the server due to generic error: cannot
connect to 'https://*.*.*.*/ipa/xml': [Errno -8172]
(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
marked as not trusted by the user.
Installation failed. Rolling back changes.
certmonger failed to start: [Errno 2] No such file or directory:
'/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory:
'/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm:
Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
-----
Is it due to my third party cert? If so, please provide a suggestion so that I can enrol my Ubuntu Client to my IPA Server.
I am attaching the logs for your reference.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
from the logs we can see that the client retrieved IPA CA cert:
2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=*.*.*
Issuer: CN=Certificate Authority,O=*.*.*
Valid From: Tue Apr 11 01:18:51 2017 UTC
Valid Until: Sat Apr 11 01:18:51 2037 UTC
but there is no trace of the 3rd-party CA, which should also be displayed here.
If there is a file /etc/ipa/ca.crt left on the client after the unsuccessful installation, can you check if it also contains the 3rd-party CA cert (i.e. the one that you added using ipa-cacert-manage)? If not, you can check on the IPA server with (replace BASEDN with your basedn, which can be found in /etc/ipa/default.conf):
$ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
The output should contain an entry corresponding to the 3rd-party CA cert. If it is missing, make sure that you run ipa-cacert-manage install and ipa-certupdate to load the 3rd-party CA before enrolling the client (ipa-cacert-manage on one of the IPA servers, ipa-certupdate on all servers/replicas/clients).
HTH,
Flo.