Here's info obtained from the same client using openssl; you can see that
the subject CN is fine.
localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 536805412 (0x1fff0024)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = FISICA.CABIB, CN = Certificate Authority
        Validity
            Not Before: Jul 14 14:25:06 2020 GMT
            Not After : Jul 15 14:25:06 2022 GMT
        Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
                    a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
                    fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
                    4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
                    db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
                    14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
                    fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
                    db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
                    0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
                    6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
                    ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
                    a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
                    65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
                    3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
                    63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
                    fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
                    d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
                    ef:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
            Authority Information Access:
                OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName:O = ipaca, CN = Certificate Authority
            X509v3 Subject Key Identifier:
                3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
            X509v3 Subject Alternative Name:
                othername: UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername: 1.3.6.1.5.2.2::<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
        a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
        ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
        bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
        1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
        6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
        e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
        91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
        66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
        c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
        5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
        77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
        68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
        38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
        dd:92:d4:68
localadmin@fisica75:~$
And more info obtained with curl:
localadmin@fisica75:~$ curl --insecure -vvI https://ipaserver.fisica.cabib
* Trying 10.reda.cted.ip:443...
* Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
* start date: Jul 14 14:25:06 2020 GMT
* expire date: Jul 15 14:25:06 2022 GMT
* issuer: O=FISICA.CABIB; CN=Certificate Authority
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
HEAD / HTTP/1.1
Host: ipaserver.fisica.cabib
User-Agent: curl/7.81.0
Accept: */*
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 27 May 2022 13:53:28 GMT
Date: Fri, 27 May 2022 13:53:28 GMT
< Server: Apache/redactedversion
Server: Apache/redactedversion
< Location: https://ipaserver.fisica.cabib/ipa/ui
Location: https://ipaserver.fisica.cabib/ipa/ui
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host ipaserver.fisica.cabib left intact
Also attached: the public cert.
On Fri, 27 May 2022 at 10:20, Rob Crittenden (rcritten(a)redhat.com)
wrote:
Gustavo Berman via FreeIPA-users wrote:
> Hello there!
>
> Ubuntu 18.04 (and previous ones) works just fine
> In Ubuntu 22.04 I'm trying to execute ipa-client-install but it fails
> with:
>
> root@fisica75:~# ipa-client-install
> This program will set up IPA client.
> Version 4.9.8
>
> WARNING: conflicting time&date synchronization service 'ntp' will be
> disabled in favor of chronyd
>
> Discovery was successful!
> Do you want to configure chrony with NTP server or pool address? [no]:
> Client hostname: fisica75.fisica.cabib
> Realm: FISICA.CABIB
> DNS Domain: fisica.cabib
> IPA Server: ipaserver.fisica.cabib
> BaseDN: dc=fisica,dc=cabib
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time
> No SRV records of NTP servers found and no NTP server or pool address
> was provided.
> Using default chrony configuration.
> Attempting to sync time with chronyc.
> Time synchronization was successful.
> User authorized to enroll computers: tavo
> Password for tavo(a)FISICA.CABIB:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=FISICA.CABIB
> Issuer: CN=Certificate Authority,O=FISICA.CABIB
> Valid From: 2014-01-14 12:56:57
> Valid Until: 2034-01-14 12:56:57
>
> Enrolled in IPA realm FISICA.CABIB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
> certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
> root@fisica75:~#
>
> There is no Hostname mismatch for the server certificate. It has been
> working just fine for years with multiple distros as clients. I can
> access the website with the same URL and cert is just fine.
>
The error message is pretty clear and comes out of openssl. Can we see
the web server certificate from that host? Can you confirm that the host
the client connected to is actually this host (e.g. DNS or /etc/host
issues)?
rob
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
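The "Hostname mismatch" error and the certificate above turn on one detail: the subjectAltName extension carries only two othername entries (a UPN and a Kerberos principal name, OID 1.3.6.1.5.2.2) and no dNSName, so the only place the host's DNS name appears is the subject CN. Whether that is accepted depends on whether the client still falls back to the CN when no dNSName SAN is present. The script below is an added example, not code from this thread or from the FreeIPA project; it models the RFC 6125 matching rules on a hand-built name set (it does not parse the PEM) and runs them over values constructed from the openssl output above, once with CN fallback enabled and once with it disabled, so you can see which configuration the certificate passes.

```python
"""RFC 6125-style server-identity check, as a worked example.

Added example, not code from the FreeIPA project or from this thread. It models
what a TLS client does with a leaf certificate: look for the requested
hostname among the subjectAltName dNSName entries and, only if there is no
dNSName entry at all, optionally fall back to the subject CN. Clients that
disable that fallback will reject a certificate whose CN "looks fine".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Identity-bearing parts of a leaf certificate (constructed by hand, not parsed)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)
    san_other: List[str] = field(default_factory=list)  # othername entries, opaque to hostname checks


def dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (from SAN or CN) against the hostname.

    Rules follow RFC 6125 section 6.4.3: comparison is case-insensitive, a
    trailing dot is ignored, a wildcard is only honoured as the complete
    left-most label (never "*.com", never "f*.example"), and it matches
    exactly one label, so "*.example.com" matches "a.example.com" but not
    "a.b.example.com" or "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: CertNames, hostname: str,
                   check_common_name: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for the given reference identity.

    If the SAN carries any dNSName entry the CN is never consulted, even when
    no dNSName matches. Othername entries are not DNS identities and do not
    count as "SAN present" for this purpose.
    """
    if cert.san_dns:
        for name in cert.san_dns:
            if dns_name_match(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, "SAN has dNSName entries but none match; CN not consulted"
    if not check_common_name:
        return False, "no SAN dNSName entry and CN fallback disabled"
    if cert.subject_cn and dns_name_match(cert.subject_cn, hostname):
        return True, f"no SAN dNSName entry; matched subject CN {cert.subject_cn!r} (legacy fallback)"
    return False, "no SAN dNSName entry and subject CN does not match"


# Constructed from the values in the openssl output in the thread: the SAN
# holds only othername entries, so the host's DNS name exists only in the CN.
IPA_HTTP_CERT = CertNames(
    subject_cn="ipaserver.fisica.cabib",
    san_dns=[],
    san_other=["UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB",
               "1.3.6.1.5.2.2::<unsupported>"],
)

# Hypothetical renewed certificate carrying a dNSName SAN (assumed, not from the thread).
IPA_HTTP_CERT_WITH_SAN = CertNames(
    subject_cn="ipaserver.fisica.cabib",
    san_dns=["ipaserver.fisica.cabib"],
    san_other=list(IPA_HTTP_CERT.san_other),
)

if __name__ == "__main__":
    for label, cert in (("as issued", IPA_HTTP_CERT), ("with dNSName SAN", IPA_HTTP_CERT_WITH_SAN)):
        for cn_fallback in (True, False):
            ok, why = check_hostname(cert, "ipaserver.fisica.cabib", check_common_name=cn_fallback)
            print(f"{label:17s} CN fallback {'on ' if cn_fallback else 'off'}: "
                  f"{'OK  ' if ok else 'FAIL'} ({why})")
```

Run it as-is to see that the certificate as issued is accepted only while the CN fallback is in effect, whereas a certificate that also carries the DNS name as a dNSName SAN is accepted in both modes. A quick way to confirm what a live server presents is `openssl x509 -noout -ext subjectAltName` on the PEM you already fetched with `s_client`: if no `DNS:` entry appears, the client is relying on the CN.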