7:37 a.m.
Hello there!
Ubuntu 18.04 (and previous ones) works just fine
In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails with:
root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be
disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was
provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo(a)FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
root@fisica75:~#
There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and cert is just fine.
Any ideas?
Thanks!
--
Gustavo Berman
8:20 a.m.
Gustavo Berman via FreeIPA-users wrote:
Hello there!
Ubuntu 18.04 (and previous ones) works just fine
In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails with:
root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be
disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address
was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo(a)FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information
root@fisica75:~#
There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can
access the website with the same URL and cert is just fine.
The error message is pretty clear and comes out of openssl. Can we see
the web server certificate from that host? Can you confirm that the host
the client connected to is actually this host (e.g. DNS or /etc/host
issues)?
rob
9:05 a.m.
Here's info obtained from the same client using openssl, you can se that
subject CN is fine.
localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 536805412 (0x1fff0024)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = FISICA.CABIB, CN = Certificate Authority
Validity
Not Before: Jul 14 14:25:06 2020 GMT
Not After : Jul 15 14:25:06 2022 GMT
Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
ef:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
Authority Information Access:
OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
CRL Issuer:
DirName:O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
X509v3 Subject Alternative Name:
othername: UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB,
othername: 1.3.6.1.5.2.2::<unsupported>
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
dd:92:d4:68
localadmin@fisica75:~$
And more info obtained with curl:
localadmin@fisica75:~$ curl --insecure -vvI https://ipaserver.fisica.cabib
* Trying 10.reda.cted.ip:443...
* Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
* start date: Jul 14 14:25:06 2020 GMT
* expire date: Jul 15 14:25:06 2022 GMT
* issuer: O=FISICA.CABIB; CN=Certificate Authority
* SSL certificate verify result: self-signed certificate in certificate
chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
HEAD / HTTP/1.1
Host: ipaserver.fisica.cabib
User-Agent: curl/7.81.0
Accept: */*
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 27 May 2022 13:53:28 GMT
Date: Fri, 27 May 2022 13:53:28 GMT
< Server: Apache/redactedversion
Server: Apache/redactedversion
< Location: https://ipaserver.fisica.cabib/ipa/ui
Location: https://ipaserver.fisica.cabib/ipa/ui
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host ipaserver.fisica.cabib left intact
Also attached public cert
El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcritten(a)redhat.com)
escribió:
Gustavo Berman via FreeIPA-users wrote:
> Hello there!
>
> Ubuntu 18.04 (and previous ones) works just fine
> In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails
with:
>
> root@fisica75:~# ipa-client-install
> This program will set up IPA client.
> Version 4.9.8
>
> WARNING: conflicting time&date synchronization service 'ntp' will be
> disabled in favor of chronyd
>
> Discovery was successful!
> Do you want to configure chrony with NTP server or pool address? [no]:
> Client hostname: fisica75.fisica.cabib
> Realm: FISICA.CABIB
> DNS Domain: fisica.cabib
> IPA Server: ipaserver.fisica.cabib
> BaseDN: dc=fisica,dc=cabib
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time
> No SRV records of NTP servers found and no NTP server or pool address
> was provided.
> Using default chrony configuration.
> Attempting to sync time with chronyc.
> Time synchronization was successful.
> User authorized to enroll computers: tavo
> Password for tavo(a)FISICA.CABIB:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=FISICA.CABIB
> Issuer: CN=Certificate Authority,O=FISICA.CABIB
> Valid From: 2014-01-14 12:56:57
> Valid Until: 2034-01-14 12:56:57
>
> Enrolled in IPA realm FISICA.CABIB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
> certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
> root@fisica75:~#
>
> There is no Hostname mismatch for the server certificate. It has been
> working just fine for years with multiple distros as clients. I can
> access the website with the same URL and cert is just fine.
>
The error message is pretty clear and comes out of openssl. Can we see
the web server certificate from that host? Can you confirm that the host
the client connected to is actually this host (e.g. DNS or /etc/host
issues)?
rob
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
9:23 a.m.
Thanks, this is very helpful. I wonder if the same s_client and curl
commands work from the Ubuntu 22.04 machine or if they'll fail in the
same way.
The cert lacks a DNS SAN for the hostname. I suspect this may be the
issue (using the CN has been deprecated forever but was still allowed in
most libraries). What version of OpenSSL is on 22.04?
rob
Gustavo Berman wrote:
Here's info obtained from the same client using openssl, you can
se that
subject CN is fine.
localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
openssl x509 -inform pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 536805412 (0x1fff0024)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = FISICA.CABIB, CN = Certificate Authority
Validity
Not Before: Jul 14 14:25:06 2020 GMT
Not After : Jul 15 14:25:06 2022 GMT
Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
ef:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
Authority Information Access:
OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment,
Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
CRL Issuer:
DirName:O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
X509v3 Subject Alternative Name:
othername:
UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername:
1.3.6.1.5.2.2::<unsupported>
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
dd:92:d4:68
localadmin@fisica75:~$
And more info obtained with curl:
localadmin@fisica75:~$ curl --insecure -vvI https://ipaserver.fisica.cabib
* Trying 10.reda.cted.ip:443...
* Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
* start date: Jul 14 14:25:06 2020 GMT
* expire date: Jul 15 14:25:06 2022 GMT
* issuer: O=FISICA.CABIB; CN=Certificate Authority
* SSL certificate verify result: self-signed certificate in certificate
chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/1.1
> Host: ipaserver.fisica.cabib
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Fri, 27 May 2022 13:53:28 GMT
Date: Fri, 27 May 2022 13:53:28 GMT
< Server: Apache/redactedversion
Server: Apache/redactedversion
< Location: https://ipaserver.fisica.cabib/ipa/ui
Location: https://ipaserver.fisica.cabib/ipa/ui
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host ipaserver.fisica.cabib left intact
Also attached public cert
El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcritten(a)redhat.com
<mailto:rcritten@redhat.com>) escribió:
Gustavo Berman via FreeIPA-users wrote:
> Hello there!
>
> Ubuntu 18.04 (and previous ones) works just fine
> In Ubuntu 22.04 I'm trying to execute ipa-client install but it
fails with:
>
> root@fisica75:~# ipa-client-install
> This program will set up IPA client.
> Version 4.9.8
>
> WARNING: conflicting time&date synchronization service 'ntp' will
be
> disabled in favor of chronyd
>
> Discovery was successful!
> Do you want to configure chrony with NTP server or pool address? [no]:
> Client hostname: fisica75.fisica.cabib
> Realm: FISICA.CABIB
> DNS Domain: fisica.cabib
> IPA Server: ipaserver.fisica.cabib
> BaseDN: dc=fisica,dc=cabib
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time
> No SRV records of NTP servers found and no NTP server or pool address
> was provided.
> Using default chrony configuration.
> Attempting to sync time with chronyc.
> Time synchronization was successful.
> User authorized to enroll computers: tavo
> Password for tavo(a)FISICA.CABIB:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=FISICA.CABIB
> Issuer: CN=Certificate Authority,O=FISICA.CABIB
> Valid From: 2014-01-14 12:56:57
> Valid Until: 2034-01-14 12:56:57
>
> Enrolled in IPA realm FISICA.CABIB
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname
mismatch,
> certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
> The ipa-client-install command failed. See
> /var/log/ipaclient-install.log for more information
> root@fisica75:~#
>
> There is no Hostname mismatch for the server certificate. It has been
> working just fine for years with multiple distros as clients. I can
> access the website with the same URL and cert is just fine.
>
The error message is pretty clear and comes out of openssl. Can we see
the web server certificate from that host? Can you confirm that the host
the client connected to is actually this host (e.g. DNS or /etc/host
issues)?
rob
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
9:38 a.m.
OpenSSL 3.0.2-0ubuntu1.1 is installed in 22.04
Previous email with openssl and curl commands were runt in ubuntu 22.04
El vie, 27 may 2022 a la(s) 11:23, Rob Crittenden (rcritten(a)redhat.com)
escribió:
Thanks, this is very helpful. I wonder if the same s_client and curl
commands work from the Ubuntu 22.04 machine or if they'll fail in the
same way.
The cert lacks a DNS SAN for the hostname. I suspect this may be the
issue (using the CN has been deprecated forever but was still allowed in
most libraries). What version of OpenSSL is on 22.04?
rob
Gustavo Berman wrote:
> Here's info obtained from the same client using openssl, you can se that
> subject CN is fine.
>
> localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
> ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
> openssl x509 -inform pem -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 536805412 (0x1fff0024)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: O = FISICA.CABIB, CN = Certificate Authority
> Validity
> Not Before: Jul 14 14:25:06 2020 GMT
> Not After : Jul 15 14:25:06 2022 GMT
> Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> 00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
> a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
> fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
> 4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
> db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
> 14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
> fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
> db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
> 0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
> 6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
> ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
> a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
> 65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
> 3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
> 63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
> fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
> d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
> ef:ab
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Authority Key Identifier:
>
F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
> Authority Information Access:
> OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Key Encipherment,
> Data Encipherment
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client
Authentication
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
> CRL Issuer:
> DirName:O = ipaca, CN = Certificate Authority
> X509v3 Subject Key Identifier:
>
3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
> X509v3 Subject Alternative Name:
> othername:
> UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername:
> 1.3.6.1.5.2.2::<unsupported>
> Signature Algorithm: sha256WithRSAEncryption
> Signature Value:
> b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
> a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
> ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
> bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
> 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
> 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
> e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
> 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
> 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
> c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
> 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
> 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
> 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
> 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
> dd:92:d4:68
> localadmin@fisica75:~$
>
>
> And more info obtained with curl:
>
> localadmin@fisica75:~$ curl --insecure -vvI
https://ipaserver.fisica.cabib
> * Trying 10.reda.cted.ip:443...
> * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS header, Finished (20):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS header, Finished (20):
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> * subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
> * start date: Jul 14 14:25:06 2020 GMT
> * expire date: Jul 15 14:25:06 2022 GMT
> * issuer: O=FISICA.CABIB; CN=Certificate Authority
> * SSL certificate verify result: self-signed certificate in certificate
> chain (19), continuing anyway.
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
>> HEAD / HTTP/1.1
>> Host: ipaserver.fisica.cabib
>> User-Agent: curl/7.81.0
>> Accept: */*
>>
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 301 Moved Permanently
> HTTP/1.1 301 Moved Permanently
> < Date: Fri, 27 May 2022 13:53:28 GMT
> Date: Fri, 27 May 2022 13:53:28 GMT
> < Server: Apache/redactedversion
> Server: Apache/redactedversion
> < Location: https://ipaserver.fisica.cabib/ipa/ui
> Location: https://ipaserver.fisica.cabib/ipa/ui
> < Content-Type: text/html; charset=iso-8859-1
> Content-Type: text/html; charset=iso-8859-1
>
> <
> * Connection #0 to host ipaserver.fisica.cabib left intact
>
> Also attached public cert
>
>
>
>
> El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>) escribió:
>
> Gustavo Berman via FreeIPA-users wrote:
> > Hello there!
> >
> > Ubuntu 18.04 (and previous ones) works just fine
> > In Ubuntu 22.04 I'm trying to execute ipa-client install but it
> fails with:
> >
> > root@fisica75:~# ipa-client-install
> > This program will set up IPA client.
> > Version 4.9.8
> >
> > WARNING: conflicting time&date synchronization service 'ntp'
will
be
> > disabled in favor of chronyd
> >
> > Discovery was successful!
> > Do you want to configure chrony with NTP server or pool address?
[no]:
> > Client hostname: fisica75.fisica.cabib
> > Realm: FISICA.CABIB
> > DNS Domain: fisica.cabib
> > IPA Server: ipaserver.fisica.cabib
> > BaseDN: dc=fisica,dc=cabib
> >
> > Continue to configure the system with these values? [no]: yes
> > Synchronizing time
> > No SRV records of NTP servers found and no NTP server or pool
address
> > was provided.
> > Using default chrony configuration.
> > Attempting to sync time with chronyc.
> > Time synchronization was successful.
> > User authorized to enroll computers: tavo
> > Password for tavo(a)FISICA.CABIB:
> > Successfully retrieved CA cert
> > Subject: CN=Certificate Authority,O=FISICA.CABIB
> > Issuer: CN=Certificate Authority,O=FISICA.CABIB
> > Valid From: 2014-01-14 12:56:57
> > Valid Until: 2034-01-14 12:56:57
> >
> > Enrolled in IPA realm FISICA.CABIB
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
> > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname
> mismatch,
> > certificate is not valid for 'ipaserver.fisica.cabib'.
(_ssl.c:997)
> > The ipa-client-install command failed. See
> > /var/log/ipaclient-install.log for more information
> > root@fisica75:~#
> >
> > There is no Hostname mismatch for the server certificate. It has
been
> > working just fine for years with multiple distros as clients. I can
> > access the website with the same URL and cert is just fine.
> >
>
> The error message is pretty clear and comes out of openssl. Can we
see
> the web server certificate from that host? Can you confirm that the
host
> the client connected to is actually this host (e.g. DNS or /etc/host
> issues)?
>
> rob
>
>
>
> --
> Gustavo Berman
> Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
12:09 p.m.
[solved]
As stated, SAN was missing in my certificates
I resubmitted my certificate at the ipa server adding SAN with:
# getcert resubmit -i <certmonger_request_id> -D $(hostname)
Now I can execute ipa-client-install without a problem!
Thanks!
El vie, 27 may 2022 a la(s) 11:38, Gustavo Berman (gustavoberman(a)gmail.com)
escribió:
OpenSSL 3.0.2-0ubuntu1.1 is installed in 22.04
Previous email with openssl and curl commands were runt in ubuntu 22.04
El vie, 27 may 2022 a la(s) 11:23, Rob Crittenden (rcritten(a)redhat.com)
escribió:
> Thanks, this is very helpful. I wonder if the same s_client and curl
> commands work from the Ubuntu 22.04 machine or if they'll fail in the
> same way.
>
> The cert lacks a DNS SAN for the hostname. I suspect this may be the
> issue (using the CN has been deprecated forever but was still allowed in
> most libraries). What version of OpenSSL is on 22.04?
>
> rob
>
> Gustavo Berman wrote:
> > Here's info obtained from the same client using openssl, you can se that
> > subject CN is fine.
> >
> > localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
> > ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
> > openssl x509 -inform pem -noout -text
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 536805412 (0x1fff0024)
> > Signature Algorithm: sha256WithRSAEncryption
> > Issuer: O = FISICA.CABIB, CN = Certificate Authority
> > Validity
> > Not Before: Jul 14 14:25:06 2020 GMT
> > Not After : Jul 15 14:25:06 2022 GMT
> > Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > Public-Key: (2048 bit)
> > Modulus:
> > 00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
> > a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
> > fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
> > 4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
> > db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
> > 14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
> > fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
> > db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
> > 0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
> > 6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
> > ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
> > a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
> > 65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
> > 3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
> > 63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
> > fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
> > d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
> > ef:ab
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Authority Key Identifier:
> >
> F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
> > Authority Information Access:
> > OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
> > X509v3 Key Usage: critical
> > Digital Signature, Non Repudiation, Key Encipherment,
> > Data Encipherment
> > X509v3 Extended Key Usage:
> > TLS Web Server Authentication, TLS Web Client
> Authentication
> > X509v3 CRL Distribution Points:
> > Full Name:
> > URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
>
> > CRL Issuer:
> > DirName:O = ipaca, CN = Certificate Authority
> > X509v3 Subject Key Identifier:
> >
> 3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
> > X509v3 Subject Alternative Name:
> > othername:
> > UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername:
> > 1.3.6.1.5.2.2::<unsupported>
> > Signature Algorithm: sha256WithRSAEncryption
> > Signature Value:
> > b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
> > a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
> > ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
> > bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
> > 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
> > 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
> > e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
> > 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
> > 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
> > c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
> > 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f:
> > 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17:
> > 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b:
> > 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03:
> > dd:92:d4:68
> > localadmin@fisica75:~$
> >
> >
> > And more info obtained with curl:
> >
> > localadmin@fisica75:~$ curl --insecure -vvI
> https://ipaserver.fisica.cabib
> > * Trying 10.reda.cted.ip:443...
> > * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > * TLSv1.2 (OUT), TLS header, Finished (20):
> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > * TLSv1.2 (IN), TLS header, Finished (20):
> > * TLSv1.2 (IN), TLS header, Certificate Status (22):
> > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > * ALPN, server did not agree to a protocol
> > * Server certificate:
> > * subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib
> > * start date: Jul 14 14:25:06 2020 GMT
> > * expire date: Jul 15 14:25:06 2022 GMT
> > * issuer: O=FISICA.CABIB; CN=Certificate Authority
> > * SSL certificate verify result: self-signed certificate in certificate
> > chain (19), continuing anyway.
> > * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> >> HEAD / HTTP/1.1
> >> Host: ipaserver.fisica.cabib
> >> User-Agent: curl/7.81.0
> >> Accept: */*
> >>
> > * TLSv1.2 (IN), TLS header, Supplemental data (23):
> > * Mark bundle as not supporting multiuse
> > < HTTP/1.1 301 Moved Permanently
> > HTTP/1.1 301 Moved Permanently
> > < Date: Fri, 27 May 2022 13:53:28 GMT
> > Date: Fri, 27 May 2022 13:53:28 GMT
> > < Server: Apache/redactedversion
> > Server: Apache/redactedversion
> > < Location: https://ipaserver.fisica.cabib/ipa/ui
> > Location: https://ipaserver.fisica.cabib/ipa/ui
> > < Content-Type: text/html; charset=iso-8859-1
> > Content-Type: text/html; charset=iso-8859-1
> >
> > <
> > * Connection #0 to host ipaserver.fisica.cabib left intact
> >
> > Also attached public cert
> >
> >
> >
> >
> > El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcritten(a)redhat.com
> > <mailto:rcritten@redhat.com>) escribió:
> >
> > Gustavo Berman via FreeIPA-users wrote:
> > > Hello there!
> > >
> > > Ubuntu 18.04 (and previous ones) works just fine
> > > In Ubuntu 22.04 I'm trying to execute ipa-client install but it
> > fails with:
> > >
> > > root@fisica75:~# ipa-client-install
> > > This program will set up IPA client.
> > > Version 4.9.8
> > >
> > > WARNING: conflicting time&date synchronization service
'ntp' will
> be
> > > disabled in favor of chronyd
> > >
> > > Discovery was successful!
> > > Do you want to configure chrony with NTP server or pool address?
> [no]:
> > > Client hostname: fisica75.fisica.cabib
> > > Realm: FISICA.CABIB
> > > DNS Domain: fisica.cabib
> > > IPA Server: ipaserver.fisica.cabib
> > > BaseDN: dc=fisica,dc=cabib
> > >
> > > Continue to configure the system with these values? [no]: yes
> > > Synchronizing time
> > > No SRV records of NTP servers found and no NTP server or pool
> address
> > > was provided.
> > > Using default chrony configuration.
> > > Attempting to sync time with chronyc.
> > > Time synchronization was successful.
> > > User authorized to enroll computers: tavo
> > > Password for tavo(a)FISICA.CABIB:
> > > Successfully retrieved CA cert
> > > Subject: CN=Certificate Authority,O=FISICA.CABIB
> > > Issuer: CN=Certificate Authority,O=FISICA.CABIB
> > > Valid From: 2014-01-14 12:56:57
> > > Valid Until: 2034-01-14 12:56:57
> > >
> > > Enrolled in IPA realm FISICA.CABIB
> > > Created /etc/ipa/default.conf
> > > Configured /etc/sssd/sssd.conf
> > > Configured /etc/krb5.conf for IPA realm FISICA.CABIB
> > > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json':
> [SSL:
> > > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname
> > mismatch,
> > > certificate is not valid for 'ipaserver.fisica.cabib'.
> (_ssl.c:997)
> > > The ipa-client-install command failed. See
> > > /var/log/ipaclient-install.log for more information
> > > root@fisica75:~#
> > >
> > > There is no Hostname mismatch for the server certificate. It has
> been
> > > working just fine for years with multiple distros as clients. I
> can
> > > access the website with the same URL and cert is just fine.
> > >
> >
> > The error message is pretty clear and comes out of openssl. Can we
> see
> > the web server certificate from that host? Can you confirm that the
> host
> > the client connected to is actually this host (e.g. DNS or /etc/host
> > issues)?
> >
> > rob
> >
> >
> >
> > --
> > Gustavo Berman
> > Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
>
>
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
--
Gustavo Berman
Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
5:13 a.m.
Same here on Fedora37
After installing Fedora37 and freeipa-client 4.10.1 I try to connect the server using:
```
ipa-client-install --mkhomedir --force-join
```
and fail with the error
```
cannot connect to 'https://<IPASERVER-FQDN>ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is
not valid for '<IPASERVER-FQDN>'. (_ssl.c:992)
```
1. The server uses a self-signed certificate, and the CN is matched the
<IPASERVER-FQDN>,
2. The same process works as expected on other clients running freeipa-client 4.9.6 (with
Fedora34)
@Gustavo, did you manage to deal with it?
FREEIPA-CLIENT: 4.10.1
FREEIPA SERVER: 4.6.8
API_VERSION: 2.237
6:48 a.m.
oops, I replied to the first post and missed the whole thread,
I see it's a DNS SAN issue I'll try adding it
484
days inactive
701
days old
freeipa-users@lists.fedorahosted.org
7 comments
3 participants
participants (3)
-
Beni Peled -
Gustavo Berman -
Rob Crittenden