Hi Martin,

this is the output from the id1 host:

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C

Looks just like you suggested. Any other suggestion?

On 7 November 2016 at 10:56, Martin Babinsky <[email protected]> wrote:
> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I have a FreeIPA installation that is working very nicely, we already
>> have configured many hosts and so far we are quite happy with it.
>>
>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>> freeipa.py script
>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>
>> Unfortunately when I run it, I get the following:
>>
>> ipa: ERROR: cert validation failed for
>> "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>> certificate issuer has been marked as not trusted by the user.)
>> ipa: ERROR: cert validation failed for
>> "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>> certificate issuer has been marked as not trusted by the user.)
>> Traceback (most recent call last):
>>   File "./freeipa.py", line 82, in <module>
>>     api = initialize()
>>   File "./freeipa.py", line 17, in initialize
>>     api.Backend.rpcclient.connect()
>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>     conn = self.create_connection(*args, **kw)
>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>     error=', '.join(urls))
>> ipalib.errors.NetworkError: cannot connect to 'any of the configured
>> servers': https://id1.prod.xxxxxxxx.com/ipa/json,
>> https://id2.prod.xxxxxxxx.com/ipa/json
>>
>> If I curl the URL, it works just fine (I imported the CA Certificate in
>> the system directory /etc/ssl/certs).
>>
>> I have run `openssl s_client` connect and downloaded the remote
>> certificate locally, then I run:
>>
>> # openssl verify cert.pem
>> id1.prod.xxxxxxxx.com.pem: OK
>>
>> Would you help me figure out what's going on?
>>
>> --
>> Alessandro De Maria
>> [email protected]
>>
>
> Hi Alessandro,
>
> this error can mean that the CA certificate in IPA NSS database has wrong
> trust flags set. Please make sure that there is IPA CA certificate present
> on /etc/httpd/alias and it has trust flags CT,C,C like this:
>
> # certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> <$REALM> IPA CA                                              CT,C,C
>
> --
> Martin^3 Babinsky
>

--
Alessandro De Maria
[email protected]
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
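The check Martin describes (the IPA CA entry in the NSS database must carry the CT,C,C trust flags) can be scripted so it is not done by eye. The script below is an added example, not code from this thread or from FreeIPA: it parses a `certutil -L` listing, looks up a nickname, and tests whether the SSL trust column contains both C and T, printing the `certutil -M` invocation that would correct the flags otherwise. The two listings are constructed to mirror the output posted above; the nickname PROD.EXAMPLE.COM IPA CA, the database directory and the /etc/ipa/ca.crt path are assumptions. Note that the SEC_ERROR_UNTRUSTED_ISSUER in the traceback is raised by ipalib on the Ansible host, so the same check is worth running there against the NSS database that client uses (its path is not given in the thread), not only against the server's /etc/httpd/alias.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): verify the trust flags
# of a CA entry in a `certutil -L` listing.

# Constructed listing mirroring the server output posted in the thread.
# The realm in the nickname is an assumption.
CA_NICK='PROD.EXAMPLE.COM IPA CA'
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      CT,C,C
'

# Constructed listing where the CA is present but carries no trust (",,"),
# so NSS will not accept it as the issuer of the server certificate.
SAMPLE_LISTING_BAD='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      ,,
'

# trust_flags LISTING NICKNAME
# Prints the trust-attribute column (e.g. CT,C,C) for NICKNAME, or nothing
# if the nickname is absent. The flags are the last field and the nickname
# is everything before them, so nicknames containing spaces are handled.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF
            name = $0
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", name)
            sub(/^[[:space:]]+/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# ca_trust_ok LISTING NICKNAME
# Exit 0 when the SSL trust flags (first comma-separated group) contain both
# C (trusted CA) and T (trusted to issue client certs), as in CT,C,C;
# exit 1 when the entry exists with other flags; exit 2 when it is missing.
ca_trust_ok() {
    flags=$(trust_flags "$1" "$2")
    [ -n "$flags" ] || return 2
    ssl_flags=${flags%%,*}
    case "$ssl_flags" in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_nss_ca LISTING NICKNAME DBDIR
# Prints a one-line verdict and, when something is wrong, the certutil
# command that would fix it (printed, not executed). /etc/ipa/ca.crt as the
# CA source is an assumption. Exit status is that of ca_trust_ok.
check_nss_ca() {
    ca_trust_ok "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) printf 'OK: "%s" in %s has trust flags %s\n' \
               "$2" "$3" "$(trust_flags "$1" "$2")" ;;
        1) printf 'WRONG TRUST: "%s" in %s has %s; fix with: certutil -M -d %s -n "%s" -t "CT,C,C"\n' \
               "$2" "$3" "$(trust_flags "$1" "$2")" "$3" "$2" ;;
        *) printf 'MISSING: no "%s" in %s; import it with: certutil -A -d %s -n "%s" -t "CT,C,C" -a -i /etc/ipa/ca.crt\n' \
               "$2" "$3" "$3" "$2" ;;
    esac
    return $rc
}

# Stand-alone demo over the constructed listings. Against a live database:
#   check_nss_ca "$(certutil -L -d /etc/httpd/alias)" "$CA_NICK" /etc/httpd/alias
for listing in "$SAMPLE_LISTING" "$SAMPLE_LISTING_BAD"; do
    check_nss_ca "$listing" "$CA_NICK" /etc/httpd/alias || :
done
```

Only the first group of flags is inspected because that is the SSL column; a CA that is trusted for S/MIME or code signing but not for SSL would still produce the untrusted-issuer error seen in the traceback.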
