Hi Martin,

I tried from the host I am executing the script from, and I get:

certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

From the FreeIPA server, as I said previously, I get:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C

From the FreeIPA server, I seem to be able to run the script, so we are definitely on the right track.

How do I get the /etc/httpd/alias/ in sync across these hosts? Can I copy it, or is there a way to regenerate it?

Regards
Alessandro

On 7 November 2016 at 15:36, Alessandro De Maria <[email protected]> wrote:

> Hi Martin, this is the output from the id1 host:
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                                 u,u,u
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>
> It looks just like you suggested. Any other suggestion?
>
> On 7 November 2016 at 10:56, Martin Babinsky <[email protected]> wrote:
>
>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>
>>> Hello,
>>>
>>> I have a FreeIPA installation that is working very nicely; we already
>>> have configured many hosts and so far we are quite happy with it.
>>>
>>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>>> freeipa.py script
>>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>>
>>> Unfortunately when I run it, I get the following:
>>>
>>> ipa: ERROR: cert validation failed for
>>> "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>>> certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cert validation failed for
>>> "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>>> certificate issuer has been marked as not trusted by the user.)
>>> Traceback (most recent call last):
>>>   File "./freeipa.py", line 82, in <module>
>>>     api = initialize()
>>>   File "./freeipa.py", line 17, in initialize
>>>     api.Backend.rpcclient.connect()
>>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>>     conn = self.create_connection(*args, **kw)
>>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>>     error=', '.join(urls))
>>> ipalib.errors.NetworkError: cannot connect to 'any of the configured
>>> servers': https://id1.prod.xxxxxxxx.com/ipa/json,
>>> https://id2.prod.xxxxxxxx.com/ipa/json
>>>
>>> If I curl the URL, it works just fine (I imported the CA Certificate in
>>> the system directory /etc/ssl/certs).
>>>
>>> I have run `openssl s_client` connect and downloaded the remote
>>> certificate locally, then I run:
>>>
>>> # openssl verify cert.pem
>>> # id1.prod.xxxxxxxx.com.pem: OK
>>>
>>> Would you help me figure out what's going on?
>>>
>>> --
>>> Alessandro De Maria
>>> [email protected]
>>
>> Hi Alessandro,
>>
>> this error can mean that the CA certificate in the IPA NSS database has
>> wrong trust flags set. Please make sure that there is an IPA CA certificate
>> present in /etc/httpd/alias and that it has trust flags CT,C,C like this:
>>
>> # certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> <$REALM> IPA CA                                              CT,C,C
>>
>> --
>> Martin^3 Babinsky
>
> --
> Alessandro De Maria
> [email protected]

--
Alessandro De Maria
[email protected]
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
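The check Martin describes above (an "... IPA CA" certificate present in the NSS database with trust flags CT,C,C), together with the database-format prefixes relevant to the SEC_ERROR_LEGACY_DATABASE error Alessandro hit on the client, as an added example that is not part of the thread and not FreeIPA's own code. It assumes certutil from nss-tools is on PATH when run against a real database, that the CA nickname ends in "IPA CA", and that the database path is /etc/httpd/alias as in the thread. The two listings embedded in the script are constructed, modelled on the thread's output, so the parsing and the trust-flag test can be exercised offline. The `sql:` and `dbm:` prefixes make the NSS database format explicit; when a plain `-d DIR` fails with SEC_ERROR_LEGACY_DATABASE, the certutil build and the files on disk disagree on the format, and trying both prefixes tells you whether the tool can read the database in either one.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code).
# Verifies that an NSS certificate database holds the IPA CA with CA trust
# for SSL, and shows the sql:/dbm: format prefixes for certutil.
# Assumptions: certutil (nss-tools) on PATH for the real-database functions;
# the CA nickname ends in "IPA CA"; default path /etc/httpd/alias as in the thread.

# Constructed sample of `certutil -L` output, modelled on the server listing
# in the thread (not captured from a real host).
SAMPLE_OK='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      CT,C,C'

# Constructed sample of a bad state: the CA was imported with no trust flags,
# which is what certutil shows as ",,".
SAMPLE_BAD='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
PROD.EXAMPLE.COM IPA CA                                      ,,'

# ca_trust_from_listing LISTING
# Prints the trust column of the line whose nickname ends in "IPA CA".
# Nicknames contain spaces, so the trust string is taken as the last field.
# Prints nothing if no such certificate is listed.
ca_trust_from_listing() {
    printf '%s\n' "$1" | awk '/IPA CA/ { print $NF }'
}

# ssl_slot_trusts_ca TRUST
# Returns 0 when the SSL slot (first comma-separated field, e.g. "CT" in
# "CT,C,C") marks the cert as a trusted CA ("C") and does not carry the
# explicit distrust flag ("p"); returns 1 otherwise.
ssl_slot_trusts_ca() {
    ssl=${1%%,*}
    case "$ssl" in
        *p*) return 1 ;;
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# nss_list DIR
# Runs certutil -L against DIR, first with no prefix, then with the explicit
# sql: and dbm: format prefixes. Prints the first listing that succeeds.
nss_list() {
    dir=${1:-/etc/httpd/alias}
    for prefix in "" sql: dbm:; do
        if out=$(certutil -L -d "${prefix}${dir}" 2>/dev/null); then
            printf '%s\n' "$out"
            return 0
        fi
    done
    echo "cannot open NSS database at $dir with any format prefix" >&2
    return 1
}

# check_db DIR
# End-to-end check on a real database: open it, find the IPA CA, test its
# SSL trust, and print the certutil -M command that sets CT,C,C if needed.
check_db() {
    listing=$(nss_list "$1") || return 2
    trust=$(ca_trust_from_listing "$listing")
    if [ -z "$trust" ]; then
        echo "no '... IPA CA' certificate in $1; import the CA first" >&2
        return 1
    fi
    if ssl_slot_trusts_ca "$trust"; then
        echo "IPA CA trust is '$trust': OK"
        return 0
    fi
    echo "IPA CA trust is '$trust'; fix with:" >&2
    echo "  certutil -M -d sql:$1 -n '<REALM> IPA CA' -t 'CT,C,C'" >&2
    echo "(use dbm: instead of sql: if only that prefix opened the database)" >&2
    return 1
}

# Stand-alone use: sh check_ipa_ca_trust.sh /etc/httpd/alias
if [ "$#" -gt 0 ]; then
    check_db "$1"
fi
```

Run it on the host that executes freeipa.py. On the question of copying /etc/httpd/alias between hosts, one caveat from the server listing itself: Signing-Cert, ipaCert and Server-Cert carry trust u,u,u, which means the database holds their private keys, so copying that directory to another host would copy the server's private keys along with it. A client only needs the CA certificate; on an enrolled IPA client it is typically at /etc/ipa/ca.crt, and it can be imported into an NSS database with `certutil -A -d sql:DIR -n '<REALM> IPA CA' -t 'CT,C,C' -i /etc/ipa/ca.crt`.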
