On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
Hi Martin,
I tried from the host I am executing the script from, and I get:
certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
From the FreeIPA server, as I said previously, I get:
certutil -L -d /etc/httpd/alias/
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
Signing-Cert                                u,u,u
ipaCert                                     u,u,u
Server-Cert                                 u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA               CT,C,C
From the FreeIPA server, I seem to be able to run the script, so we are definitely on the right track.
How do I get the /etc/httpd/alias/ in sync across these hosts? Can I copy it, or is there a way to regenerate it?
Regards
Alessandro
On 7 November 2016 at 15:36, Alessandro De Maria <[email protected]> wrote:
Hi Martin, this is the output from the id1 host:
certutil -L -d /etc/httpd/alias/
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
Signing-Cert                                u,u,u
ipaCert                                     u,u,u
Server-Cert                                 u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA               CT,C,C
Looks just like you suggested. Any other suggestion?
On 7 November 2016 at 10:56, Martin Babinsky <[email protected]> wrote:
On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
Hello,
I have a FreeIPA installation that is working very nicely, we already have configured many hosts and so far we are quite happy with it.
I was trying to connect Ansible to fetch hosts from FreeIPA using the freeipa.py script (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py).
Unfortunately when I run it, I get the following:
ipa: ERROR: cert validation failed for "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Traceback (most recent call last):
  File "./freeipa.py", line 82, in <module>
    api = initialize()
  File "./freeipa.py", line 17, in initialize
    api.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
    error=', '.join(urls))
ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json
If I curl the URL, it works just fine (I imported the CA Certificate in the system directory /etc/ssl/certs).
I have run `openssl s_client` connect and downloaded the remote certificate locally, then I run:
# openssl verify cert.pem
# id1.prod.xxxxxxxx.com.pem: OK
Would you help me figure out what's going on?
--
Alessandro De Maria
[email protected]
Hi Alessandro,
this error can mean that the CA certificate in the IPA NSS database has wrong trust flags set. Please make sure that there is an IPA CA certificate present in /etc/httpd/alias and that it has trust flags CT,C,C like this:
# certutil -L -d /etc/httpd/alias/
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
ipaCert                                     u,u,u
Server-Cert                                 u,u,u
<$REALM> IPA CA                             CT,C,C
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Alessandro,
I have just realized that this may be a client-side problem. On the executor you may need to import the CA certificate from the IPA server into the local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.
Or you can just enroll the node as an IPA client and it will set up all this stuff for you.
--
Martin^3 Babinsky
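As an added example (not code from this thread, from FreeIPA or from the ansible inventory script), a small Python checker that parses `certutil -L` output the way a practitioner would before chasing SEC_ERROR_UNTRUSTED_ISSUER: it confirms a `<REALM> IPA CA` entry exists with CT,C,C trust, that the service certs keep u,u,u, and it recognises the legacy-database error from the first message. The listing and the PROD.EXAMPLE.COM realm are constructed sample input.

```python
import re
from typing import Dict, List

# Constructed sample of `certutil -L -d <nssdb>` output, modelled on the
# listing in the thread; the realm name is a placeholder, not a real domain.
SAMPLE_LISTING = """\
Certificate Nickname                                Trust Attributes
                                                    SSL,S/MIME,JAR/XPI

Signing-Cert                                        u,u,u
ipaCert                                             u,u,u
Server-Cert                                         u,u,u
PROD.EXAMPLE.COM IPA CA                             CT,C,C
"""

# One certutil entry: a nickname (which may contain spaces, hence the lazy
# match) followed by three comma-separated NSS trust fields: SSL, S/MIME, JAR/XPI.
ENTRY_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> 'SSL,S/MIME,JAR/XPI' trust string from certutil -L output."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header lines carry no comma-separated flags and are skipped
            certs[m.group("nick")] = m.group("flags")
    return certs


def check_ipa_nssdb(listing: str) -> List[str]:
    """Return a list of problems found; an empty list means the DB looks usable."""
    if "SEC_ERROR_LEGACY_DATABASE" in listing:
        return ["NSS database is in the legacy (dbm) format; certutil could not read it"]
    certs = parse_certutil_listing(listing)
    problems: List[str] = []
    ca_nicks = [n for n in certs if n.endswith(" IPA CA")]
    if not ca_nicks:
        problems.append("no '<REALM> IPA CA' certificate present")
    for nick in ca_nicks:
        ssl_flags = certs[nick].split(",")[0]
        # C = trusted CA for SSL, T = trusted to issue client certs: the CT,C,C Martin expects
        if "C" not in ssl_flags or "T" not in ssl_flags:
            problems.append(f"{nick!r} has trust {certs[nick]!r}, expected CT,C,C")
    for nick in ("ipaCert", "Server-Cert"):
        if nick in certs and certs[nick] != "u,u,u":
            problems.append(f"{nick!r} has trust {certs[nick]!r}, expected u,u,u")
    return problems
```

Feed it the captured output of `certutil -L -d /etc/ipa/nssdb` (or /etc/httpd/alias on a server) to see which of the two conditions in this thread applies.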