Hello Martin, still no luck unfortunately.

The client is an ubuntu 14.04 server, and I believe it is enrolled already. The /etc/ipa/ca.pem is correct and already installed, and I even added it to the /etc/ssl/certs directory (which is why my curl command in the first email does not complain). Commands like *kinit* work just fine, and I have never experienced a problem which would make me doubt the enrollment of this client.

I run the following commands:

# mkdir /etc/ipa/nssdb
# certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
# chmod +r /etc/ipa/nssdb/*
# certutil -L -d /etc/ipa/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PROD.XXXXXXXX.COM IPA CA                                     CT,C,C

But I am still unable to run the script. Is there anything else I need to do? Do I need to restart some components? Any log I could look into?

Thank you

On 8 November 2016 at 07:56, Martin Babinsky <[email protected]> wrote:

> On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
>
>> Hi Martin,
>>
>> I tried from the host I am executing the script from, and I get:
>>
>> certutil -L -d /etc/httpd/alias/
>> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>>
>> From the FreeIPA server, as I said previously, I get:
>>
>> certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Signing-Cert                                                 u,u,u
>> ipaCert                                                      u,u,u
>> Server-Cert                                                  u,u,u
>> PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>>
>> From the FreeIPA server, I seem to be able to run the script, so we are definitely on the right track.
>> How do I get the /etc/httpd/alias/ in sync across these hosts? Can I copy it, or is there a way to regenerate it?
>>
>> Regards
>> Alessandro
>>
>> On 7 November 2016 at 15:36, Alessandro De Maria <[email protected]> wrote:
>>
>>> Hi Martin, this is the output from the id1 host:
>>>
>>> certutil -L -d /etc/httpd/alias/
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> Signing-Cert                                                 u,u,u
>>> ipaCert                                                      u,u,u
>>> Server-Cert                                                  u,u,u
>>> PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C
>>>
>>> looks just like you suggested. Any other suggestion?
>>>
>>> On 7 November 2016 at 10:56, Martin Babinsky <[email protected]> wrote:
>>>
>>>> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I have a FreeIPA installation that is working very nicely, we already have configured many hosts and so far we are quite happy with it.
>>>>>
>>>>> I was trying to connect Ansible to fetch hosts from FreeIPA using the freeipa.py script
>>>>> (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
>>>>>
>>>>> Unfortunately when I run it, I get the following:
>>>>>
>>>>> ipa: ERROR: cert validation failed for "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>>>> ipa: ERROR: cert validation failed for "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>>>> Traceback (most recent call last):
>>>>>   File "./freeipa.py", line 82, in <module>
>>>>>     api = initialize()
>>>>>   File "./freeipa.py", line 17, in initialize
>>>>>     api.Backend.rpcclient.connect()
>>>>>   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
>>>>>     conn = self.create_connection(*args, **kw)
>>>>>   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
>>>>>     error=', '.join(urls))
>>>>> ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json
>>>>>
>>>>> If I curl the URL, it works just fine (I imported the CA Certificate in the system directory /etc/ssl/certs).
>>>>>
>>>>> I have run `openssl s_client` connect and downloaded the remote certificate locally, then I run:
>>>>>
>>>>> # openssl verify cert.pem
>>>>> # id1.prod.xxxxxxxx.com.pem: OK
>>>>>
>>>>> Would you help me figure out what's going on?
>>>>>
>>>>> --
>>>>> Alessandro De Maria
>>>>> [email protected]
>>>>
>>>> Hi Alessandro,
>>>>
>>>> this error can mean that the CA certificate in IPA NSS database has wrong trust flags set. Please make sure that there is IPA CA certificate present on /etc/httpd/alias and it has trust flags CT,C,C like this:
>>>>
>>>> # certutil -L -d /etc/httpd/alias/
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> ipaCert                                                      u,u,u
>>>> Server-Cert                                                  u,u,u
>>>> <$REALM> IPA CA                                              CT,C,C
>>>>
>>>> --
>>>> Martin^3 Babinsky
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Alessandro De Maria
>>> [email protected]
>>
>> --
>> Alessandro De Maria
>> [email protected]
>
> Alessandro,
>
> I have just realized that this may be client-side problem. On the executor you may need to import CA certificate from IPA server to local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as PEM file.
>
> Or you can just enroll the node as IPA client and it will set up all this stuff for you.
>
> --
> Martin^3 Babinsky

--
Alessandro De Maria
[email protected]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
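The thread above turns on one check: is the IPA CA present in the client's NSS database under the expected nickname, and does it carry the CT,C,C trust flags rather than u,u,u or ,, (which is what SEC_ERROR_UNTRUSTED_ISSUER points at). The following POSIX sh script is an added example, not code from the thread or from the FreeIPA project. It parses `certutil -L` output so the check can be tested offline on constructed sample output; the realm PROD.EXAMPLE.COM, the nickname 'PROD.EXAMPLE.COM IPA CA' and the function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an NSS database lists the
# IPA CA under a given nickname with the expected trust flags.

# check_ca_trust NICKNAME WANTED_FLAGS
#   Reads `certutil -L -d <dir>` output on stdin.
#   exit 0: nickname present with exactly WANTED_FLAGS (e.g. CT,C,C)
#   exit 1: nickname present but flags differ (e.g. u,u,u or ,,)
#   exit 2: nickname not present at all
check_ca_trust() {
    awk -v nick="$1" -v want="$2" '
        NF < 2 { next }                      # blank lines and the SSL,S/MIME,JAR/XPI header
        {
            flags = $NF                      # trust attributes are the last column
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop that column; the rest is the nickname
            if (line == nick) {
                found = 1
                if (flags == want) ok = 1
            }
        }
        END { exit (found ? (ok ? 0 : 1) : 2) }
    '
}

# check_nssdb DBDIR NICKNAME
#   Runs certutil against a real database (needs certutil installed) and
#   explains the result; the fix-up hints mirror what the thread did.
check_nssdb() {
    dir=$1; nick=$2
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 3; }
    rc=0
    certutil -L -d "$dir" | check_ca_trust "$nick" 'CT,C,C' || rc=$?
    case $rc in
        0) echo "OK: '$nick' in $dir is trusted as a CA (CT,C,C)" ;;
        1) echo "WRONG FLAGS: '$nick' in $dir is present but not trusted as a CA; re-import it with -t CT,C,C" >&2 ;;
        2) echo "MISSING: '$nick' not found in $dir (or certutil could not read it); import the CA PEM with certutil -A -t CT,C,C" >&2 ;;
    esac
    return $rc
}

# Constructed sample, modelled on the listing in the thread: CA imported with -t CT,C,C.
sample_good() {
    printf '%s\n' \
        'Certificate Nickname                                         Trust Attributes' \
        '                                                             SSL,S/MIME,JAR/XPI' \
        '' \
        'Server-Cert                                                  u,u,u' \
        'PROD.EXAMPLE.COM IPA CA                                      CT,C,C'
}

# Constructed sample of the failure mode: CA present but with no trust flags,
# which is one way to end up with SEC_ERROR_UNTRUSTED_ISSUER.
sample_untrusted() {
    printf '%s\n' \
        'Certificate Nickname                                         Trust Attributes' \
        '                                                             SSL,S/MIME,JAR/XPI' \
        '' \
        'Server-Cert                                                  u,u,u' \
        'PROD.EXAMPLE.COM IPA CA                                      ,,'
}

# Usage: sh check_ipa_ca.sh /etc/ipa/nssdb 'PROD.EXAMPLE.COM IPA CA'
if [ $# -ge 2 ]; then
    check_nssdb "$1" "$2"
fi
```

The three trust slots in certutil's output are SSL, S/MIME and JAR/XPI; C marks the entry as a trusted CA for server certificates and T as a trusted CA for client certificates, so CT,C,C is what lets NSS accept a server certificate issued by the IPA CA. One caveat: if certutil itself fails (as with the SEC_ERROR_LEGACY_DATABASE the thread hit), the pipeline sees no output and the check reports the CA as missing, so read certutil's own stderr before re-importing anything.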
