Thank you Rob and Martin, the correct place on Ubuntu seems to be: /etc/pki/nssdb/

This directory does not seem to be initialised by the ipa-client-install tool.
Now my script still doesn't work, but offers brand new errors :)

Thank you

On 8 November 2016 at 14:55, Rob Crittenden <[email protected]> wrote:
> Alessandro De Maria wrote:
> > Hello Martin,
> >
> > still no luck unfortunately.
> >
> > The client is an ubuntu 14.04 server, and I believe it is enrolled already.
> >
> > The /etc/ipa/ca.pem is correct and already installed, and I even added
> > it to the /etc/ssl/certs directory (which is why my curl command in the
> > first email does not complain)
>
> The client normally uses /etc/ipa/nssdb for NSS. I'm not sure how this
> is handled on Ubuntu clients but you'll need to confirm that whatever
> Ubuntu uses exists and has the IPA CA certificate installed.
>
> rob
>
> > Commands like kinit work just fine, and I have never experienced a
> > problem which would make me doubt the enrollment of this client.
> >
> > I ran the following commands:
> > # mkdir /etc/ipa/nssdb
> > # certutil -A -d /etc/ipa/nssdb -n 'PROD.XXXXXXXXX.COM IPA CA' -t CT,C,C -a < /etc/ipa/ca.crt
> > # chmod +r /etc/ipa/nssdb/*
> > # certutil -L -d /etc/ipa/nssdb
> >
> > Certificate Nickname                          Trust Attributes
> >                                               SSL,S/MIME,JAR/XPI
> >
> > PROD.XXXXXXXX.COM IPA CA                      CT,C,C
> >
> > But I am still unable to run the script.
> > Is there anything else I need to do? Do I need to restart some
> > components? Any log I could look into?
> >
> > Thank you
> >
> > On 8 November 2016 at 07:56, Martin Babinsky <[email protected]> wrote:
> > > On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
> > > > Hi Martin,
> > > >
> > > > I tried from the host I am executing the script from, and I get:
> > > > certutil -L -d /etc/httpd/alias/
> > > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > > > certificate/key database is in an old, unsupported format.
> > > >
> > > > From the FreeIPA server, as I said previously, I get:
> > > >
> > > > certutil -L -d /etc/httpd/alias/
> > > >
> > > > Certificate Nickname                          Trust Attributes
> > > >                                               SSL,S/MIME,JAR/XPI
> > > >
> > > > Signing-Cert                                  u,u,u
> > > > ipaCert                                       u,u,u
> > > > Server-Cert                                   u,u,u
> > > > PROD.XXXXXXXXXXXXX.COM IPA CA                 CT,C,C
> > > >
> > > > From the FreeIPA server, I seem to be able to run the script, so we are
> > > > definitely on the right track.
> > > > How do I get the /etc/httpd/alias/ in sync across these hosts? Can I
> > > > copy it, or is there a way to regenerate it?
> > > >
> > > > Regards
> > > > Alessandro
> > > >
> > > > On 7 November 2016 at 15:36, Alessandro De Maria <[email protected]> wrote:
> > > > > Hi Martin, this is the output from the id1 host:
> > > > >
> > > > > certutil -L -d /etc/httpd/alias/
> > > > >
> > > > > Certificate Nickname                          Trust Attributes
> > > > >                                               SSL,S/MIME,JAR/XPI
> > > > >
> > > > > Signing-Cert                                  u,u,u
> > > > > ipaCert                                       u,u,u
> > > > > Server-Cert                                   u,u,u
> > > > > PROD.XXXXXXXXXXXXX.COM IPA CA                 CT,C,C
> > > > >
> > > > > looks just like you suggested. Any other suggestion?
> > > > >
> > > > > On 7 November 2016 at 10:56, Martin Babinsky <[email protected]> wrote:
> > > > > > On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I have a FreeIPA installation that is working very nicely, we already
> > > > > > > have configured many hosts and so far we are quite happy with it.
> > > > > > >
> > > > > > > I was trying to connect Ansible to fetch hosts from FreeIPA using the
> > > > > > > freeipa.py script
> > > > > > > (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py)
> > > > > > >
> > > > > > > Unfortunately when I run it, I get the following:
> > > > > > >
> > > > > > > ipa: ERROR: cert validation failed for
> > > > > > > "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> > > > > > > Peer's certificate issuer has been marked as not trusted by the user.)
> > > > > > > ipa: ERROR: cert validation failed for
> > > > > > > "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> > > > > > > Peer's certificate issuer has been marked as not trusted by the user.)
> > > > > > > Traceback (most recent call last):
> > > > > > >   File "./freeipa.py", line 82, in <module>
> > > > > > >     api = initialize()
> > > > > > >   File "./freeipa.py", line 17, in initialize
> > > > > > >     api.Backend.rpcclient.connect()
> > > > > > >   File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
> > > > > > >     conn = self.create_connection(*args, **kw)
> > > > > > >   File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
> > > > > > >     error=', '.join(urls))
> > > > > > > ipalib.errors.NetworkError: cannot connect to 'any of the configured servers':
> > > > > > > https://id1.prod.xxxxxxxx.com/ipa/json, https://id2.prod.xxxxxxxx.com/ipa/json
> > > > > > >
> > > > > > > If I curl the URL, it works just fine (I imported the CA Certificate in
> > > > > > > the system directory /etc/ssl/certs).
> > > > > > >
> > > > > > > I have run `openssl s_client` connect and downloaded the remote
> > > > > > > certificate locally, then I ran:
> > > > > > >
> > > > > > > # openssl verify cert.pem
> > > > > > > # id1.prod.xxxxxxxx.com.pem: OK
> > > > > > >
> > > > > > > Would you help me figure out what's going on?
> > > > > > >
> > > > > > > --
> > > > > > > Alessandro De Maria
> > > > > > > [email protected]
> > > > > >
> > > > > > Hi Alessandro,
> > > > > >
> > > > > > this error can mean that the CA certificate in the IPA NSS database has
> > > > > > wrong trust flags set. Please make sure that there is an IPA CA
> > > > > > certificate present in /etc/httpd/alias and it has trust flags CT,C,C
> > > > > > like this:
> > > > > >
> > > > > > # certutil -L -d /etc/httpd/alias/
> > > > > >
> > > > > > Certificate Nickname                          Trust Attributes
> > > > > >                                               SSL,S/MIME,JAR/XPI
> > > > > >
> > > > > > ipaCert                                       u,u,u
> > > > > > Server-Cert                                   u,u,u
> > > > > > <$REALM> IPA CA                               CT,C,C
> > > > > >
> > > > > > --
> > > > > > Martin^3 Babinsky
> > > > > >
> > > > > > --
> > > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > > Go to http://freeipa.org for more info on the project
> > > > >
> > > > > --
> > > > > Alessandro De Maria
> > > > > [email protected]
> > > >
> > > > --
> > > > Alessandro De Maria
> > > > [email protected]
> > >
> > > Alessandro,
> > >
> > > I have just realized that this may be a client-side problem. On the
> > > executor you may need to import the CA certificate from the IPA server to
> > > the local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.
> > >
> > > Or you can just enroll the node as an IPA client and it will set up all
> > > this stuff for you.
> > >
> > > --
> > > Martin^3 Babinsky
> >
> > --
> > Alessandro De Maria
> > [email protected]

--
Alessandro De Maria
[email protected]
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
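Added example, not code from the thread or from the FreeIPA project: a small POSIX shell check that confirms an NSS database lists the IPA CA certificate with the CT,C,C trust flags Martin's reply asks for, which is the condition behind the SEC_ERROR_UNTRUSTED_ISSUER failures above. It parses `certutil -L` output passed in as text, so it runs offline against the constructed listings embedded below; the realm EXAMPLE.COM, the function names and the report wording are assumptions of this example. On a real client you would feed it `certutil -L -d /etc/ipa/nssdb` (or /etc/pki/nssdb on the Ubuntu client discussed in the thread).

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): verify that the IPA CA
# certificate in an NSS database carries the CT,C,C trust flags. The
# functions take `certutil -L` output as their first argument, e.g.
#   check_ipa_ca_trust "$(certutil -L -d /etc/ipa/nssdb)"
# (/etc/pki/nssdb on the Ubuntu client from the thread). Realm EXAMPLE.COM
# and the function names are assumptions made for this example.

# Print the trust flags of the certificate whose nickname ends in "IPA CA".
# certutil prints the nickname first and the trust string in the last column,
# so the last whitespace-separated field is the flags even when the nickname
# contains spaces (e.g. "EXAMPLE.COM IPA CA"). Prints nothing if absent.
ipa_ca_trust_flags() {
    printf '%s\n' "$1" | awk '/IPA CA/ { print $NF; exit }'
}

# Return 0 only when the IPA CA is present with exactly CT,C,C: C marks it a
# trusted CA in each of the SSL, S/MIME and JAR/XPI columns, T additionally
# trusts it to issue client certificates. A missing certificate or one
# imported with other flags (for example u,u,u) returns 1.
check_ipa_ca_trust() {
    [ "$(ipa_ca_trust_flags "$1")" = "CT,C,C" ]
}

# Human-readable verdict for one listing; handy when looping over several
# databases on a fleet of clients.
report_ipa_ca_trust() {
    if check_ipa_ca_trust "$1"; then
        printf 'OK: IPA CA trust flags are %s\n' "$(ipa_ca_trust_flags "$1")"
    else
        printf 'FAIL: IPA CA missing or wrong trust flags (got "%s", want CT,C,C)\n' \
            "$(ipa_ca_trust_flags "$1")"
    fi
}

# Constructed sample listings modelled on the output quoted in the thread.
GOOD_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Signing-Cert                                  u,u,u
ipaCert                                       u,u,u
Server-Cert                                   u,u,u
EXAMPLE.COM IPA CA                            CT,C,C'

# Constructed: CA imported without -t CT,C,C, so it is stored but not trusted.
BAD_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                            u,u,u'

# Constructed: freshly created database with no certificates at all.
EMPTY_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI
'

report_ipa_ca_trust "$GOOD_LISTING"
report_ipa_ca_trust "$BAD_LISTING"
report_ipa_ca_trust "$EMPTY_LISTING"
```

The check deliberately compares the whole trust string rather than just looking for the certificate, because the thread's symptom is exactly a CA that is present in the database but not trusted as an issuer; a nickname match alone would pass the u,u,u case.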
