So, what version should work, or what provides the output in "what is expected"? Tried xenial or newer?
** Changed in: freeipa (Ubuntu)
       Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
  freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

Status in freeipa package in Ubuntu:
  Incomplete

Bug description:
  Ubuntu version - Ubuntu 14.04.5 LTS
  freeipa-client package version - 3.3.4-0ubuntu3.1

  What is expected:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Discovery was successful!
  Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  Synchronizing time with KDC...
  Attempting to sync time using ntpd. Will timeout after 15 seconds
  Attempting to sync time using ntpd. Will timeout after 15 seconds
  Attempting to sync time using ntpd. Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  User authorized to enroll computers: enroll.user
  Password for enroll.u...@id.domain.com:
  Successfully retrieved CA cert
      Subject:     CN=Certificate Authority,O=ID.DOMAIN.COM
      Issuer:      CN=Certificate Authority,O=ID.DOMAIN.COM
      Valid From:  Wed Oct 19 14:54:08 2016 UTC
      Valid Until: Sun Oct 19 14:54:08 2036 UTC

      Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Valid From:  Tue May 30 10:48:38 2000 UTC
      Valid Until: Sat May 30 10:48:38 2020 UTC

      Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Valid From:  Tue May 30 10:48:38 2000 UTC
      Valid Until: Sat May 30 10:48:38 2020 UTC

      Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Tue Jan 19 00:00:00 2010 UTC
      Valid Until: Mon Jan 18 23:59:59 2038 UTC

      Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Wed Feb 12 00:00:00 2014 UTC
      Valid Until: Sun Feb 11 23:59:59 2029 UTC

      Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Valid From:  Tue May 30 10:48:38 2000 UTC
      Valid Until: Sat May 30 10:48:38 2020 UTC

      Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Wed Feb 12 00:00:00 2014 UTC
      Valid Until: Sun Feb 11 23:59:59 2029 UTC

      Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Tue Jan 19 00:00:00 2010 UTC
      Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured sudoers in /etc/nsswitch.conf
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  trying https://directory.id.domain.com/ipa/json
  Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
  Forwarding 'ca_is_enabled' to json server 'https://directory.id.domain.com/ipa/json'
  Systemwide CA database updated.
  Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
  Forwarding 'host_mod' to json server 'https://directory.id.domain.com/ipa/json'
  Could not update DNS SSHFP records.
  SSSD enabled
  Configured /etc/openldap/ldap.conf
  NTP enabled
  Configured /etc/ssh/ssh_config
  Configured /etc/ssh/sshd_config
  Configuring id.domain.com as NIS domain.
  Client configuration complete.

  What happened instead:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Using existing certificate '/etc/ipa/ca.crt'.
  Discovery was successful!
  Hostname: freeradius.id.domain.com
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory2.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  User authorized to enroll computers: enroll.user
  Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Password for enroll.u...@id.domain.com:
  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  cert validation failed for "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
  Connection to https://directory2.id.domain.com/ipa/xml failed with [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
  cert validation failed for "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
  Connection to https://directory.id.domain.com/ipa/xml failed with [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
  Cannot connect to the server due to generic error: cannot connect to 'Gettext('any of the configured servers', domain='ipa', localedir=None)': https://directory2.id.domain.com/ipa/xml, https://directory.id.domain.com/ipa/xml
  Installation failed. Rolling back changes.
  certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
  certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
  Unenrolling client from IPA server
  Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
  Removing Kerberos service principals from /etc/krb5.keytab
  Disabling client Kerberos and LDAP configurations
  Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
  SSSD service could not be stopped
  Restoring client configuration files
  nscd daemon is not installed, skip configuration
  nslcd daemon is not installed, skip configuration
  Client uninstall complete.