[Freeipa] [Bug 1635568] [NEW] freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
Public bug reported:

Ubuntu version - Ubuntu 14.04.5 LTS
freeipa-client package version - 3.3.4-0ubuntu3.1

What is expected:

root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
Discovery was successful!
Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
Realm: ID.DOMAIN.COM
DNS Domain: id.domain.com
IPA Server: directory.id.domain.com
BaseDN: dc=id,dc=domain,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: enroll.user
Password for enroll.u...@id.domain.com:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ID.DOMAIN.COM
    Issuer:      CN=Certificate Authority,O=ID.DOMAIN.COM
    Valid From:  Wed Oct 19 14:54:08 2016 UTC
    Valid Until: Sun Oct 19 14:54:08 2036 UTC

    Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From:  Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC

    Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From:  Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC

    Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From:  Tue Jan 19 00:00:00 2010 UTC
    Valid Until: Mon Jan 18 23:59:59 2038 UTC

    Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From:  Wed Feb 12 00:00:00 2014 UTC
    Valid Until: Sun Feb 11 23:59:59 2029 UTC

    Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From:  Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC

    Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From:  Wed Feb 12 00:00:00 2014 UTC
    Valid Until: Sun Feb 11 23:59:59 2029 UTC

    Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From:  Tue Jan 19 00:00:00 2010 UTC
    Valid Until: Mon Jan 18 23:59:59 2038 UTC

Enrolled in IPA realm ID.DOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
trying https://directory.id.domain.com/ipa/json
Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://directory.id.domain.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server 'https://directory.id.domain.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring id.domain.com as NIS domain.
Client configuration complete.

What happened instead:

root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Hostname: freeradius.id.domain.com
Realm: ID.DOMAIN.COM
DNS Domain: id.domain.com
IPA Server: directory2.id.domain.com
BaseDN: dc=id,dc=domain,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: enroll.user
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for enroll.u...@id.domain.com:
Enrolled in IPA realm ID.DOMAIN.COM
Created /etc/ipa/default.conf
New SSSD
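A check for what the client is about to trust, added here as an example; it is not part of the bug report or of FreeIPA. It parses the Subject/Issuer/Valid lines that ipa-client-install prints when it retrieves the CA bundle (the sample below is constructed from the output above, abridged to four entries) and reports which entries are self-signed roots, which are cross-signed intermediates, which are served twice, and which had already expired at a given date. The function names parse_ca_summary and audit are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the ipa-client-install output in the report above.
# Every entry listed here lands in the client's CA trust store, so it is worth knowing what each one is.
CA_SUMMARY = """
    Subject:     CN=Certificate Authority,O=ID.DOMAIN.COM
    Issuer:      CN=Certificate Authority,O=ID.DOMAIN.COM
    Valid From:  Wed Oct 19 14:54:08 2016 UTC
    Valid Until: Sun Oct 19 14:54:08 2036 UTC
    Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From:  Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC
    Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From:  Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC
    Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From:  Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC
"""
FIELD = re.compile(r"^\s*(Subject|Issuer|Valid From|Valid Until):\s*(.+?)\s*$")
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"  # the date layout ipa-client-install prints

def parse_ca_summary(text):
    """Group each run of the four summary fields into one dict per certificate."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        if len(cur) == 4:  # Valid Until is the last field of a block
            certs.append(cur)
            cur = {}
    return certs

def audit(certs, as_of):
    """Classify entries; as_of is an ISO date such as '2021-01-01'. Returns lists of subjects."""
    now = datetime.fromisoformat(as_of)
    seen, roots, inter, dups, expired = set(), [], [], [], []
    for c in certs:
        key = (c["Subject"], c["Issuer"], c["Valid From"], c["Valid Until"])
        if key in seen:
            dups.append(c["Subject"])  # the same entry served more than once
            continue
        seen.add(key)
        (roots if c["Subject"] == c["Issuer"] else inter).append(c["Subject"])
        if datetime.strptime(c["Valid Until"], DATE_FMT) < now:
            expired.append(c["Subject"])
    return roots, inter, dups, expired
```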
[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
Hello, Timo! Sorry, I forgot to mention in "What is expected" the tested Ubuntu version. The "What is expected" ipa-client-install run was tested on Ubuntu 16.04 clients, and it worked. The problem is that 3/4 of our server infrastructure is running Ubuntu 14.04. We're planning to gradually move to 16.04, but for now I just wanted to know if it is possible to use 3rd party certificates with FreeIPA and Ubuntu 14.04 clients.

https://bugs.launchpad.net/bugs/1635568
Title: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
Status in freeipa package in Ubuntu: Incomplete