On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:
I cannot enrol or run ipa-client-install on Ubuntu 14.04 against IPA Server 
(4.4). My IPA Server has third-party certificates for HTTP/LDAP. I have 
installed it using the suggestions in

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Other versions of Ubuntu, like 16.04, enrol fine.

Here is the error message that I get during the installation

----
cert validation failed for "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
certificate issuer has been marked as not trusted by the user.)
Cannot connect to the server due to generic error: cannot connect to 
'https://*.*.*.*/ipa/xml': [Errno -8172] 
(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted 
by the user.
Installation failed. Rolling back changes.
certmonger failed to start: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration 
file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to 
/etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
-----

Is it due to my third-party cert? If so, please provide a suggestion so that I 
can enrol my Ubuntu client to my IPA Server.

I am attaching the logs for your reference.



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi,

from the logs we can see that the client retrieved the IPA CA cert:
2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=*.*.*
    Issuer:      CN=Certificate Authority,O=*.*.*
    Valid From:  Tue Apr 11 01:18:51 2017 UTC
    Valid Until: Sat Apr 11 01:18:51 2037 UTC
but there is no trace of the 3rd-party CA, which should also be displayed here.

If there is a file /etc/ipa/ca.crt left on the client after the unsuccessful installation, can you check if it also contains the 3rd-party CA cert (i.e. the one that you added using ipa-cacert-manage)? If not, you can check on the IPA server with (replace BASEDN with your base DN, which can be found in /etc/ipa/default.conf):
$ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

The output should contain an entry corresponding to the 3rd-party CA cert. If it is missing, make sure that you run ipa-cacert-manage install and ipa-certupdate to load the 3rd-party CA before enrolling the client (ipa-cacert-manage on one of the IPA servers, ipa-certupdate on all servers/replicas/clients).

HTH,
Flo.
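An added example, not FreeIPA code and not part of Flo's reply: a standard-library Python script that performs the check suggested above on the client side. It lists Subject, Issuer and SHA-256 fingerprint of every certificate in an IPA CA bundle such as /etc/ipa/ca.crt (the same fields the install log prints for the retrieved CA) and reports whether a given CA file (the 3rd-party CA that was passed to ipa-cacert-manage install) is in that bundle. The file paths are assumptions; the demo certificates are constructed, unsigned, certificate-shaped DER blobs with made-up names so the script runs offline. The DER walker only reads issuer and subject and does no validation, so it is a presence check, not a trust check.

```python
"""Added example (not FreeIPA's code): list CAs in an IPA CA bundle such as
/etc/ipa/ca.crt and check whether a given CA is present. Demo certs below are
constructed, unsigned certificate-shaped blobs, not real CAs."""
import base64, hashlib, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def pem_to_ders(text):
    """Split a PEM bundle into the DER bytes of each certificate."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl/certutil print."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def _name_to_str(buf, start, end):
    """Render an X.501 Name (SEQUENCE OF SET OF {oid, value}) as 'CN=..,O=..' (RFC 4514 order)."""
    parts, pos = [], start
    while pos < end:
        _, p, set_end, pos = _tlv(buf, pos)                 # RelativeDistinguishedName SET
        while p < set_end:
            _, atv, _, p = _tlv(buf, p)                      # AttributeTypeAndValue SEQUENCE
            _, oid_s, oid_e, val = _tlv(buf, atv)
            _, val_s, val_e, _ = _tlv(buf, val)
            parts.append(f"{OID_NAMES.get(buf[oid_s:oid_e], '?')}={buf[val_s:val_e].decode('utf-8', 'replace')}")
    return ",".join(reversed(parts))

def cert_names(der):
    """Walk TBSCertificate just far enough to return (subject, issuer)."""
    _, pos, _, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _, _ = _tlv(der, pos)               # TBSCertificate SEQUENCE
    tag, _, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos = nxt
    _, _, _, pos = _tlv(der, pos)               # serialNumber
    _, _, _, pos = _tlv(der, pos)               # signature AlgorithmIdentifier
    _, iss_s, iss_e, pos = _tlv(der, pos)       # issuer
    _, _, _, pos = _tlv(der, pos)               # validity
    _, sub_s, sub_e, _ = _tlv(der, pos)         # subject
    return _name_to_str(der, sub_s, sub_e), _name_to_str(der, iss_s, iss_e)

def list_bundle(text):
    """One record per certificate in the bundle, in file order."""
    return [dict(zip(("subject", "issuer", "sha256"), (*cert_names(d), fingerprint(d)))) for d in pem_to_ders(text)]

def bundle_contains(bundle_text, ca_text):
    """True when every certificate in ca_text is in bundle_text (matched by SHA-256)."""
    have = {fingerprint(d) for d in pem_to_ders(bundle_text)}
    want = [fingerprint(d) for d in pem_to_ders(ca_text)]
    return bool(want) and all(f in have for f in want)

def _der(tag, payload):                         # DER encoder, used only to build demo material
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _name(**attrs):
    """Encode a Name with one attribute per RDN, in the order given (DER order)."""
    oids = {v: k for k, v in OID_NAMES.items()}
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, oids[k]) + _der(0x0C, v.encode()))) for k, v in attrs.items())
    return _der(0x30, rdns)

def make_demo_cert(org, cn):
    """Constructed, self-issued, unsigned certificate-shaped blob: enough structure for cert_names()."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"170411011851Z") + _der(0x17, b"370411011851Z"))
    name = _name(O=org, CN=cn)
    spki = _der(0x30, alg + _der(0x03, b"\x00"))                              # placeholder key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

IPA_CA = to_pem(make_demo_cert("EXAMPLE.TEST", "Certificate Authority"))     # like the CA the log showed
THIRD_PARTY_CA = to_pem(make_demo_cert("Example Corp", "Example Corp Root CA"))  # made-up 3rd-party CA
BUNDLE_WITHOUT = IPA_CA                     # bundle as in the failed enrolment (3rd-party CA missing)
BUNDLE_WITH = IPA_CA + THIRD_PARTY_CA       # bundle after ipa-cacert-manage install + ipa-certupdate

if __name__ == "__main__":
    # usage: python3 check_ca_bundle.py /etc/ipa/ca.crt third-party-ca.pem   (no args: demo data)
    bundle, ca = (open(sys.argv[1]).read(), open(sys.argv[2]).read()) if len(sys.argv) > 2 else (BUNDLE_WITHOUT, THIRD_PARTY_CA)
    for rec in list_bundle(bundle):
        print(f"Subject: {rec['subject']}\n  Issuer: {rec['issuer']}\n  SHA256: {rec['sha256']}")
    print("expected CA present in bundle:", bundle_contains(bundle, ca))
```

With the two paths the script compares the real files; without arguments it runs on the constructed demo bundle, which, like the failed enrolment, carries only the IPA CA. The fingerprint it prints is the same value `openssl x509 -noout -fingerprint -sha256 -in file.pem` reports, so it can be compared directly with what the server shows in cn=certificates,cn=ipa,cn=etc.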