Hello Florence,

I have checked the output for the ldapsearch command and I can see the IPA
CA as well as the third party CA on my /etc/ipa/ca.crt file on my IPA
Server.

I even tried installing the client by giving the option ca-cert-file=""
with my ca.crt file from the IPA Server copied locally to my IPA Client in one
path. However, it was still giving the certificate as untrusted. Is there
any issue in enrolling IPA Client Version 3.3 with IPA Server version 4.4
with a third-party certificate installed? If I use the self-signed CA of the
IPA Server alone, the enrolment is carried out successfully.

Awaiting your reply.

Thanks and Regards,
Alka Murali

On Fri, Jul 28, 2017 at 10:17 PM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:
>
>> I cannot enrol and do the ipa-client-install on Ubuntu 14.04 to IPA
>> Server (4.4). My IPA Server has third-party certificates for
>> HTTP/LDAP. I have installed it using the suggestions in
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> Other versions of Ubuntu, like 16.04, are enrolled fine.
>>
>> Here is the error message that I get during the installation
>>
>> ----
>> cert validation failed for "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER)
>> Peer's certificate issuer has been marked as not trusted by the user.)
>> Cannot connect to the server due to generic error: cannot connect to
>> 'https://*.*.*.*/ipa/xml': [Errno
>> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not trusted by the user.
>> Installation failed. Rolling back changes.
>> certmonger failed to start: [Errno 2] No such file or directory:
>> '/var/run/ipa/services.list'
>> certmonger failed to stop: [Errno 2] No such file or directory:
>> '/var/run/ipa/services.list'
>> Unenrolling client from IPA server
>> Unenrolling host failed: Error getting default Kerberos realm:
>> Configuration file does not specify default realm.
>>
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>> SSSD service could not be stopped
>> Restoring client configuration files
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>> -----
>>
>> Is it due to my third-party cert? If so, please provide a suggestion so
>> that I can enrol my Ubuntu Client to my IPA Server.
>>
>> I am attaching the logs for your reference.
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
> Hi,
>
> from the logs we can see that the client retrieved the IPA CA cert:
> 2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=*.*.*
>     Issuer:      CN=Certificate Authority,O=*.*.*
>     Valid From:  Tue Apr 11 01:18:51 2017 UTC
>     Valid Until: Sat Apr 11 01:18:51 2037 UTC
> but there is no trace of the 3rd-party CA, which should also be displayed
> here.
>
> If there is a file /etc/ipa/ca.crt left on the client after the
> unsuccessful installation, can you check if it also contains the 3rd-party
> CA cert (i.e. the one that you added using ipa-cacert-manage)? If not, you
> can check on the IPA server with (replace BASEDN with your basedn, which can
> be found in /etc/ipa/default.conf):
> $ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>
> The output should contain an entry corresponding to the 3rd-party CA cert.
> If it is missing, make sure that you run ipa-cacert-manage install and
> ipa-certupdate to load the 3rd-party CA before enrolling the client
> (ipa-cacert-manage on one of the IPA servers, ipa-certupdate on all
> servers/replicas/clients).
>
> HTH,
> Flo.
>
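The check Flo suggests (does the client's /etc/ipa/ca.crt carry the same CA certificates as the server's?) can be done mechanically by comparing SHA-256 fingerprints of every PEM block in the two bundles. This is an added example, not code from the thread or from FreeIPA; the two "certificates" it embeds are constructed placeholder bytes, not real X.509 DER, since the comparison never parses the certificate contents.

```python
"""Compare the CA certificates in two PEM bundles (e.g. /etc/ipa/ca.crt on an
IPA server and on an enrolling client) by SHA-256 fingerprint of each cert."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle_text):
    """SHA-256 fingerprint (colon-separated hex, as openssl prints it) of every
    CERTIFICATE block in a PEM bundle, in file order. Whitespace inside the
    base64 body is ignored; a corrupt base64 body raises binascii.Error."""
    fps = []
    for body in PEM_BLOCK.findall(bundle_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fps


def missing_on_client(server_bundle, client_bundle):
    """Fingerprints present in the server's bundle but absent from the client's.
    A non-empty result means the client never received that CA, so any server
    certificate it issued fails validation (SEC_ERROR_UNTRUSTED_ISSUER)."""
    client = set(pem_fingerprints(client_bundle))
    return [fp for fp in pem_fingerprints(server_bundle) if fp not in client]


def wrap_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed sample bundles: placeholder bytes stand in for real DER certs.
IPA_CA = wrap_pem(b"constructed placeholder: IPA CA certificate bytes")
THIRD_PARTY_CA = wrap_pem(b"constructed placeholder: third-party CA bytes")
SERVER_BUNDLE = IPA_CA + THIRD_PARTY_CA   # server has both CAs
CLIENT_BUNDLE = IPA_CA                    # client only got the IPA CA

if __name__ == "__main__":
    # Usage: compare_ca.py server_ca.crt client_ca.crt (defaults to the samples)
    if len(sys.argv) == 3:
        SERVER_BUNDLE, CLIENT_BUNDLE = (open(p).read() for p in sys.argv[1:3])
    for fp in missing_on_client(SERVER_BUNDLE, CLIENT_BUNDLE):
        print("CA missing on client:", fp)
```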