On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
Hello Florence,

I have checked the output of the ldapsearch command, and I can see the IPA CA as well as the third-party CA in the /etc/ipa/ca.crt file on my IPA Server.

I even tried installing the client with the --ca-cert-file option, pointing it at a copy of the IPA Server's ca.crt that I had placed locally on the IPA Client. However, it still reported the certificate as untrusted. Is there any issue enrolling an IPA Client version 3.3 against an IPA Server version 4.4 that has a third-party certificate installed? If I use the self-signed CA of the IPA Server alone, the enrolment completes successfully.

Awaiting your reply.

Thanks and Regards,
Alka Murali

Hi,

IPA client 3.3 does not support installation with multiple CA certs (see BZ 1457402 [1]). In your case, as you installed the IPA server with an embedded CA and then replaced the HTTP and LDAP certificates with 3rd-party certs, you end up with 2 CAs (the one embedded in IPA and the 3rd-party CA), and the ipa-client-install tool is not able to download both.

You can try to follow this note, "How to use a certificate from a third party Certificate Authority (CA) with Apache on IdM server" [2], or the following procedure:
- copy /etc/ipa/ca.crt from the master to the client
- run ipa-client-install without the --ca-cert-file option. In this case, ipa-client-install reuses the existing /etc/ipa/ca.crt file and should complete successfully.

Flo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1457402
[2] https://access.redhat.com/solutions/2090871


On Fri, Jul 28, 2017 at 10:17 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:

        I cannot enrol and do the ipa-client-install on Ubuntu 14.04 to
        IPA Server (4.4). My IPA Server has third-party
        certificates for HTTP/LDAP. I installed it following the
        suggestions in

        https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

        Other versions of Ubuntu, like 16.04, enrol fine.

        Here is the error message that I get during the installation

        ----
        cert validation failed for
        "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
        issuer has been marked as not trusted by the user.)
        Cannot connect to the server due to generic error: cannot
        connect to 'https://*.*.*.*/ipa/xml': [Errno -8172]
        (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
        marked as not trusted by the user.
        Installation failed. Rolling back changes.
        certmonger failed to start: [Errno 2] No such file or directory:
        '/var/run/ipa/services.list'
        certmonger failed to stop: [Errno 2] No such file or directory:
        '/var/run/ipa/services.list'
        Unenrolling client from IPA server
        Unenrolling host failed: Error getting default Kerberos realm:
        Configuration file does not specify default realm.

        Removing Kerberos service principals from /etc/krb5.keytab
        Disabling client Kerberos and LDAP configurations
        Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
        to /etc/sssd/sssd.conf.deleted
        SSSD service could not be stopped
        Restoring client configuration files
        nscd daemon is not installed, skip configuration
        nslcd daemon is not installed, skip configuration
        Client uninstall complete.
        -----

        Is it due to my third-party cert? If so, please provide a
        suggestion so that I can enrol my Ubuntu Client to my IPA Server.

        I am attaching the logs for your reference.



        _______________________________________________
        FreeIPA-users mailing list --
        freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>
        To unsubscribe send an email to
        freeipa-users-le...@lists.fedorahosted.org
        <mailto:freeipa-users-le...@lists.fedorahosted.org>


    Hi,

    from the logs we can see that the client retrieved IPA CA cert:
    2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
         Subject:     CN=Certificate Authority,O=*.*.*
         Issuer:      CN=Certificate Authority,O=*.*.*
         Valid From:  Tue Apr 11 01:18:51 2017 UTC
         Valid Until: Sat Apr 11 01:18:51 2037 UTC
    but there is no trace of the 3rd-party CA, which should also be
    displayed here.

    If there is a file /etc/ipa/ca.crt left on the client after the
    unsuccessful installation, can you check whether it also contains the
    3rd-party CA cert (i.e. the one that you added using ipa-cacert-manage)?
    If not, you can check on the IPA server with (replace BASEDN with your
    basedn, which can be found in /etc/ipa/default.conf):
    $ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

    The output should contain an entry corresponding to the 3rd-party CA
    cert. If it is missing, make sure that you run ipa-cacert-manage
    install and ipa-certupdate to load the 3rd-party CA before enrolling
    the client (ipa-cacert-manage on one of the IPA servers, ipa-certupdate
    on all servers/replicas/clients).

    HTH,
    Flo.
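The check Flo asks for above (does the client's /etc/ipa/ca.crt really carry both the embedded IPA CA and the 3rd-party CA, or only the first one?) comes down to counting and inspecting the PEM blocks in the bundle. The script below is an added example, not code from this thread or from the FreeIPA project; its function names are hypothetical, and the two-block bundle written by make_sample_bundle is constructed placeholder data, so openssl (if installed) will report those blocks as not parseable. On a real client run `describe_bundle /etc/ipa/ca.crt` after copying the file from the master; a 3rd-party HTTP/LDAP setup should show at least two certificates, and on the server `ldapsearch -Y GSSAPI -s one -b cn=certificates,cn=ipa,cn=etc,$BASEDN dn` (needs a Kerberos ticket) should list one entry per CA to compare against.

```shell
#!/bin/sh
# Added example, not from the FreeIPA project or this thread.
# Inspect an IPA CA bundle (normally /etc/ipa/ca.crt) and report how many
# CA certificates it carries. Function names are hypothetical.

# count_pem_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_pem_bundle FILE OUTDIR: write each PEM block to OUTDIR/cert-N.pem
# and print how many blocks were written. Plain awk, so it needs no openssl.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }
    ' "$1"
}

# describe_bundle FILE: print the certificate count and, when openssl is
# available, the subject and issuer of each certificate. Succeeds only if
# the bundle holds at least two CAs (embedded IPA CA plus 3rd-party CA).
describe_bundle() {
    bundle=$1
    tmp=$(mktemp -d)
    n=$(split_pem_bundle "$bundle" "$tmp")
    echo "$bundle: $n certificate(s)"
    if command -v openssl >/dev/null 2>&1 && [ "$n" -gt 0 ]; then
        for f in "$tmp"/cert-*.pem; do
            openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null \
                || echo "  $(basename "$f"): not parseable by openssl"
        done
    fi
    rm -rf "$tmp"
    [ "$n" -ge 2 ]
}

# make_sample_bundle FILE: write a CONSTRUCTED two-block bundle for a dry run.
# The bodies are placeholder text, not real DER data, so openssl cannot
# decode them; what matters is the shape a valid multi-CA ca.crt has.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI6IElQQSBDQSAoQ049Q2VydGlmaWNhdGUgQXV0aG9yaXR5KQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI6IDNyZC1wYXJ0eSBDQSBhZGRlZCB3aXRoIGlwYS1jYWNlcnQtbWFuYWdl
-----END CERTIFICATE-----
EOF
}

# Dry run on the constructed bundle: sh ca-bundle-check.sh --demo
# On a client, source the file and call: describe_bundle /etc/ipa/ca.crt
if [ "${1:-}" = "--demo" ]; then
    make_sample_bundle /tmp/sample-ca.crt
    describe_bundle /tmp/sample-ca.crt
fi
```

If the count on the client is 1 while the server's cn=certificates container shows 2 entries, the client downloaded only the embedded IPA CA, which is exactly the 3.3 limitation described in BZ 1457402; copying the master's /etc/ipa/ca.crt over and re-running ipa-client-install without --ca-cert-file is the workaround given above.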
