Hi Florence,

Thanks for your update.

Tried copying the ca.crt file to /etc/ipa and the installation went fine.

Thanks and Regards,
Alka Murali

On Mon, Jul 31, 2017 at 3:58 PM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
>
>> Hello Florence,
>>
>> I have checked the output for the ldapsearch command and I can see the
>> IPA CA as well as the third party CA on my /etc/ipa/ca.crt file on my IPA
>> Server.
>>
>> I also tried installing the client by giving the option ca-cert-file=""
>> with my ca.crt file from the IPA Server copied locally to my IPA Client in one
>> path. However, it was still giving the certificate as untrusted. Is there
>> any issue in enrolling IPA Client Version 3.3 with IPA Server version 4.4
>> with a third party Certificate installed? If I use the self-signed CA of the IPA
>> Server alone, the enrolment is carried out successfully.
>>
>> Awaiting your reply.
>>
>> Thanks and Regards,
>> Alka Murali
>>
>
> Hi,
>
> IPA client 3.3 does not support installation with multiple CA certs (see
> BZ 1457402 [1]). In your case, as you installed IPA server with an embedded
> CA and then changed the HTTP and LDAP certificates with 3rd-party certs, you
> end up with 2 CAs (the one embedded in IPA and the 3rd-party CA), and the
> tool ipa-client-install is not able to download both.
>
> You can try to follow this note: How to use a certificate from a third
> party Certificate Authority (CA) with Apache on IdM server [2] or the
> following procedure:
> - copy /etc/ipa/ca.crt from the master to the client
> - run ipa-client-install without the --ca-cert-file option. In this case,
> ipa-client-install reuses the existing /etc/ipa/ca.crt file and should
> complete successfully.
>
> Flo
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1457402
> [2] https://access.redhat.com/solutions/2090871
>
>
>> On Fri, Jul 28, 2017 at 10:17 PM, Florence Blanc-Renaud <f...@redhat.com>
>> wrote:
>>
>>     On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:
>>
>>         I cannot enrol and do the ipa-client-install on Ubuntu 14.04 to
>>         IPA Server (4.4). My IPA Server is having third party
>>         certificates for HTTP/LDAP. I have installed it using the
>>         suggestions in
>>
>>         https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>>         Other versions of Ubuntu like 16.04 enrol fine.
>>
>>         Here is the error message that I get during the installation
>>
>>         ----
>>         cert validation failed for
>>         "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
>>         issuer has been marked as not trusted by the user.)
>>         Cannot connect to the server due to generic error: cannot
>>         connect to 'https://*.*.*.*/ipa/xml': [Errno -8172]
>>         (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>>         marked as not trusted by the user.
>>         Installation failed. Rolling back changes.
>>         certmonger failed to start: [Errno 2] No such file or directory:
>>         '/var/run/ipa/services.list'
>>         certmonger failed to stop: [Errno 2] No such file or directory:
>>         '/var/run/ipa/services.list'
>>         Unenrolling client from IPA server
>>         Unenrolling host failed: Error getting default Kerberos realm:
>>         Configuration file does not specify default realm.
>>
>>         Removing Kerberos service principals from /etc/krb5.keytab
>>         Disabling client Kerberos and LDAP configurations
>>         Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
>>         to /etc/sssd/sssd.conf.deleted
>>         SSSD service could not be stopped
>>         Restoring client configuration files
>>         nscd daemon is not installed, skip configuration
>>         nslcd daemon is not installed, skip configuration
>>         Client uninstall complete.
>>         -----
>>
>>         Is it due to my third party cert? If so, please provide a
>>         suggestion so that I can enrol my Ubuntu Client to my IPA Server.
>>
>>         I am attaching the logs for your reference.
>>
>>
>>
>>         _______________________________________________
>>         FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>         To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
>>
>>     Hi,
>>
>>     from the logs we can see that the client retrieved IPA CA cert:
>>     2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
>>          Subject:     CN=Certificate Authority,O=*.*.*
>>          Issuer:      CN=Certificate Authority,O=*.*.*
>>          Valid From:  Tue Apr 11 01:18:51 2017 UTC
>>          Valid Until: Sat Apr 11 01:18:51 2037 UTC
>>     but there is no trace of the 3rd-party CA which should also be
>>     displayed here.
>>
>>     If there is a file /etc/ipa/ca.crt left on the client after the
>>     unsuccessful installation, can you check if it also contains the
>>     3rd-party CA cert (i.e. the one that you added using ipa-cacert-manage)? If
>>     not, you can check on the IPA server with (replace BASEDN with your
>>     basedn that can be found in /etc/ipa/default.conf):
>>     $ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>>
>>     The output should contain an entry corresponding to the 3rd-party CA
>>     cert. If it is missing, make sure that you run ipa-cacert-manage
>>     install and ipa-certupdate to load the 3rd-party CA before enrolling
>>     the client (ipa-cacert-manage on one of the IPA servers, ipa-certupdate
>>     on all servers/replicas/clients).
>>
>>     HTH,
>>     Flo.
>>
>
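Florence's check above (does the copied /etc/ipa/ca.crt carry both the embedded IPA CA and the third-party CA?) as a small added script; it is not part of the thread or of FreeIPA's own tooling, and it assumes openssl is installed for printing subjects and issuers.

```shell
#!/bin/sh
# Inspect a PEM CA bundle such as /etc/ipa/ca.crt and confirm it carries
# more than one CA certificate (the embedded IPA CA plus the 3rd-party CA),
# which is what an IPA 3.3 client needs before ipa-client-install is run
# without --ca-cert-file. Added example, not FreeIPA code.

# Number of PEM certificate blocks in the bundle (0 if none or unreadable).
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Emit only the Nth (1-based) PEM block of the bundle.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# Print subject, issuer and validity of every certificate. A self-signed CA
# (the embedded IPA CA) shows the same DN as subject and issuer; the
# 3rd-party CA normally does not. Assumes openssl is on PATH.
list_certs() {
    total=$(count_certs "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        printf 'cert %s/%s:\n' "$i" "$total"
        nth_cert "$1" "$i" | openssl x509 -noout -subject -issuer -dates
        i=$((i + 1))
    done
}

# Return 0 when the bundle holds at least two certificates, 1 otherwise.
check_bundle() {
    total=$(count_certs "$1")
    if [ "$total" -ge 2 ]; then
        echo "OK: $1 contains $total certificates"
        return 0
    fi
    echo "WARN: $1 contains $total certificate(s); expected the IPA CA and the 3rd-party CA" >&2
    return 1
}

# Usage: sh check_ca_bundle.sh /etc/ipa/ca.crt
if [ "$#" -gt 0 ]; then
    list_certs "$1" && check_bundle "$1"
fi
```

Run it on the server's /etc/ipa/ca.crt and again on the copy placed on the client; a count of 1 reproduces the situation in the thread where only the embedded IPA CA was retrieved.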