Ipa cert-show is working now after copying the certificates, thanks.

The error I get is:

  Joining realm failed: libcurl failed to execute the HTTP POST transaction.
  Peer certificate cannot be authenticated with known CA certificates

I have attached the full log with debug enabled; it complains about the certificate added for HTTP:

  * About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
  *   Trying 192.168.107.171...
  * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  *   CAfile: /etc/ipa/ca.crt
        CApath: none
  * Certificate is signed by an untrusted issuer: 'CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org'
        <---------------- this CA was added by me because it is the CA of the cert for HTTPD
  * NSS error -8172
  * Expire cleared
  * Closing connection #0
  libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
  2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:

The certificates I have:

  [root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/

  Certificate Nickname                                                      Trust Attributes
                                                                            SSL,S/MIME,JAR/XPI

  Signing-Cert                                                              u,u,u
  CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX     u,u,u      <------- the one I added
  IPA.TESTAD.LOCAL IPA CA                                                   CT,C,C
  ICC-root                                                                  C,,        <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me)
  ICC-Inter                                                                 C,,        <--- CA added of CN=masterWRONG.ipa.testad.local (added by me)

  [root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/

  Certificate Nickname                                                      Trust Attributes
                                                                            SSL,S/MIME,JAR/XPI

  CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX      CTu,Cu,Cu  <------- the one I added
  IPA.TESTAD.LOCAL IPA CA                                                   CT,C,C
  ICC-root                                                                  C,,        <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me)
  ICC-Inter                                                                 C,,        <--- CA added of CN=masterGOOD.ipa.testad.local (added by me)

Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud <f...@redhat.com>
Sent: Thursday, January 10, 2019 10:03
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Rob Crittenden <rcrit...@redhat.com>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool

On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello,
>
> Now it works and it shows the real problem I have. I have 2 masters, I have
> changed the HTTP certificate on both (using ipa-cacert-manage,
> ipa-certupdate and ipa-server-certinstall as the manual says), but one of
> them has some problems:
>
> [root@masterWRONG ~]# python2 ipa-checkcerts.py
> ipa: INFO: IPA version 4.6.4-10.el7
> IPA version 4.6.4-10.el7
> ipa: INFO: Check CA status
> Check CA status
> ipa: INFO: Check tracking
> Check tracking
> ipa: INFO: Check NSS trust
> Check NSS trust
> ICC-root not found, assuming 3rd party
> ICC-Inter not found, assuming 3rd party
> ipa: INFO: Check dates
> Check dates
> ipa: INFO: Checking certificates in CS.cfg
> Checking certificates in CS.cfg
> ICC-root not found, assuming 3rd party
> ICC-Inter not found, assuming 3rd party
> ipa: INFO: Comparing certificates to requests in LDAP
> Comparing certificates to requests in LDAP
> ipa: INFO: Checking RA certificate
> Checking RA certificate
> ipa: INFO: Checking authorities
> Checking authorities
> ipa: INFO: Checking host keytab
> Checking host keytab
> ipa: INFO: Validating certificates
> Validating certificates
> ipa: INFO: Checking renewal master
> Checking renewal master
> ipa: INFO: End-to-end cert API test
> End-to-end cert API test
> ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.)
> ra.get_certificate(): EXCEPTION (Invalid Credential.)
> ipa: INFO: Checking permissions and ownership
> Checking permissions and ownership
> ipa: INFO: Failures:
> Failures:
> ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
> RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
> ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
> cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
> ipa: INFO: Warnings:
> Warnings:
> ipa: INFO: Unknown certmonger ids: 20170817094736
> Unknown certmonger ids: 20170817094736
>
> The certificates that it complains about:
>
> [root@masterGOOD ~]# ipa cert-show 2
>   Issuing CA: ipa
>   Certificate: MII....
>   Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Jan 30 10:52:18 2017 UTC
>   Not After: Sun Jan 20 10:52:18 2019 UTC
>   Serial number: 2
>   Serial number (hex): 0x2
>   Revoked: False
>
> [root@masterGOOD ~]# ipa cert-show 7
>   Issuing CA: ipa
>   Certificate: MII....
>   Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Jan 30 10:53:02 2017 UTC
>   Not After: Sun Jan 20 10:53:02 2019 UTC
>   Serial number: 7
>   Serial number (hex): 0x7
>   Revoked: False
>
> [root@masterGOOD ~]# ipa cert-show 268304389
>   Issuing CA: ipa
>   Certificate: MIID....
>   Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Dec 24 07:24:20 2018 UTC
>   Not After: Sun Dec 13 07:24:20 2020 UTC
>   Serial number: 268304389
>   Serial number (hex): 0xFFE0005
>   Revoked: False
>
> On the other master I get:
>
> [root@masterGOOD ~]# python2 ipa-checkcerts.py
> ipa: INFO: IPA version 4.6.4-10.el7
> IPA version 4.6.4-10.el7
> ipa: INFO: Check CA status
> Check CA status
> ipa: INFO: Check tracking
> Check tracking
> ipa: INFO: Check NSS trust
> Check NSS trust
> ICC-root not found, assuming 3rd party
> ICC-Inter not found, assuming 3rd party
> ipa: INFO: Check dates
> Check dates
> ipa: INFO: Checking certificates in CS.cfg
> Checking certificates in CS.cfg
> ICC-root not found, assuming 3rd party
> ICC-Inter not found, assuming 3rd party
> ipa: INFO: Comparing certificates to requests in LDAP
> Comparing certificates to requests in LDAP
> ipa: INFO: Checking RA certificate
> Checking RA certificate
> ipa: INFO: Checking authorities
> Checking authorities
> ipa: INFO: Checking host keytab
> Checking host keytab
> ipa: INFO: Validating certificates
> Validating certificates
> ipa: INFO: Checking renewal master
> Checking renewal master
> ipa: INFO: End-to-end cert API test
> End-to-end cert API test
> ipa: INFO: Checking permissions and ownership
> Checking permissions and ownership
> ipa: INFO: Failures:
> Failures:
> ipa: INFO: Unable to find request for serial 268304389
> Unable to find request for serial 268304389
> ipa: INFO: Unable to find request for serial 268304388
> Unable to find request for serial 268304388
> ipa: INFO: Unable to find request for serial 268304391
> Unable to find request for serial 268304391
> ipa: INFO: Unable to find request for serial 268304390
> Unable to find request for serial 268304390
> ipa: INFO: Unable to find request for serial 268304392
> Unable to find request for serial 268304392
> ipa: INFO: Warnings:
> Warnings:
> ipa: INFO: Unknown certmonger ids: 20170817101613
> Unknown certmonger ids: 20170817101613
>
> Where the serials correspond to the following certs:
>
> [root@masterGOOD ~]# ipa cert-show 268304389
>   Issuing CA: ipa
>   Certificate: MI....
>   Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Dec 24 07:24:20 2018 UTC
>   Not After: Sun Dec 13 07:24:20 2020 UTC
>   Serial number: 268304389
>   Serial number (hex): 0xFFE0005
>   Revoked: False
>
> [root@masterGOOD ~]# ipa cert-show 268304388
>   Issuing CA: ipa
>   Certificate: MII....
>   Subject: CN=CA Audit,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Dec 24 07:25:10 2018 UTC
>   Not After: Sun Dec 13 07:25:10 2020 UTC
>   Serial number: 268304388
>   Serial number (hex): 0xFFE0004
>   Revoked: False
>
> [root@masterGOOD ~]# ipa cert-show 268304391
>   Issuing CA: ipa
>   Certificate: MII....
>   Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Dec 24 07:25:00 2018 UTC
>   Not After: Sun Dec 13 07:25:00 2020 UTC
>   Serial number: 268304391
>   Serial number (hex): 0xFFE0007
>   Revoked: False
>
> [root@masterGOOD ~]# ipa cert-show 268304390
>   Issuing CA: ipa
>   Certificate: MII....
>   Subject: CN=CA Subsystem,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Mon Dec 24 07:24:41 2018 UTC
>   Not After: Sun Dec 13 07:24:41 2020 UTC
>   Serial number: 268304390
>   Serial number (hex): 0xFFE0006
>   Revoked: False
>
> [root@masterGOOD ~]# ipa cert-show 268304392
>   Issuing CA: ipa
>   Certificate: MII....
>   Subject: CN=masterGOOD.ipa.testad.local,O=IPA.TESTAD.LOCAL
>   Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>   Not Before: Tue Dec 25 07:24:07 2018 UTC
>   Not After: Mon Dec 14 07:24:07 2020 UTC
>   Serial number: 268304392
>   Serial number (hex): 0xFFE0008
>   Revoked: False
>
> I've checked that the following files are different on the 2 masters:
>   /var/lib/ipa/ra-agent.key
>   /var/lib/ipa/ra-agent.pem
>
> It has been renewed on masterGOOD but not on masterWRONG:

You can manually copy ra-agent.key and ra-agent.pem from masterGOOD to
masterWRONG (make a backup first of the files on masterWRONG). This should
solve the 'ipa cert-show' issue on masterWRONG.

> [root@masterWRONG ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
>         Serial Number: 7 (0x7)
>             Not Before: Jan 30 10:53:02 2017 GMT
>             Not After : Jan 20 10:53:02 2019 GMT
>
> [root@masterGOOD ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
>         Serial Number: 268304389 (0xffe0005)
>             Not Before: Dec 24 07:24:20 2018 GMT
>             Not After : Dec 13 07:24:20 2020 GMT
>
> When I execute "ipa cert-show" on masterWRONG I get the following error:
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
>
> I have added a RHEL 7 client to the domain, but I can not add RHEL 6
> clients. The CA master was masterWRONG and I have changed to
> masterGOOD with the procedure explained on
> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> But it still can not add RHEL 6 on the domain.

Which error do you see when trying to add a RHEL6 client to the domain?
Please provide ipaclient-install.log.

HTH,
flo

> How can I fix the issue? Is that happening because I changed the auto-signed
> HTTP certificate to a 3rd party certificate?
>
> Thanks & Regards.
>
>
> -----Original Message-----
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Thursday, January 03, 2019 21:22
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
> Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
>
> Rob Crittenden via FreeIPA-users wrote:
>> SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>> Hello,
>>>
>>> I have run the tool on an environment where I've installed my own
>>> certificate for HTTPS (following this tutorial:
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP),
>>> and it complains when it finds the root certificate of my certificate:
>>>
>>> # python2 ipa-checkcerts.py
>>> ipa: INFO: IPA version 4.6.4-10.el7
>>> IPA version 4.6.4-10.el7
>>> ipa: INFO: Check CA status
>>> Check CA status
>>> ipa: INFO: Check tracking
>>> Check tracking
>>> ipa: INFO: Check NSS trust
>>> Check NSS trust
>>> Traceback (most recent call last):
>>>   File "ipa-checkcerts.py", line 931, in <module>
>>>     sys.exit(c.run())
>>>   File "ipa-checkcerts.py", line 190, in run
>>>     self.check_trust()
>>>   File "ipa-checkcerts.py", line 439, in check_trust
>>>     expected = expected_trust[nickname]
>>> KeyError: 'ICC-root'
>>>
>>> Is this normal?
>>
>> No, I don't think I ever tested this scenario. I'll take a look.
>>
>> I did confirm it also fails if you install CA-less.
>
> I reproduced the error and worked around it. It should work now.
>
> rob
>
>>> Because I have tried to add a RHEL 6 client and I get the error:
>>>
>>> "Successfully retrieved CA cert
>>>     Subject:     CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>>>     Issuer:      CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>>>     Valid From:  Mon Jan 30 10:52:18 2017 UTC
>>>     Valid Until: Fri Jan 30 10:52:18 2037 UTC
>>>
>>> Joining realm failed: libcurl failed to execute the HTTP POST transaction.
>>> Peer certificate cannot be authenticated with known CA certificates"
>>
>> Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
>>
>> rob
Attachment: ipaclient-install.log
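The failure in the debug log above is a trust-chain problem, not a connectivity one: the client verifies the server's HTTPS certificate against /etc/ipa/ca.crt, and that file only carries the IPA CA until the third-party chain has been installed with ipa-cacert-manage and pushed out with ipa-certupdate. The script below is an added illustration, not code from this thread or from FreeIPA: it builds a throw-away lab PKI (an "IPA" CA, a third-party root, a third-party issuing CA and an HTTPD certificate; all names are constructed), then runs the same check with openssl verify against a bundle that holds only the IPA CA and against one that also holds the third-party root. The -untrusted argument stands in for the intermediate the web server sends during the handshake.

```shell
#!/bin/sh
# Added example: throw-away lab PKI, all names constructed (no real CA involved).
# Reproduces the situation from the thread: the client trusts only the IPA CA,
# the HTTPD certificate was issued by a third-party intermediate, and the
# chain verifies only once the third-party root is part of the trusted bundle.
set -e

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
# overridden by -subj on the command line
commonName = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:masterGOOD.ipa.testad.local
EOF

# Self-signed CA: $1 = file prefix, $2 = subject
self_signed_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$LAB/lab.cnf" -extensions ca_ext \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" -subj "$2" 2>/dev/null
}

# Certificate issued by an existing CA:
# $1 = file prefix, $2 = subject, $3 = issuer prefix, $4 = extension section
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$3.pem" -CAkey "$LAB/$3.key" \
    -CAcreateserial -days 30 -extfile "$LAB/lab.cnf" -extensions "$4" \
    -out "$LAB/$1.pem" 2>/dev/null
}

# Prints "ok" when the server certificate ($3) chains to a root in the trusted
# bundle ($1), with $2 playing the intermediate the server presents in the
# handshake. -no-CApath keeps the system trust store out of the picture.
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

self_signed_ca ipa-ca   "/O=IPA.TESTAD.LOCAL/CN=Certificate Authority"
self_signed_ca icc-root "/DC=org/DC=company/CN=Lab Third-Party Root CA"
issue_cert icc-inter "/DC=org/DC=company/CN=Lab Third-Party Issuing CA" icc-root ca_ext
issue_cert httpd     "/C=XX/O=company/CN=masterGOOD.ipa.testad.local"  icc-inter srv_ext

# Bundle 1: what a client sees while ca.crt contains only the IPA CA.
cp "$LAB/ipa-ca.pem" "$LAB/ca-before.crt"
# Bundle 2: the same bundle after the third-party root has been added to it.
cat "$LAB/ipa-ca.pem" "$LAB/icc-root.pem" > "$LAB/ca-after.crt"

echo "IPA CA only:             $(verify_chain "$LAB/ca-before.crt" "$LAB/icc-inter.pem" "$LAB/httpd.pem")"
echo "IPA CA + 3rd-party root: $(verify_chain "$LAB/ca-after.crt"  "$LAB/icc-inter.pem" "$LAB/httpd.pem")"
```

The same two-sided check is what to run on a real client: `openssl verify -CAfile /etc/ipa/ca.crt -untrusted <intermediate.pem> <server.pem>` (the file names are placeholders) tells you whether the bundle the client received from the server is complete before any join is attempted, and a fresh /etc/ipa/ca.crt that still lacks the third-party root points at the master side (ipa-cacert-manage install followed by ipa-certupdate) rather than at the client.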
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org