Ipa cert-show is working now after copying the certificates, thanks.

The error I get is:
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

I have attached the full log with debug enabled, it complains about the 
certificate added for HTTP:
* About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
*   Trying 192.168.107.171... * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org'  <---------------- this CA was added by me because it is the CA of the cert for HTTPD
* NSS error -8172
* Expire cleared
* Closing connection #0
libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:

The certificates I have:
[root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Signing-Cert                                                 u,u,u
CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u   <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,      <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me)
ICC-Inter                                                    C,,      <--- CA of CN=masterWRONG.ipa.testad.local (added by me)


[root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX CTu,Cu,Cu <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,    <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me)
ICC-Inter                                                    C,,    <--- CA of CN=masterGOOD.ipa.testad.local (added by me)


Thanks & Regards.
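The "Check NSS trust" step of ipa-checkcerts.py raised KeyError: 'ICC-root' for nicknames it did not know and was then changed to report "not found, assuming 3rd party"; the listings above show what such a check sees on both masters. The following is an added example, not code from ipa-checkcerts.py: it parses `certutil -L` output and applies that tolerant check. The EXPECTED_TRUST values are an assumption for the example, and the sample listing is copied from the masterWRONG output above with the arrows removed.

```python
import re

# Trust flags expected in a FreeIPA master's /etc/httpd/alias (assumed for this example).
EXPECTED_TRUST = {
    "Signing-Cert": "u,u,u",
    "IPA.TESTAD.LOCAL IPA CA": "CT,C,C",
}

# Constructed sample: the masterWRONG listing from the thread, arrows removed.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Signing-Cert                                                 u,u,u
CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,
ICC-Inter                                                    C,,
"""

# A certutil trust string is three comma-separated flag groups (SSL, S/MIME, JAR/XPI).
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

def parse_certutil_list(text):
    """Map nickname -> trust string from `certutil -L -d <dbdir>` output.
    Nicknames may contain spaces, so split on the last whitespace run only."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0]] = parts[1]
    return certs

def check_nss_trust(certs, expected=EXPECTED_TRUST):
    """Return (failures, notes). Known nicknames must carry the expected flags.
    An unknown nickname with a private key ('u') is a leaf such as the HTTP cert;
    any other unknown one is assumed a 3rd-party CA and needs 'C' in the SSL column."""
    failures, notes = [], []
    for nick, trust in certs.items():
        ssl_flags = trust.split(",")[0]
        if nick in expected:
            if trust != expected[nick]:
                failures.append("%s: trust %s, expected %s" % (nick, trust, expected[nick]))
        elif "u" in ssl_flags:
            notes.append("%s: has private key, treated as a leaf cert" % nick)
        else:
            notes.append("%s not found, assuming 3rd party" % nick)
            if "C" not in ssl_flags:
                failures.append("%s: 3rd-party CA lacks 'C' in SSL trust" % nick)
    return failures, notes
```

Run it against the real listing with `check_nss_trust(parse_certutil_list(open("listing.txt").read()))`, where listing.txt holds the saved `certutil -L -d /etc/httpd/alias/` output.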





-----Original Message-----
From: Florence Blanc-Renaud <f...@redhat.com> 
Sent: Thursday, January 10, 2019 10:03
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Rob Crittenden 
<rcrit...@redhat.com>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool

On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello,
> 
> Now it works and it shows the real problem I have. I have 2 masters; I have 
> changed the HTTP certificate on both (using ipa-cacert-manage, 
> ipa-certupdate and ipa-server-certinstall as the manual says), but one of 
> them has some problems:
> [root@masterWRONG ~]# python2 ipa-checkcerts.py
> ipa: INFO: IPA version 4.6.4-10.el7
> IPA version 4.6.4-10.el7
> ipa: INFO: Check CA status
> Check CA status
> ipa: INFO: Check tracking
> Check tracking
> ipa: INFO: Check NSS trust
> Check NSS trust
> ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 
> 3rd party
> ipa: INFO: Check dates
> Check dates
> ipa: INFO: Checking certificates in CS.cfg Checking certificates in 
> CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, 
> assuming 3rd party
> ipa: INFO: Comparing certificates to requests in LDAP Comparing 
> certificates to requests in LDAP
> ipa: INFO: Checking RA certificate
> Checking RA certificate
> ipa: INFO: Checking authorities
> Checking authorities
> ipa: INFO: Checking host keytab
> Checking host keytab
> ipa: INFO: Validating certificates
> Validating certificates
> ipa: INFO: Checking renewal master
> Checking renewal master
> ipa: INFO: End-to-end cert API test
> End-to-end cert API test
> ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.)
> ra.get_certificate(): EXCEPTION (Invalid Credential.)
> ipa: INFO: Checking permissions and ownership Checking permissions and 
> ownership
> ipa: INFO: Failures:
> Failures:
> ipa: INFO: RA agent description does not match 
> 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA 
> RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate 
> Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected RA 
> agent description does not match 2;268304389;CN=Certificate 
> Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 
> 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA 
> RA,O=IPA.TESTAD.LOCAL expected
> ipa: INFO: cert-show of 1 failed: Certificate operation cannot be 
> completed: EXCEPTION (Invalid Credential.) cert-show of 1 failed: 
> Certificate operation cannot be completed: EXCEPTION (Invalid 
> Credential.)
> ipa: INFO: Warnings:
> Warnings:
> ipa: INFO: Unknown certmonger ids: 20170817094736 Unknown certmonger 
> ids: 20170817094736
> 
> The certificates it complains about:
> [root@masterGOOD ~]# ipa cert-show 2
>    Issuing CA: ipa
>    Certificate: MII....
>    Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Jan 30 10:52:18 2017 UTC
>    Not After: Sun Jan 20 10:52:18 2019 UTC
>    Serial number: 2
>    Serial number (hex): 0x2
>    Revoked: False
> [root@masterGOOD ~]# ipa cert-show 7
>    Issuing CA: ipa
>    Certificate: MII....
>    Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Jan 30 10:53:02 2017 UTC
>    Not After: Sun Jan 20 10:53:02 2019 UTC
>    Serial number: 7
>    Serial number (hex): 0x7
>    Revoked: False
> [root@masterGOOD ~]# ipa cert-show 268304389
>    Issuing CA: ipa
>    Certificate: MIID....
>    Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Dec 24 07:24:20 2018 UTC
>    Not After: Sun Dec 13 07:24:20 2020 UTC
>    Serial number: 268304389
>    Serial number (hex): 0xFFE0005
>    Revoked: False
> 
> On the other master I get:
> [root@masterGOOD ~]# python2 ipa-checkcerts.py
> ipa: INFO: IPA version 4.6.4-10.el7
> IPA version 4.6.4-10.el7
> ipa: INFO: Check CA status
> Check CA status
> ipa: INFO: Check tracking
> Check tracking
> ipa: INFO: Check NSS trust
> Check NSS trust
> ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 
> 3rd party
> ipa: INFO: Check dates
> Check dates
> ipa: INFO: Checking certificates in CS.cfg Checking certificates in 
> CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, 
> assuming 3rd party
> ipa: INFO: Comparing certificates to requests in LDAP Comparing 
> certificates to requests in LDAP
> ipa: INFO: Checking RA certificate
> Checking RA certificate
> ipa: INFO: Checking authorities
> Checking authorities
> ipa: INFO: Checking host keytab
> Checking host keytab
> ipa: INFO: Validating certificates
> Validating certificates
> ipa: INFO: Checking renewal master
> Checking renewal master
> ipa: INFO: End-to-end cert API test
> End-to-end cert API test
> ipa: INFO: Checking permissions and ownership Checking permissions and 
> ownership
> ipa: INFO: Failures:
> Failures:
> ipa: INFO: Unable to find request for serial 268304389 Unable to find 
> request for serial 268304389
> ipa: INFO: Unable to find request for serial 268304388 Unable to find 
> request for serial 268304388
> ipa: INFO: Unable to find request for serial 268304391 Unable to find 
> request for serial 268304391
> ipa: INFO: Unable to find request for serial 268304390 Unable to find 
> request for serial 268304390
> ipa: INFO: Unable to find request for serial 268304392 Unable to find 
> request for serial 268304392
> ipa: INFO: Warnings:
> Warnings:
> ipa: INFO: Unknown certmonger ids: 20170817101613 Unknown certmonger 
> ids: 20170817101613
> 
> Where the serials correspond to the following certs:
> [root@masterGOOD ~]# ipa cert-show 268304389
>    Issuing CA: ipa
>    Certificate: MI....
>    Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Dec 24 07:24:20 2018 UTC
>    Not After: Sun Dec 13 07:24:20 2020 UTC
>    Serial number: 268304389
>    Serial number (hex): 0xFFE0005
>    Revoked: False
> [root@masterGOOD ~]# ipa cert-show 268304388
>    Issuing CA: ipa
>    Certificate: MII....
>    Subject: CN=CA Audit,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Dec 24 07:25:10 2018 UTC
>    Not After: Sun Dec 13 07:25:10 2020 UTC
>    Serial number: 268304388
>    Serial number (hex): 0xFFE0004
>    Revoked: False
> [root@masterGOOD ~]# ipa cert-show 268304391
>    Issuing CA: ipa
>    Certificate: MII....
>    Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Dec 24 07:25:00 2018 UTC
>    Not After: Sun Dec 13 07:25:00 2020 UTC
>    Serial number: 268304391
>    Serial number (hex): 0xFFE0007
>    Revoked: False
> [root@masterGOOD ~]# ipa cert-show 268304390
>    Issuing CA: ipa
>    Certificate: MII....
>    Subject: CN=CA Subsystem,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Mon Dec 24 07:24:41 2018 UTC
>    Not After: Sun Dec 13 07:24:41 2020 UTC
>    Serial number: 268304390
>    Serial number (hex): 0xFFE0006
>    Revoked: False
> [root@masterGOOD ~]# ipa cert-show 268304392
>    Issuing CA: ipa
>    Certificate: MII....
>    Subject: CN=masterGOOD.ipa.testad.local,O=IPA.TESTAD.LOCAL
>    Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>    Not Before: Tue Dec 25 07:24:07 2018 UTC
>    Not After: Mon Dec 14 07:24:07 2020 UTC
>    Serial number: 268304392
>    Serial number (hex): 0xFFE0008
>    Revoked: False
> 
> I've checked that the following files are different on the 2 masters:
> /var/lib/ipa/ra-agent.key
> /var/lib/ipa/ra-agent.pem
> 
> It has been renewed on masterGOOD but not on masterWRONG:
You can manually copy ra-agent.key and ra-agent.pem from masterGOOD to 
masterWRONG (make a backup first of the files on masterWRONG). This should 
solve the 'ipa cert-show' issue on masterWRONG.

> [root@masterWRONG ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
>          Serial Number: 7 (0x7)
>              Not Before: Jan 30 10:53:02 2017 GMT
>              Not After : Jan 20 10:53:02 2019 GMT
> [root@masterGOOD ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
>          Serial Number: 268304389 (0xffe0005)
>              Not Before: Dec 24 07:24:20 2018 GMT
>              Not After : Dec 13 07:24:20 2020 GMT
> 
> When I execute "ipa cert-show" on masterWRONG I get the following error:
> ipa: ERROR: Certificate operation cannot be completed: EXCEPTION 
> (Invalid Credential.)
> 
> I have added a RHEL 7 client to the domain, but I cannot add RHEL 6 
> clients. The CA master was masterWRONG and I have changed it to 
> masterGOOD with the procedure explained on 
> https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> but I still cannot add RHEL 6 clients to the domain.
Which error do you see when trying to add a RHEL6 client to the domain? 
Please provide ipaclient-install.log.

HTH,
flo
> 
> How can I fix the issue? Is that happening because I changed the self-signed 
> HTTP certificate to a 3rd party certificate?
> 
> Thanks & Regards.
> 
> 
> 
> -----Original Message-----
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Thursday, January 03, 2019 21:22
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
> Subject: Re: [Freeipa-users] Re: Testing requested - certificate 
> checking tool
> 
> Rob Crittenden via FreeIPA-users wrote:
>> SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>> Hello,
>>>
>>> I have run the tool on an environment where I've installed my own 
>>> certificate for HTTPS (following this tutorial:
>>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP),
>>> and it complains when it finds the root certificate of my
>>> certificate:
>>>
>>> # python2 ipa-checkcerts.py
>>> ipa: INFO: IPA version 4.6.4-10.el7
>>> IPA version 4.6.4-10.el7
>>> ipa: INFO: Check CA status
>>> Check CA status
>>> ipa: INFO: Check tracking
>>> Check tracking
>>> ipa: INFO: Check NSS trust
>>> Check NSS trust
>>> Traceback (most recent call last):
>>>    File "ipa-checkcerts.py", line 931, in <module>
>>>      sys.exit(c.run())
>>>    File "ipa-checkcerts.py", line 190, in run
>>>      self.check_trust()
>>>    File "ipa-checkcerts.py", line 439, in check_trust
>>>      expected = expected_trust[nickname]
>>> KeyError: 'ICC-root'
>>>
>>> Is this normal?
>>
>> No, I don't think I ever tested this scenario. I'll take a look.
>>
>> I did confirm it also fails if you install CA-less.
> 
> I reproduced the error and worked around it. It should work now.
> 
> rob
> 
>>
>>> Because I have tried to add a RHEL 6 client and I get the error:
>>>
>>> " Successfully retrieved CA cert
>>>      Subject:     CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>>>      Issuer:      CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>>>      Valid From:  Mon Jan 30 10:52:18 2017 UTC
>>>      Valid Until: Fri Jan 30 10:52:18 2037 UTC
>>>
>>> Joining realm failed: libcurl failed to execute the HTTP POST 
>>> transaction.  Peer certificate cannot be authenticated with known CA 
>>> certificates"
>>
>> Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedo
>> r
>> ahosted.org
>>
> 
> 

Attachment: ipaclient-install.log
Description: ipaclient-install.log
