Hello Alexander. Thank you for your reply.

In fact, I solved this problem by following this KB from RHEL support: https://access.redhat.com/solutions/482063

Basically:

    certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

It helped my python venv with ipa 3.0 modules to work on a RHEL7 with an ipa 4.4 client installed.
I know this is currently dirty enough, but I plan to upgrade everything asap (python version, ipa version etc...) for the tool that I need to maintain.

Thanks a lot for your information.

Best regards.

Lune

On Fri, 23 Aug 2019 at 17:09, Alexander Bokovoy <[email protected]> wrote:

> On Fri, 23 Aug 2019, lune voo via FreeIPA-users wrote:
> >Thank you again for your answer Alexander.
> >
> >A last question :
> >I'm setting up a python virtual environment for an old project that I need
> >to maintain without any modification.
> >This old project currently uses an ipa 3.0 on a physical RHEL 6.6 using
> >python 2.6.6.
> I don't think we supported any use of pip-based ipaclient at that
> version.
>
> >I'm trying to create the python environment using python 2.6 for the
> >project because the server will soon be upgraded in RHEL7.
> >
> >I'm using ipalib to perform ipa user-show etc... command directly in python.
> >But I get an "(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
> >been marked as not trusted by the user." when I try to use it.
> >Pretty sure this is related with my ca.crt file being not found.
> This is related to nssdb in use -- at that time we didn't have any
> support for relocating files and we also used nssdb at /etc/ipa/nssdb, I
> think. So check whether you have trust flags on the certificates in that
> NSS database.
>
> >
> >
> >Any hope there is a way to check the default path which is used by the
> >ca.crt file ?
> >
> >Best regards.
> >
> >Lune
> >
> >
> >On Fri, 23 Aug 2019 at 15:41, Alexander Bokovoy <[email protected]> wrote:
> >
> >> On Fri, 23 Aug 2019, lune voo wrote:
> >> >Hello Alexander.
> >> >
> >> >Thank you for your answer.
> >> >Do you know if I will have any problem with the certificate to connect to
> >> >the server ?
> >> >Generally there is a ca.crt in /etc/ipa/ca.crt, does it need to be included
> >> >in the virtual environment also ?
> >>
> >> See manual page for ipa(1) tool, it documents use of IPA_CONFDIR to
> >> specify /etc/ipa location. However, /etc/ipa/ca.crt is not configurable
> >> this way, only through ipaplatform.paths.IPA_CA_CRT value.
> >>
> >> $ python3
> >> Python 3.7.4 (default, Jul 9 2019, 16:32:37)
> >> [GCC 9.1.1 20190503 (Red Hat 9.1.1-1)] on linux
> >> Type "help", "copyright", "credits" or "license" for more information.
> >> >>> from ipaplatform.paths import paths
> >> >>> paths.IPA_CA_CRT
> >> '/etc/ipa/ca.crt'
> >> >>> paths.IPA_CA_CRT="./my.ca.crt"
> >> >>> from ipaclient.discovery import IPADiscovery
> >> >>> discover = IPADiscovery()
> >> >>> discover.search("vda.li", ca_cert_path=paths.IPA_CA_CRT)
> >> 0
> >> >>> discover.realm
> >> 'VDA.LI'
> >> >>> discover.basedn
> >> ipapython.dn.DN('dc=vda,dc=li')
> >> >>>
> >>
> >> So, for most of Python code you can redefine paths. But for ipa-join and
> >> other binaries you cannot.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >_______________________________________________
> >FreeIPA-users mailing list -- [email protected]
> >To unsubscribe send an email to [email protected]
> >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
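The trust-flag check suggested in the thread, as an added example that is not part of the original messages: it parses `certutil -L` output and reports whether a nickname carries the `C` flag (trusted CA for server certificates) in the SSL field, which is what `-t CT,C,C` in the command above sets. The sample listing, the `Old IPA CA` and `Server-Cert` nicknames, and the function names are constructed for illustration.

```python
import re
import subprocess

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output (not from the thread).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
Old IPA CA                                                   ,,
Server-Cert                                                  u,u,u
"""

# A row is a nickname (which may contain spaces) followed by three
# comma-separated trust fields: SSL, S/MIME, JAR/XPI. Header lines do not match.
FLAGS = "[pPcCTuw]*"
ROW = re.compile(rf"^(.+?)\s+({FLAGS}),({FLAGS}),({FLAGS})\s*$")


def parse_listing(text):
    """Map nickname -> (ssl, smime, jar) trust flag strings."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return certs


def trusted_ca_for_tls_servers(certs, nickname):
    """True only if the nickname exists and has 'C' in its SSL trust field."""
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0]


def list_nssdb(nssdb_dir):
    """Return the live listing for a database directory (needs certutil installed)."""
    result = subprocess.run(["certutil", "-L", "-d", nssdb_dir],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    certs = parse_listing(SAMPLE_LISTING)  # or parse_listing(list_nssdb("/etc/pki/nssdb"))
    for nick in ("IPA CA", "Old IPA CA", "Missing CA"):
        ok = trusted_ca_for_tls_servers(certs, nick)
        print(f"{nick}: {'trusted for TLS servers' if ok else 'NOT trusted'}")
```

A CA that is present with empty flags (`,,`) and a CA that is absent both fail the check, so the listing should be reviewed to tell the two cases apart.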
