Seems to happen on both Ubuntu 16.04 and 18.04.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial

$ firefox --version
Mozilla Firefox 67.0.4

freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64
Ubuntu 18.04 machine:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic

freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all [installed,automatic]
firefox/bionic-updates,bionic-security,now 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]

Where is the system trust store located? I was going to validate that
the freeipa ca.crt is added to the system trust store. If it's not
there, how do you add the ca.crt to the system trust store?

Should the ipa-install-client command add it to the system-wide trust store?

I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.

On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
> > Hello,
> >
> > I’m wanting to make our https servers use a trusted certificate within our 
> > LAN only. So for example if I have websrv1.ny.example.com when a user uses 
> > a machine that’s enrolled into our realm and they visit 
> > https://websrv1.ny.example.com they shouldn’t be prompted to accept the 
> > self signed certificate.
> >
> > I think I’m pretty close but I’m missing a small part.
> >
> > The ipa server is all setup and working. Hosts are enrolled to ipa and have 
> > the /etc/ipa/ca.crt.
> >
> > I have created a service for the http server in IPA. I have obtained a .key 
> > file and .crt file for my web server. Those keys for the web server are in 
> > the appropriate location and the web server is pointing at the certs 
> > correctly.
> >
> > On my clients when I go to the web server's URL I am no longer getting a 
> > “self signed cert” error message in the browser.
> >
> > That message has now changed to “unverified certificate authority”. Which 
> > basically indicates to me that the browser doesn’t know if this certificate 
> > authority should/can be trusted.
> >
> > If i go in the browser (firefox or chrome) in the certificate authority 
> > section and import the /etc/ipa/ca.crt i get no errors in the browser about 
> > it being unverified.
> >
> > So my question is, what am I missing to make the /etc/ipa/ca.crt file 
> > globally available for browsers to pick up the certificate automatically?
> >
> > when we enroll a host we simply do
> >
> > freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
> >
> > Accept the defaults, put in the password to enroll and that’s it. Is there 
> > something I’m missing?
> >
> > -Kevin
> >
> Looks like the browser is not using the system trust store.  Please
> provide full details of operating system and package versions for
> both freeipa and browser packages.
>
> Cheers,
> Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org