On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote:
> Seems to happen on both Ubuntu 16.04 and 18.04.
> 
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 16.04.6 LTS
> Release:        16.04
> Codename:       xenial
> 
> $ firefox --version
> Mozilla Firefox 67.0.4
> 
> freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
> freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
> firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64
> 
> Ubuntu 18.04 machine:
> 
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 18.04.3 LTS
> Release:        18.04
> Codename:       bionic
> 
> freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
> freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all [installed,automatic]
> firefox/bionic-updates,bionic-security,now 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]
> 
> Where is the system trust store located? I was going to validate that
> the freeipa ca.crt is added to the system trust store. If it's not
> there, how do you add the ca.crt to the system trust store?
> 
> Should the ipa-install-client command add the system wide trust store?
> 
Thanks for the details.  I do not know about system trust on Ubuntu.
It could be that ipa-client on Ubuntu does add the IPA CA to system
trust, but the Firefox/Chrome packages ignore the system trust
store.

Hopefully someone more familiar with Ubuntu can clarify.

Cheers,
Fraser

> I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.
> 
> On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
> >
> > On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
> > > Hello,
> > >
> > > I’m wanting to make our https servers use a trusted certificate within 
> > > our LAN only. So for example if I have websrv1.ny.example.com when a user 
> > > uses a machine that’s enrolled into our realm and they visit 
> > > https://websrv1.ny.example.com they shouldn’t be prompted to accept the 
> > > self signed certificate.
> > >
> > > I think I’m pretty close but I’m missing a small part.
> > >
> > > The ipa server is all setup and working. Hosts are enrolled to ipa and 
> > > have the /etc/ipa/ca.crt.
> > >
> > > I have created a service for the http server in IPA. I have obtained a 
> > > .key file and .crt file for my web server. Those keys for the web server 
> > > are in the appropriate location and the web server is pointing at the 
> > > certs correctly.
> > >
> > > On my clients when I go to the web server's URL I am no longer getting a 
> > > “self signed cert” error message in the browser.
> > >
> > > That message has now changed to “unverified certificate authority”. Which 
> > > basically indicates to me that the browser doesn’t know if this 
> > > certificate authority should/can be trusted.
> > >
> > > If I go in the browser (Firefox or Chrome) to the certificate authority 
> > > section and import the /etc/ipa/ca.crt, I get no errors in the browser 
> > > about it being unverified.
> > >
> > > So my question is, what am I missing to make the /etc/ipa/ca.crt file 
> > > globally available for browsers to pick up the certificate automatically?
> > >
> > > When we enroll a host we simply do
> > >
> > > freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
> > >
> > > Accept the defaults, put in the password to enroll and that’s it. Is 
> > > there something I’m missing?
> > >
> > > -Kevin
> > >
> > Looks like the browser is not using the system trust store.  Please
> > provide full details of operating system and package versions for
> > both freeipa and browser packages.
> >
> > Cheers,
> > Fraser
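The thread leaves two possibilities open: either ipa-client-install never placed the IPA CA in the Ubuntu system trust store, or it did and the browser simply does not consult that store (Firefox, for instance, keeps its own NSS certificate database per profile). The following script is an added example, not code from the thread or from FreeIPA, that separates those two cases on the client side: it compares the SHA-256 fingerprint of every certificate in /etc/ipa/ca.crt against the certificates in the Debian/Ubuntu bundle that update-ca-certificates builds. The paths /etc/ssl/certs/ca-certificates.crt and /usr/local/share/ca-certificates are assumed Debian/Ubuntu conventions and are not mentioned in the thread; the sample PEM data at the bottom is constructed so the matching logic can be exercised offline.

```python
"""Check whether a CA certificate (e.g. /etc/ipa/ca.crt) is present in a PEM
trust bundle by comparing SHA-256 fingerprints of the DER bodies.
Standard library only, so it runs without the cryptography package."""
import base64
import hashlib
import re
import sys

# Assumed Debian/Ubuntu locations (not taken from the thread): the bundle that
# update-ca-certificates produces, the directory it reads local CAs from, and
# the CA file that ipa-client-install leaves on an enrolled host.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
LOCAL_CA_DIR = "/usr/local/share/ca-certificates"
IPA_CA = "/etc/ipa/ca.crt"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """Return the set of SHA-256 hex fingerprints of every certificate in a
    PEM blob. The hash is over the DER bytes, which is the same value that
    `openssl x509 -noout -fingerprint -sha256` prints (minus the colons)."""
    fps = set()
    for body in _PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def ca_in_bundle(ca_pem, bundle_pem):
    """True if every certificate in ca_pem also appears in bundle_pem.
    An empty or unparsable ca_pem is reported as not present."""
    wanted = pem_fingerprints(ca_pem)
    return bool(wanted) and wanted <= pem_fingerprints(bundle_pem)


def _pem(der):
    """Wrap raw bytes in PEM certificate armour, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: the bodies are not real X.509 DER, just bytes in
# PEM armour so the parsing and fingerprint matching can be exercised offline.
SAMPLE_IPA_CA = _pem(b"constructed IPA CA")
SAMPLE_OTHER_CA = _pem(b"constructed unrelated CA")
SAMPLE_BUNDLE_WITH_IPA = SAMPLE_OTHER_CA + SAMPLE_IPA_CA
SAMPLE_BUNDLE_WITHOUT_IPA = SAMPLE_OTHER_CA


def main():
    """Read the real files and report which of the two cases applies."""
    try:
        with open(IPA_CA) as f:
            ca = f.read()
        with open(SYSTEM_BUNDLE) as f:
            bundle = f.read()
    except OSError as e:
        print("cannot read:", e)
        return 2
    if ca_in_bundle(ca, bundle):
        print("IPA CA is in the system bundle; a browser that still warns "
              "is using its own store and must be configured separately")
        return 0
    print("IPA CA is not in the system bundle; copy it to %s/ipa-ca.crt "
          "and run update-ca-certificates" % LOCAL_CA_DIR)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means the CA is missing from the system store (or the files could not be read), so the system-wide fix applies; a zero exit means the system store is fine and the remaining work is in the browser's own trust database.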
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org