I have recently been looking to authenticate Linux hosts with our FreeIPA server. I use a containerized FreeIPA server behind a Nginx Proxy Manager reverse proxy. I disable anonymous binding and forward all the LDAP and Kerberos ports FreeIPA uses over streams through NPM.
This has worked well for general usage and LDAP binding so far, but when I try to install the client with ipa-client-install I get the following error:

    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm MYREALM.NET
    cannot connect to 'https://freeipa.myrealm.net/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

I do not get the same issue connecting directly to a fresh Docker instance that is not behind Nginx Proxy Manager, but it occurs again when I try to put a reverse proxy in front of the server. The realm gets created, but the final configuration fails.

What I assume is happening is that there is a mismatch between the SSL certificate used by LDAP/Kerberos and the one used over HTTPS, but I'm not totally sure. The debug information is sparse. The debug logs say the following:

    failed to find session_cookie in persistent storage for principal 'host/[email protected]'
    trying https://freeipa.myrealm.net/ipa/json
    Created connection context.rpcclient_140023518613568
    [try 1]: Forwarding 'schema' to json server 'https://freeipa.myrealm.net/ipa/json'
    HTTP connection destroyed (freeipa.myrealm.net)

I tried the --ca-cert-file flag, passing in the server's self-signed certificate, but that did not work either. Neither did installing it in the ca-certificates directory. Is there a way for me to pre-emptively install the certificate? Or am I definitely going to need to use the same non-self-signed certificate for the reverse proxy and the actual IPA server?
Some additional things I've tried:

- Updating & upgrading
- Using the server's self-signed certificate in NPM (gives a self-signed cert error)
- Using no certificate in NPM (gives the same self-signed error)
- Using the name of the FreeIPA host machine (connects, but a cert for the hostname isn't found)

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
