Good morning, Little update
My client time wasn't synchronize with NTP. After doing so I got a new error message. ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) See ipa-certupdate -v output below: > # ipa-certupdate -v > ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file > ipa: DEBUG: Loading Index file from > '/var/lib/ipa-client/sysrestore/sysrestore.index' > ipa: DEBUG: Starting external process > ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca > ipa: DEBUG: Process finished, return code=1 > ipa: DEBUG: stdout= > ipa: DEBUG: stderr=keyctl_search: Required key not available > > ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find > session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca' > ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying > https://freeipa.qc.lrtech.ca/ipa/json > ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection > context.rpcclient_52339344 > ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json > server 'https://freeipa.qc.lrtech.ca/ipa/json' > ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca > ipa: DEBUG: Connecting: X.X.X.X:0 > ipa: ERROR: cert validation failed for > "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's > certificate issuer has been marked as not trusted by the user.) > ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection > context.rpcclient_52339344 > ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line > 54, in run > api.finalize() > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in > finalize > self.__do_if_not_done('load_plugins') > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in > __do_if_not_done > getattr(self, name)() > File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in > load_plugins > for package in self.packages: > File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in > packages > ipaclient.remote_plugins.get_package(self), > File > "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line > 118, in get_package > plugins = schema.get_package(server_info, client) > File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", > line 543, in get_package > schema = Schema(client) > File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", > line 387, in __init__ > fingerprint, ttl = self._fetch(client, ignore_cache=read_failed) > File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", > line 426, in _fetch > schema = client.forward(u'schema', **kwargs)['result'] > File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward > raise NetworkError(uri=server, error=str(e)) > > ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command > failed, exception: NetworkError: cannot connect to > 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's > certificate issuer has been marked as not trusted by the user. > ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: cannot connect to > 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's > certificate issuer has been marked as not trusted by the user. > ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command > failed. My client is able to ping my FreeIPA server, I tried to manually add my root certificate to /etc/pki/ca-trust/source/anchors and did a update-ca-trust extract. Should I restart some service to apply change? Eric _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
