OpenSSL 3.0.2-0ubuntu1.1 is installed in 22.04 Previous email with openssl and curl commands were runt in ubuntu 22.04
El vie, 27 may 2022 a la(s) 11:23, Rob Crittenden (rcrit...@redhat.com) escribió: > Thanks, this is very helpful. I wonder if the same s_client and curl > commands work from the Ubuntu 22.04 machine or if they'll fail in the > same way. > > The cert lacks a DNS SAN for the hostname. I suspect this may be the > issue (using the CN has been deprecated forever but was still allowed in > most libraries). What version of OpenSSL is on 22.04? > > rob > > Gustavo Berman wrote: > > Here's info obtained from the same client using openssl, you can se that > > subject CN is fine. > > > > localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername > > ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null | > > openssl x509 -inform pem -noout -text > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: 536805412 (0x1fff0024) > > Signature Algorithm: sha256WithRSAEncryption > > Issuer: O = FISICA.CABIB, CN = Certificate Authority > > Validity > > Not Before: Jul 14 14:25:06 2020 GMT > > Not After : Jul 15 14:25:06 2022 GMT > > Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > Public-Key: (2048 bit) > > Modulus: > > 00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a: > > a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b: > > fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6: > > 4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9: > > db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5: > > 14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93: > > fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68: > > db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76: > > 0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85: > > 6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db: > > ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4: > > a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46: > > 65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79: > > 3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2: > > 63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d: > > fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c: > > d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d: > > ef:ab > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Authority Key Identifier: > > > F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32 > > Authority Information Access: > > OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp > > X509v3 Key Usage: critical > > Digital Signature, Non Repudiation, Key Encipherment, > > Data Encipherment > > X509v3 Extended Key Usage: > > TLS Web Server Authentication, TLS Web Client > Authentication > > X509v3 CRL Distribution Points: > > Full Name: > > URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin > > CRL Issuer: > > DirName:O = ipaca, CN = Certificate Authority > > X509v3 Subject Key Identifier: > > > 3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D > > X509v3 Subject Alternative Name: > > othername: > > UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername: > > 1.3.6.1.5.2.2::<unsupported> > > Signature Algorithm: sha256WithRSAEncryption > > Signature Value: > > b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15: > > a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37: > > ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d: > > bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92: > > 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f: > > 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b: > > e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7: > > 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49: > > 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48: > > c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba: > > 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f: > > 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17: > > 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b: > > 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03: > > dd:92:d4:68 > > localadmin@fisica75:~$ > > > > > > And more info obtained with curl: > > > > localadmin@fisica75:~$ curl --insecure -vvI > https://ipaserver.fisica.cabib > > * Trying 10.reda.cted.ip:443... > > * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0) > > * ALPN, offering h2 > > * ALPN, offering http/1.1 > > * TLSv1.0 (OUT), TLS header, Certificate Status (22): > > * TLSv1.3 (OUT), TLS handshake, Client hello (1): > > * TLSv1.2 (IN), TLS header, Certificate Status (22): > > * TLSv1.3 (IN), TLS handshake, Server hello (2): > > * TLSv1.2 (IN), TLS handshake, Certificate (11): > > * TLSv1.2 (IN), TLS handshake, Server key exchange (12): > > * TLSv1.2 (IN), TLS handshake, Server finished (14): > > * TLSv1.2 (OUT), TLS header, Certificate Status (22): > > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): > > * TLSv1.2 (OUT), TLS header, Finished (20): > > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): > > * TLSv1.2 (OUT), TLS header, Certificate Status (22): > > * TLSv1.2 (OUT), TLS handshake, Finished (20): > > * TLSv1.2 (IN), TLS header, Finished (20): > > * TLSv1.2 (IN), TLS header, Certificate Status (22): > > * TLSv1.2 (IN), TLS handshake, Finished (20): > > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 > > * ALPN, server did not agree to a protocol > > * Server certificate: > > * subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib > > * start date: Jul 14 14:25:06 2020 GMT > > * expire date: Jul 15 14:25:06 2022 GMT > > * issuer: O=FISICA.CABIB; CN=Certificate Authority > > * SSL certificate verify result: self-signed certificate in certificate > > chain (19), continuing anyway. > > * TLSv1.2 (OUT), TLS header, Supplemental data (23): > >> HEAD / HTTP/1.1 > >> Host: ipaserver.fisica.cabib > >> User-Agent: curl/7.81.0 > >> Accept: */* > >> > > * TLSv1.2 (IN), TLS header, Supplemental data (23): > > * Mark bundle as not supporting multiuse > > < HTTP/1.1 301 Moved Permanently > > HTTP/1.1 301 Moved Permanently > > < Date: Fri, 27 May 2022 13:53:28 GMT > > Date: Fri, 27 May 2022 13:53:28 GMT > > < Server: Apache/redactedversion > > Server: Apache/redactedversion > > < Location: https://ipaserver.fisica.cabib/ipa/ui > > Location: https://ipaserver.fisica.cabib/ipa/ui > > < Content-Type: text/html; charset=iso-8859-1 > > Content-Type: text/html; charset=iso-8859-1 > > > > < > > * Connection #0 to host ipaserver.fisica.cabib left intact > > > > Also attached public cert > > > > > > > > > > El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com > > <mailto:rcrit...@redhat.com>) escribió: > > > > Gustavo Berman via FreeIPA-users wrote: > > > Hello there! > > > > > > Ubuntu 18.04 (and previous ones) works just fine > > > In Ubuntu 22.04 I'm trying to execute ipa-client install but it > > fails with: > > > > > > root@fisica75:~# ipa-client-install > > > This program will set up IPA client. > > > Version 4.9.8 > > > > > > WARNING: conflicting time&date synchronization service 'ntp' will > be > > > disabled in favor of chronyd > > > > > > Discovery was successful! > > > Do you want to configure chrony with NTP server or pool address? > [no]: > > > Client hostname: fisica75.fisica.cabib > > > Realm: FISICA.CABIB > > > DNS Domain: fisica.cabib > > > IPA Server: ipaserver.fisica.cabib > > > BaseDN: dc=fisica,dc=cabib > > > > > > Continue to configure the system with these values? [no]: yes > > > Synchronizing time > > > No SRV records of NTP servers found and no NTP server or pool > address > > > was provided. > > > Using default chrony configuration. > > > Attempting to sync time with chronyc. > > > Time synchronization was successful. > > > User authorized to enroll computers: tavo > > > Password for tavo@FISICA.CABIB: > > > Successfully retrieved CA cert > > > Subject: CN=Certificate Authority,O=FISICA.CABIB > > > Issuer: CN=Certificate Authority,O=FISICA.CABIB > > > Valid From: 2014-01-14 12:56:57 > > > Valid Until: 2034-01-14 12:56:57 > > > > > > Enrolled in IPA realm FISICA.CABIB > > > Created /etc/ipa/default.conf > > > Configured /etc/sssd/sssd.conf > > > Configured /etc/krb5.conf for IPA realm FISICA.CABIB > > > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: > > > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname > > mismatch, > > > certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997) > > > The ipa-client-install command failed. See > > > /var/log/ipaclient-install.log for more information > > > root@fisica75:~# > > > > > > There is no Hostname mismatch for the server certificate. It has > been > > > working just fine for years with multiple distros as clients. I can > > > access the website with the same URL and cert is just fine. > > > > > > > The error message is pretty clear and comes out of openssl. Can we > see > > the web server certificate from that host? Can you confirm that the > host > > the client connected to is actually this host (e.g. DNS or /etc/host > > issues)? > > > > rob > > > > > > > > -- > > Gustavo Berman > > Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA > > -- Gustavo Berman Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
