[solved] As stated, SAN was missing in my certificates I resubmitted my certificate at the ipa server adding SAN with:
# getcert resubmit -i <certmonger_request_id> -D $(hostname) Now I can execute ipa-client-install without a problem! Thanks! El vie, 27 may 2022 a la(s) 11:38, Gustavo Berman (gustavober...@gmail.com) escribió: > OpenSSL 3.0.2-0ubuntu1.1 is installed in 22.04 > Previous email with openssl and curl commands were runt in ubuntu 22.04 > > El vie, 27 may 2022 a la(s) 11:23, Rob Crittenden (rcrit...@redhat.com) > escribió: > >> Thanks, this is very helpful. I wonder if the same s_client and curl >> commands work from the Ubuntu 22.04 machine or if they'll fail in the >> same way. >> >> The cert lacks a DNS SAN for the hostname. I suspect this may be the >> issue (using the CN has been deprecated forever but was still allowed in >> most libraries). What version of OpenSSL is on 22.04? >> >> rob >> >> Gustavo Berman wrote: >> > Here's info obtained from the same client using openssl, you can se that >> > subject CN is fine. >> > >> > localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername >> > ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null | >> > openssl x509 -inform pem -noout -text >> > Certificate: >> > Data: >> > Version: 3 (0x2) >> > Serial Number: 536805412 (0x1fff0024) >> > Signature Algorithm: sha256WithRSAEncryption >> > Issuer: O = FISICA.CABIB, CN = Certificate Authority >> > Validity >> > Not Before: Jul 14 14:25:06 2020 GMT >> > Not After : Jul 15 14:25:06 2022 GMT >> > Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib >> > Subject Public Key Info: >> > Public Key Algorithm: rsaEncryption >> > Public-Key: (2048 bit) >> > Modulus: >> > 00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a: >> > a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b: >> > fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6: >> > 4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9: >> > db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5: >> > 14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93: >> > fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68: >> > db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76: >> > 0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85: >> > 6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db: >> > ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4: >> > a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46: >> > 65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79: >> > 3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2: >> > 63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d: >> > fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c: >> > d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d: >> > ef:ab >> > Exponent: 65537 (0x10001) >> > X509v3 extensions: >> > X509v3 Authority Key Identifier: >> > >> F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32 >> > Authority Information Access: >> > OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp >> > X509v3 Key Usage: critical >> > Digital Signature, Non Repudiation, Key Encipherment, >> > Data Encipherment >> > X509v3 Extended Key Usage: >> > TLS Web Server Authentication, TLS Web Client >> Authentication >> > X509v3 CRL Distribution Points: >> > Full Name: >> > URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin >> >> > CRL Issuer: >> > DirName:O = ipaca, CN = Certificate Authority >> > X509v3 Subject Key Identifier: >> > >> 3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D >> > X509v3 Subject Alternative Name: >> > othername: >> > UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername: >> > 1.3.6.1.5.2.2::<unsupported> >> > Signature Algorithm: sha256WithRSAEncryption >> > Signature Value: >> > b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15: >> > a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37: >> > ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d: >> > bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92: >> > 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f: >> > 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b: >> > e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7: >> > 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49: >> > 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48: >> > c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba: >> > 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f: >> > 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17: >> > 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b: >> > 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03: >> > dd:92:d4:68 >> > localadmin@fisica75:~$ >> > >> > >> > And more info obtained with curl: >> > >> > localadmin@fisica75:~$ curl --insecure -vvI >> https://ipaserver.fisica.cabib >> > * Trying 10.reda.cted.ip:443... >> > * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0) >> > * ALPN, offering h2 >> > * ALPN, offering http/1.1 >> > * TLSv1.0 (OUT), TLS header, Certificate Status (22): >> > * TLSv1.3 (OUT), TLS handshake, Client hello (1): >> > * TLSv1.2 (IN), TLS header, Certificate Status (22): >> > * TLSv1.3 (IN), TLS handshake, Server hello (2): >> > * TLSv1.2 (IN), TLS handshake, Certificate (11): >> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12): >> > * TLSv1.2 (IN), TLS handshake, Server finished (14): >> > * TLSv1.2 (OUT), TLS header, Certificate Status (22): >> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): >> > * TLSv1.2 (OUT), TLS header, Finished (20): >> > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): >> > * TLSv1.2 (OUT), TLS header, Certificate Status (22): >> > * TLSv1.2 (OUT), TLS handshake, Finished (20): >> > * TLSv1.2 (IN), TLS header, Finished (20): >> > * TLSv1.2 (IN), TLS header, Certificate Status (22): >> > * TLSv1.2 (IN), TLS handshake, Finished (20): >> > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 >> > * ALPN, server did not agree to a protocol >> > * Server certificate: >> > * subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib >> > * start date: Jul 14 14:25:06 2020 GMT >> > * expire date: Jul 15 14:25:06 2022 GMT >> > * issuer: O=FISICA.CABIB; CN=Certificate Authority >> > * SSL certificate verify result: self-signed certificate in certificate >> > chain (19), continuing anyway. >> > * TLSv1.2 (OUT), TLS header, Supplemental data (23): >> >> HEAD / HTTP/1.1 >> >> Host: ipaserver.fisica.cabib >> >> User-Agent: curl/7.81.0 >> >> Accept: */* >> >> >> > * TLSv1.2 (IN), TLS header, Supplemental data (23): >> > * Mark bundle as not supporting multiuse >> > < HTTP/1.1 301 Moved Permanently >> > HTTP/1.1 301 Moved Permanently >> > < Date: Fri, 27 May 2022 13:53:28 GMT >> > Date: Fri, 27 May 2022 13:53:28 GMT >> > < Server: Apache/redactedversion >> > Server: Apache/redactedversion >> > < Location: https://ipaserver.fisica.cabib/ipa/ui >> > Location: https://ipaserver.fisica.cabib/ipa/ui >> > < Content-Type: text/html; charset=iso-8859-1 >> > Content-Type: text/html; charset=iso-8859-1 >> > >> > < >> > * Connection #0 to host ipaserver.fisica.cabib left intact >> > >> > Also attached public cert >> > >> > >> > >> > >> > El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com >> > <mailto:rcrit...@redhat.com>) escribió: >> > >> > Gustavo Berman via FreeIPA-users wrote: >> > > Hello there! >> > > >> > > Ubuntu 18.04 (and previous ones) works just fine >> > > In Ubuntu 22.04 I'm trying to execute ipa-client install but it >> > fails with: >> > > >> > > root@fisica75:~# ipa-client-install >> > > This program will set up IPA client. >> > > Version 4.9.8 >> > > >> > > WARNING: conflicting time&date synchronization service 'ntp' will >> be >> > > disabled in favor of chronyd >> > > >> > > Discovery was successful! >> > > Do you want to configure chrony with NTP server or pool address? >> [no]: >> > > Client hostname: fisica75.fisica.cabib >> > > Realm: FISICA.CABIB >> > > DNS Domain: fisica.cabib >> > > IPA Server: ipaserver.fisica.cabib >> > > BaseDN: dc=fisica,dc=cabib >> > > >> > > Continue to configure the system with these values? [no]: yes >> > > Synchronizing time >> > > No SRV records of NTP servers found and no NTP server or pool >> address >> > > was provided. >> > > Using default chrony configuration. >> > > Attempting to sync time with chronyc. >> > > Time synchronization was successful. >> > > User authorized to enroll computers: tavo >> > > Password for tavo@FISICA.CABIB: >> > > Successfully retrieved CA cert >> > > Subject: CN=Certificate Authority,O=FISICA.CABIB >> > > Issuer: CN=Certificate Authority,O=FISICA.CABIB >> > > Valid From: 2014-01-14 12:56:57 >> > > Valid Until: 2034-01-14 12:56:57 >> > > >> > > Enrolled in IPA realm FISICA.CABIB >> > > Created /etc/ipa/default.conf >> > > Configured /etc/sssd/sssd.conf >> > > Configured /etc/krb5.conf for IPA realm FISICA.CABIB >> > > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': >> [SSL: >> > > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname >> > mismatch, >> > > certificate is not valid for 'ipaserver.fisica.cabib'. >> (_ssl.c:997) >> > > The ipa-client-install command failed. See >> > > /var/log/ipaclient-install.log for more information >> > > root@fisica75:~# >> > > >> > > There is no Hostname mismatch for the server certificate. It has >> been >> > > working just fine for years with multiple distros as clients. I >> can >> > > access the website with the same URL and cert is just fine. >> > > >> > >> > The error message is pretty clear and comes out of openssl. Can we >> see >> > the web server certificate from that host? Can you confirm that the >> host >> > the client connected to is actually this host (e.g. DNS or /etc/host >> > issues)? >> > >> > rob >> > >> > >> > >> > -- >> > Gustavo Berman >> > Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA >> >> > > -- > Gustavo Berman > Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA > -- Gustavo Berman Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure