Chris Kross via FreeIPA-users wrote:
> Hello to all!
>
> I'm trying a lot to set up a firewall VPN login with certificates generated
> by the FreeIPA server, but I'm stuck now.
> I have the user certificate generated by FreeIPA, and the firewall
> generated the CSR, which was then imported on the FreeIPA server, and the PEM
> generated by the UI was downloaded and imported again in the firewall, and
> the firewall matches the signed certificate.
> But when we try to connect to the VPN using certificates, the debug shows:
>
> fnbamd_auth_cert_result-Result for ldap svr[0] 'fripa.domain.net' is DENY
> auth_cert_success-Matched user name 'CA-Ldaps', matched group name 'CA-Ldapgrp'
> fnbamd_comm_send_result-Sending result 1 (error 0, nid 672) for req 454599539
> delete_group_list-Delete group CA-Ldapgrp
> ike 3:C2-HQ_DCI:50: certificate validation failed
>
> From the firewall we can test the LDAPS users and passwords and the test is
> OK.
>
> Thanks to all for any advice!
>
My guess is something doesn't trust or know about the IPA CA chain.

rob
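
Added example (not part of the original thread, and not FreeIPA or firewall vendor code): one way to check the "doesn't trust the CA chain" hypothesis offline is to verify the client certificate against only the CA bundle the validating device has been given. The function names check_chain and make_demo_pki are hypothetical, and the demo certificates are constructed throwaway material.

```shell
#!/bin/sh
# check_chain CA_BUNDLE CERT
# Prints "trusted" (exit 0) when CERT chains to a CA in CA_BUNDLE, otherwise
# "untrusted: <openssl reason>" (exit 1). -no-CApath keeps the system trust
# directory out of the decision, so only the bundle you pass is consulted,
# which mirrors a device that knows just the CAs imported into it.
check_chain() {
    if out=$(openssl verify -no-CApath -CAfile "$1" "$2" 2>&1); then
        echo "trusted"
    else
        # Keep openssl's reason line, e.g.
        # "error 20 at 0 depth lookup: unable to get local issuer certificate"
        echo "untrusted: $(printf '%s\n' "$out" | grep -i -m1 'error [0-9]')"
        return 1
    fi
}

# make_demo_pki DIR
# Builds a constructed PKI for the demonstration (assumption: openssl with its
# default config is installed): ca.crt signs leaf.crt, other-ca.crt is an
# unrelated CA that did not sign anything.
make_demo_pki() {
    d=$1
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-vpn-user" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Typical use against real files (on an IPA-enrolled host the CA certificate
# is normally /etc/ipa/ca.crt; user-cert.pem is a placeholder name):
#   check_chain /etc/ipa/ca.crt user-cert.pem
```

If the certificate verifies against the IPA CA file but the device still rejects it, compare that file with the CA certificate actually imported on the device.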
