On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:

Armstrong, Kenneth Lawrence wrote:
> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>> Armstrong, Kenneth Lawrence wrote:
>>> > Hi all,
>>> >
>>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>> > and RHEL 4 clients as well, so I was going to test that out.
>>> >
>>> > However, I can not get a RHEL 5.9 client to join the domain.
>>> >
>>> > [root@r5-idmclient <mailto:root@r5-idmclient> ~]# ipa-client-install
>>> > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>> > This may mean that the remote server is not up or is not reachable
>>> > due to network or firewall settings.
>>> > Installation failed. Rolling back changes.
>>> > IPA client is not configured on this system.
>>> >
>>> >
>>> > Digging a little bit and I see that the ipa-client is an older version:
>>> >
>>> > ipa-client-2.1.3-5.el5_9.2
>>> >
>>> > Doing a yum update/upgrade doesn't show a newer version.
>>> >
>>> > I was considering a manual installation, but the ipa-admintools don't
>>> > appear to be available for RHEL 5.9?
>>> >
>>> > Is there a way to make this work?
>>>
>>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>> 3.x server.
>>>
>>> Otherwise we probably need more context from
>>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>
>>> rob
>>>
>>
>> Thanks for the tip.  I tried it again, and it still failed.  End of
>> the log:
>>
>> [root@r5-idmclient <mailto:root@r5-idmclient> ~]# tail -20
>> /var/log/ipaclient-install.log
>>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>
>>
>> 2013-07-22 13:45:36,982 DEBUG args=kinit
>> ad...@lnxrealmtest.liberty.edu<mailto:ad...@lnxrealmtest.liberty.edu> 
>> <mailto:ad...@lnxrealmtest.liberty.edu>
>> 2013-07-22 13:45:36,983 DEBUG stdout=Password for
>> ad...@lnxrealmtest.liberty.edu<mailto:ad...@lnxrealmtest.liberty.edu> 
>> <mailto:ad...@lnxrealmtest.liberty.edu>:
>>
>> 2013-07-22 13:45:36,983 DEBUG stderr=
>> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://lnxrealmtest01.liberty.edu
>> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>
>> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>> 2013-07-22 13:45:37,345 DEBUG stdout=
>> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>> HTTP POST transaction.  SSL certificate problem, verify that the CA
>> cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>> 2013-07-22 13:45:37,491 DEBUG stdout=
>> 2013-07-22 13:45:37,491 DEBUG stderr=
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>  
>> <mailto:Freeipa-users@redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I just stood up a brand new RHEL 6 client, and it works just fine, so
> there is something amiss with RHEL 5 on this.  The time on the RHEL 5
> client and the RHEL 6 IdM server is the same, and the cert is valid, so
> I don't know why the RHEL 5 system does not like the cert.  Could it be
> something with the versions of packages installed on it?
>
> libipa_hbac-1.5.1-58.el5
> ipa-client-2.1.3-5.el5_9.2
> curl-7.15.5-17.el5_9
> openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for
some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile
/etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob


[klarmstrong2@r6-idmclient<mailto:klarmstrong2@r6-idmclient> ~]$ sudo openssl 
s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt
[sudo] password for klarmstrong2:
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374585629
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


So it doesn't like it, yet I can still add a RHEL 6 client?  Is there more 
stringent checking with the version of OpenSSL in RHEL 5?

-Kenny
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to