Armstrong, Kenneth Lawrence wrote:
On Tue, 2013-07-23 at 17:13 +0000, Armstrong, Kenneth Lawrence wrote:
On Tue, 2013-07-23 at 13:23 +0000, Armstrong, Kenneth Lawrence wrote:
On Mon, 2013-07-22 at 17:49 -0400, Rob Crittenden wrote:
Armstrong, Kenneth Lawrence wrote:
> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
>> On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
>>> Armstrong, Kenneth Lawrence wrote:
>>> > Hi all,
>>> >
>>> > I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
>>> > and RHEL 4 clients as well, so I was going to test that out.
>>> >
>>> > However, I can not get a RHEL 5.9 client to join the domain.
>>> >
>>> > [root@r5-idmclient ~]# ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
>>> > root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
>>> > This may mean that the remote server is not up or is not reachable
>>> > due to network or firewall settings.
>>> > Installation failed. Rolling back changes.
>>> > IPA client is not configured on this system.
>>> >
>>> >
>>> > Digging a little bit and I see that the ipa-client is an older version:
>>> >
>>> > ipa-client-2.1.3-5.el5_9.2
>>> >
>>> > Doing a yum update/upgrade doesn't show a newer version.
>>> >
>>> > I was considering a manual installation, but the ipa-admintools don't
>>> > appear to be available for RHEL 5.9?
>>> >
>>> > Is there a way to make this work?
>>>
>>> I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
>>> should be possible to use the 2.1.3 client in EL 5 to enroll against a
>>> 3.x server.
>>>
>>> Otherwise we probably need more context from
>>> /var/log/ipaclient-install.log to see how the CA was retrieved.
>>>
>>> rob
>>>
>>
>> Thanks for the tip.  I tried it again, and it still failed.  End of
>> the log:
>>
>> [root@r5-idmclient ~]# tail -20 /var/log/ipaclient-install.log
>>   lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU
>>
>>
>> 2013-07-22 13:45:36,982 DEBUG args=kinit ad...@lnxrealmtest.liberty.edu
>> 2013-07-22 13:45:36,983 DEBUG stdout=Password for ad...@lnxrealmtest.liberty.edu:
>>
>> 2013-07-22 13:45:36,983 DEBUG stderr=
>> 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
>> ldap://lnxrealmtest01.liberty.edu
>> 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
>>     Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
>>     Issuer:      /DC=edu/DC=liberty/CN=LUPKI01
>>
>> 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
>> lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
>> 2013-07-22 13:45:37,345 DEBUG stdout=
>> 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
>> HTTP POST transaction.  SSL certificate problem, verify that the CA
>> cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> 2013-07-22 13:45:37,490 DEBUG args=kdestroy
>> 2013-07-22 13:45:37,491 DEBUG stdout=
>> 2013-07-22 13:45:37,491 DEBUG stderr=
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> I just stood up a brand new RHEL 6 client, and it works just fine, so
> there is something amiss with RHEL 5 on this.  The time on the RHEL 5
> client and the RHEL 6 IdM server is the same, and the cert is valid, so
> I don't know why the RHEL 5 system does not like the cert.  Could it be
> something with the versions of packages installed on it?
>
> libipa_hbac-1.5.1-58.el5
> ipa-client-2.1.3-5.el5_9.2
> curl-7.15.5-17.el5_9
> openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for
some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob

[klarmstrong2@r6-idmclient ~]$ sudo openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt
[sudo] password for klarmstrong2:
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
0D52FB7937A013C4F0F26E77B24A6133DB3B6D760BD1C65F0010A326A195FDEE
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374585629
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


So it doesn't like it, yet I can still add a RHEL 6 client?  Is there
more stringent checking with the version of OpenSSL in RHEL 5?

-Kenny

OK, I am having trouble making sense of this.

First, I checked the CA cert chain that I downloaded from our PKI
server to see if it's cool:

[root@lnxrealmtest01 ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/CACert.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
A917000003331BFAE02105066148E731DC3585E81DAD9AA18F9D0AAC71F4E0B1
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598158
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

^C
[root@lnxrealmtest01 ~]# ls
anaconda-ks.cfg  ca-agent.p12  CACert.cer  cacert.p12  CACert.p7b
install.log  install.log.syslog  ipa.cer  ipa.csr
[root@lnxrealmtest01 ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598365
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


Next, I check the cert that was issued by our local CA:


[root@lnxrealmtest01 ~]# openssl s_client -host lupki01.liberty.edu -port 443 -CAfile /root/ipa.cer
CONNECTED(00000003)
depth=2 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions,
Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=1 DC = edu, DC = liberty, CN = LUPKI01
verify return:1
depth=0 C = US, ST = VA, L = Lynchburg, O = Liberty University, OU =
Microsoft Team, CN = lupki01.liberty.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
Team/CN=lupki01.liberty.edu
   i:/DC=edu/DC=liberty/CN=LUPKI01
1 s:/DC=edu/DC=liberty/CN=LUPKI01
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=VA/L=Lynchburg/O=Liberty University/OU=Microsoft
Team/CN=lupki01.liberty.edu
issuer=/DC=edu/DC=liberty/CN=LUPKI01
---
No client certificate CA names sent
---
SSL handshake has read 2990 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
4F0B000037034E3D42400ACC911678D620D40CAB231E403B888A449C2A95F6CA
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598365
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


So all that looks good, but I check the certificate against the IPA
server, and it fails:

[root@lnxrealmtest01 ~]# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /root/CACert.cer
CONNECTED(00000003)
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = LNXREALMTEST.LIBERTY.EDU, CN = lnxrealmtest01.liberty.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
   i:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
1 s:/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
   i:/DC=edu/DC=liberty/CN=LUPKI01
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/O=LNXREALMTEST.LIBERTY.EDU/CN=lnxrealmtest01.liberty.edu
issuer=/O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2629 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
0D58B89B946578D2883CE2F306E66E5D638B152A96360C8BC69F7BB7A38F430D
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1374598420
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


So I get it that it would fail against the IPA server, since it didn't
issue it.  But what I don't understand is that if the certificate is
inherently ok, then why does it fail when I try to install the RHEL 5
client?


-Kenny

I think that there is still something funky with the way RHEL 5 works
with the SSL cert for IPA.

I tried the client install again, using the exact CA certificate that I
used when setting up the original IdM server, and tried to force the
installation:

[root@r5-idmclient ~]# ipa-client-install --domain linuxrealm.liberty.edu --ca-cert-file=/root/CACert.cer --force
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com):
lnxrealmtest01.liberty.edu
root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Force set so not rolling back changes.

It still looks like it tries to verify anyway, which of course fails.

-Kenny

--force doesn't cause it to skip SSL verification.

Comparing RHEL 5 to 6 is comparing apples to oranges since they use different crypto libraries (OpenSSL vs NSS). It is an interesting data point though.

Had you been using an older version of OpenSSL I would have suspected that was the problem, but since you're using the latest I'm not sure what the issue is.

Can you verify that the full chain is being sent? openssl s_client -showcerts

Is your IPA CA certificate signed by another authority (e.g. an external CA installation)?

rob

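The chain-building question Rob raises (is the IPA CA itself signed by another authority, and can a client whose trust file holds only that CA verify the server?) can be reproduced offline. The script below is an added example, not code from this thread or from FreeIPA: it generates a throwaway external root -> subordinate "IPA-style" CA -> server certificate chain, checks whether each CA certificate is self-signed, and runs `openssl verify` against four trust-store layouts. It assumes OpenSSL 1.0.2 or newer on PATH (the `-partial_chain` option first appeared in 1.0.2 and does not exist in RHEL 5's 0.9.8e); every name, subject and file in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway three-tier chain and ask
# "openssl verify" the question a client's OpenSSL asks during enrollment: can the
# server's leaf be verified when the trust file contains only the subordinate CA?
# Assumes openssl >= 1.0.2 on PATH. All names and files below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config: a dummy DN section (req insists on one) plus CA and leaf extensions.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ipa.example.test
EOF

# issue <name> <subject> <ext-section> [<issuer-name>]; without an issuer the cert is self-signed.
# stderr is silenced to hide key-generation noise; set -e still aborts on any failure.
issue() {
  name=$1; subj=$2; ext=$3; issuer=$4
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
      -out "$WORK/$name.pem" -subj "$subj" -days 30 -config "$CNF" -extensions "$ext" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
      -out "$WORK/$name.csr" -subj "$subj" -config "$CNF" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -out "$WORK/$name.pem" -days 30 -extfile "$CNF" -extensions "$ext" 2>/dev/null
  fi
}

issue root "/DC=test/DC=example/CN=External Root CA" v3_ca          # stands in for LUPKI01
issue int  "/O=IPA.EXAMPLE.TEST/CN=Certificate Authority" v3_ca root # stands in for the IPA CA
issue leaf "/O=IPA.EXAMPLE.TEST/CN=ipa.example.test" v3_leaf int     # stands in for the IPA server cert

# Is the certificate in $1 self-signed (subject DN equals issuer DN)? Prints yes or no.
# A trust file whose only CA is *not* self-signed is Rob's "signed by another authority" case.
self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Outcome of "openssl verify <options> leaf.pem": prints ok or fail, exit status always 0.
verify_leaf() {
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The trust-store layouts worth comparing, selectable by name.
scenario() {
  case $1 in
    root_and_untrusted_intermediate) verify_leaf -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" ;;
    intermediate_only)               verify_leaf -CAfile "$WORK/int.pem" ;;
    intermediate_only_partial_chain) verify_leaf -partial_chain -CAfile "$WORK/int.pem" ;;
    root_only)                       verify_leaf -CAfile "$WORK/root.pem" ;;
    *) echo "unknown scenario $1" >&2; return 1 ;;
  esac
}

printf 'root self-signed: %s, intermediate self-signed: %s\n' \
  "$(self_signed "$WORK/root.pem")" "$(self_signed "$WORK/int.pem")"
for s in root_and_untrusted_intermediate intermediate_only intermediate_only_partial_chain root_only; do
  printf '%-34s %s\n' "$s" "$(scenario "$s")"
done
```

The `intermediate_only` layout is the one /etc/ipa/ca.crt is in for this thread: the only trusted certificate is a subordinate CA, and OpenSSL before 1.0.2 accepts a chain only when it ends at a self-signed certificate in its trust store, so the leaf fails verification even though the trusted CA issued it. The two ways out are to give the verifier the whole chain up to the self-signed root (`root_and_untrusted_intermediate`, with the intermediate either sent by the server, which `openssl s_client -showcerts` will show, or present locally) or to tell a 1.0.2+ verifier that a non-self-signed anchor is acceptable (`-partial_chain`); `root_only` shows that a root alone is not enough either when the intermediate is missing from both the trust file and the server's handshake.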
