Sigbjorn Lie wrote:
On what machine are you trying to use the ipa tool? Is it one of the
masters, all of them, enrolled clients?

It's the same error message when the "ipa" command is run directly on any of 
the masters.

And it's the same error message if I run the "ipa" command on any of the 

I do not have a working "ipa" command anywhere anymore.

Ok, let's test out the cert that ipa is using. Try this on any one of the masters:

$ curl https://`hostname`/ipa/xml
Should fail with Peer certificate cannot be authenticated with known CA certificates

$ curl --cacert /etc/ipa/ca.crt https://`hostname`/ipa/xml
Should succeed in that you get the "you are not logged in" HTML page

Ok, now unfortunately curl only handles the sql-style NSS databases so we can't fully reproduce it the same way that the IPA client is doing things, but here is an approximation:

# certutil -A -d sql:/etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
$ curl https://`hostname`/ipa/xml
You should see the login page HTML

If you stick a -v in there it'll give you more verbose output which would be useful if any of these fail in an unexpected way.

Whatever is going on isn't likely related to the web server Apache
database as you get the same error out of each one. The client log you sent 
confirmed that it tried
to contact each master. The SSL error we're getting is that the client doesn't 
trust the CA that
signed the server certificate so this appears to be a problem on the client, 
which begs the
question: all clients or just this one?

All clients.

NSS is smart enough to handle multiple certificates, it should pick the
newest one on startup.


Where do you suggest I continue troubleshooting this issue?

We can also tackle this on the server side. Let's verify the server cert:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias

This is verified on server startup so I expect it to be valid, but doesn't hurt to try.

Restarting the Apache process might be something to try as changes to the NSS database aren't picked up until a restart.

Freeipa-users mailing list

Reply via email to