On 12/08/2014 08:00 PM, Megan . wrote:
> I looked through the logs on the server and I see the below error in
> the apache error log when I try to register a client:
>
> [Mon Dec 08 12:20:38 2014] [error] SSL Library Error: -12195 Peer does
> not recognize and trust the CA that issued your certificate
>
>
> I ran ipa-getcert list and everything seems ok (nothing expired) but
> I'm not sure where to troubleshoot from here.

The next step would be to check the actual HTTP certificate (on the client
machine) and see what's wrong. I did a simple test you can follow:

# wget http://ipa.mkosek-f21.test/ipa/config/ca.crt -O /tmp/ipa.crt
# openssl s_client -host ipa.mkosek-f21.test -port 443 -CAfile /tmp/ipa.crt
CONNECTED(00000003)
depth=1 O = MKOSEK-F21.TEST, CN = Certificate Authority
verify return:1
depth=0 O = MKOSEK-F21.TEST, CN = ipa.mkosek-f21.test
verify return:1
---
Certificate chain
 0 s:/O=MKOSEK-F21.TEST/CN=ipa.mkosek-f21.test
   i:/O=MKOSEK-F21.TEST/CN=Certificate Authority
 1 s:/O=MKOSEK-F21.TEST/CN=Certificate Authority
   i:/O=MKOSEK-F21.TEST/CN=Certificate Authority
---
Server certificate
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 5A4B326D2E8FB80408D628D1975C49C4F78D3E65F31E475F9E7B9BBBE11F576E
    Session-ID-ctx:
    Master-Key: D5C31E9E36503ADC9F162439B41A7A608260D7DF5EB357FB3D79C9CFAE700912526893E7DD9AA56F5B6CD320FBA98C49
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1418073191
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

>
>
>
> On Fri, Dec 5, 2014 at 7:51 PM, Megan . <[email protected]> wrote:
>> It failed again.
>>
>>
>> [root@cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> [root@cache2-uat ~]#
>>
>> Not sure if it's related, but on the directory server in the apache
>> error.log I see the below every time a client tries to register:
>>
>> [Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL
>> client cannot verify your certificate
>>
>> On the directory server I ran ipa-getcert list and the certs seem ok.
>>
>>
>>
>> On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <[email protected]> wrote:
>>> Megan . wrote:
>>>> Sorry for being unclear. It still fails. Same error.
>>>
>>> Hmm, strange. Try being explicit about sql:
>>>
>>> # certutil -L -d sql:/etc/pki/nssdb
>>>
>>> And if there is a CA cert there, delete it.
>>>
>>> rob
>>>
>>>>
>>>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <[email protected]
>>>> <mailto:[email protected]>> wrote:
>>>>
>>>>     Megan . wrote:
>>>>     > Thanks.
>>>>     >
>>>>     > I did have an issue last week where I tried to do the client install
>>>>     > and it failed because of a firewall issue. Networks has it opened
>>>>     > now. I deleted ca.crt before trying again. There doesn't seem to be
>>>>     > a certificate in /etc/pki/nssdb for it.
>>>>     >
>>>>     >
>>>>     >
>>>>     > [root@data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>>>>     >
>>>>     >
>>>>     > Certificate Nickname                                         Trust Attributes
>>>>     >                                                              SSL,S/MIME,JAR/XPI
>>>>     >
>>>>     >
>>>>     > [root@data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>>     >
>>>>     > certutil: could not find certificate named "IPA CA":
>>>>     > SEC_ERROR_BAD_DATABASE: security library: bad database.
>>>>     >
>>>>     > [root@data2-uat ipa]# ls
>>>>     >
>>>>     > [root@data2-uat ipa]# pwd
>>>>     >
>>>>     > /etc/ipa
>>>>     >
>>>>     > [root@data2-uat ipa]# ls -al
>>>>     >
>>>>     > total 16
>>>>     >
>>>>     > drwxr-xr-x.  2 root root  4096 Dec  5 21:16 .
>>>>     >
>>>>     > drwxr-xr-x. 82 root root 12288 Dec  5 21:16 ..
>>>>     >
>>>>     > [root@data2-uat ipa]#
>>>>
>>>>     So trying to install the client again fails or succeeds now?
>>>>
>>>>     rob
>>>>
>>>>     >
>>>>     > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden
>>>>     <[email protected] <mailto:[email protected]>> wrote:
>>>>     >> Rob Crittenden wrote:
>>>>     >>> Megan . wrote:
>>>>     >>>> Good Day!
>>>>     >>>>
>>>>     >>>> I am getting an error when I register new clients.
>>>>     >>>>
>>>>     >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>>>>     >>>>
>>>>     >>>> I can't find anything useful on the internet about the error. Can
>>>>     >>>> someone help me troubleshoot?
>>>>     >>>>
>>>>     >>>> CentOS 6.6 x64
>>>>     >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>>>     >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>>>     >>>> curl-7.19.7-40.el6_6.1.x86_64
>>>>     >>>
>>>>     >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>>>>     >>> any testing on the client with this set.
>>>>     >>
>>>>     >> Never mind, that's not it. The problem is:
>>>>     >>
>>>>     >> * NSS error -8054
>>>>     >>
>>>>     >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>>>>     >>
>>>>     >> So I'd do this:
>>>>     >>
>>>>     >> # rm /etc/ipa/ca.crt
>>>>     >>
>>>>     >> You may also want to ensure that the IPA CA certificate isn't in
>>>>     >> /etc/pki/nssdb:
>>>>     >>
>>>>     >> # certutil -L -d /etc/pki/nssdb
>>>>     >>
>>>>     >> And then perhaps
>>>>     >>
>>>>     >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>>     >>
>>>>     >> rob
>>>>     >>
>>>>     >>>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
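The two checks the thread walks through, reproduced as an added example that is not from any post in the thread nor from FreeIPA itself: parsing the "Verify return code" line of an `openssl s_client` run against the CA published at /ipa/config/ca.crt (Martin's test), and building the condition behind Rob's diagnosis, a stale CA file that has the same issuer DN and serial number as the CA the server now uses but a different key. OpenSSL will not raise the NSS code SEC_ERROR_REUSED_ISSUER_AND_SERIAL (NSS does that when a different certificate with the same issuer and serial is already in its database); the demo shows the underlying mismatch and why the stale /etc/ipa/ca.crt has to go. It assumes openssl(1) in PATH, wget for the live variant only, and the organisation and host names EXAMPLE.TEST / ipa.example.test are made up.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA).  Assumes openssl(1);
# the live check at the bottom additionally needs wget and network access.
# All certificates and the s_client samples below are constructed here.

# 1. Pull "Verify return code: N (...)" out of openssl s_client output and
#    print N.  Returns 1 when the line is absent (connection never completed).
verify_code_from_output() {
    code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# Constructed tail of a successful run, mirroring the one quoted above.
SAMPLE_OK='---
    Start Time: 1418073191
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---'
# Constructed tail for a client whose CA file does not match the server.
SAMPLE_BAD='    Verify return code: 20 (unable to get local issuer certificate)'

# 2. Throw-away PKI under $1: "ca" (current CA), "stale" (same subject and
#    serial as ca, fresh key: what a leftover /etc/ipa/ca.crt looks like
#    after the CA was reinstalled), and a server cert issued by "ca".
make_demo_pki() {
    d=$1
    subj='/O=EXAMPLE.TEST/CN=Certificate Authority'   # made-up realm
    for name in ca stale; do
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -set_serial 1 \
            -subj "$subj" -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj '/O=EXAMPLE.TEST/CN=ipa.example.test' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -set_serial 2 -in "$d/srv.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -out "$d/srv.crt" 2>/dev/null || return 1
}

# 3. Does certificate $2 chain to the CA in $1?  Looks at the printed verdict
#    rather than the exit status, which older openssl(1) did not set on failure.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# 4. Two certificate files NSS would treat as the same database entry:
#    identical issuer DN and serial number.
same_issuer_and_serial() {
    a=$(openssl x509 -noout -issuer -serial -in "$1")
    b=$(openssl x509 -noout -issuer -serial -in "$2")
    [ "$a" = "$b" ]
}

# 5. SHA-256 fingerprint: the quick way to compare /etc/ipa/ca.crt with the
#    copy served at http://<server>/ipa/config/ca.crt before reinstalling.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Live version of Martin's test (not exercised offline): fetch the published
# CA and check the HTTP certificate against it.  Note the CA is fetched over
# plain HTTP, so compare its fingerprint with a copy you trust.
ipa_tls_check() {
    host=$1; ca=$(mktemp)
    wget -q "http://$host/ipa/config/ca.crt" -O "$ca" || return 2
    out=$(openssl s_client -connect "$host:443" -CAfile "$ca" </dev/null 2>/dev/null)
    code=$(verify_code_from_output "$out") || return 3
    echo "Verify return code: $code; published CA fingerprint $(fingerprint "$ca")"
    [ "$code" = 0 ]
}
```

Run `ipa_tls_check ipa.example.test` on a client that fails to enroll: a non-zero verify code means the HTTP certificate does not chain to the CA the server publishes, while a zero code with `ipa-client-install` still failing points at a stale local copy, which is what `same_issuer_and_serial` and `fingerprint` let you confirm against /etc/ipa/ca.crt before removing it.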
