On Wed, 17 Jun 2015, Piotr Baranowski wrote:
I have a challenging setup I need some help with.
EXTERNAL CLIENTS <-> INTERNET <-> SERVER <-> IPA <-> INTERNAL CLIENTS
There is no problem with internal clients. They register/enroll and then work like a charm.
The challenge is how external clients access the IPA server.
Firewall does a DNAT from external interface to internal one
DNATed services are:
I'm using apache with a mod_proxy config to pass http/https traffic from clients to the actual ipa server.
It's done using the following config:
ProxyPass / http://A.B.C.D/ timeout=300 keepalive=On
ProxyPass / https://A.B.C.D/ timeout=300 keepalive=On
DNS SRV records are set up correctly and autodiscovery works.
When I run ipa-client-install --mkhomedir I get a nicely working setup.
External clients complain about the ssl cert:
[root@biuro1 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
DNS Domain: osec.pl
IPA Server: id.osec.pl
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for ad...@osec.pl :
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Peer's certificate issuer has been marked as not trusted by the
It seems that the client does not like the cert presented by the "proxying" server.
Am I doing something fundamentally wrong here?
Can the registration process be proxied by apache/mod_proxy?
So you have two different certificates in use here and your client
doesn't know about the other certificate (from your proxy). You need
either to deliver that certificate to the client by yourself or change
your proxying technology to something different.
For example, you can use sniproxy which doesn't require in-the-middle
/ Alexander Bokovoy
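An added offline illustration of the point above (example script, not from the thread or the FreeIPA project): the enrolling client verifies whatever leaf certificate the TLS endpoint presents against the single trust anchor in /etc/ipa/ca.crt, so a proxy certificate issued by any other CA fails exactly that check, and trusting the proxy's CA on the client makes it pass. All CAs, keys and hostnames below are constructed placeholders generated in a temp dir with openssl.

```bash
#!/bin/sh
# Added example (not from the thread). Reproduces the "certificate issuer has
# been marked as not trusted" condition without a network: two CAs, two server
# certs for the same hostname, one trust anchor. Everything is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA: $1 = CA name (files $WORK/$1.crt, $WORK/$1.key)
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Server cert signed by a CA: $1 = issuing CA name, $2 = cert name, $3 = CN
mkcert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# What the client's TLS library does with the presented leaf: build a chain
# to the trust anchor. $1 = trust anchor (role of /etc/ipa/ca.crt), $2 = leaf.
# Prints "ok" when the chain verifies, "untrusted-issuer" otherwise.
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted-issuer
  fi
}

mkca ipa-ca                                      # CA the client has in ca.crt
mkca proxy-ca                                    # CA that issued the proxy's cert
mkcert ipa-ca   ipa-server   id.example.test     # cert the real IPA server presents
mkcert proxy-ca proxy-server id.example.test     # cert the mod_proxy frontend presents

# Same hostname, different issuer: only the directly served cert chains to ca.crt.
DIRECT=$(check_chain "$WORK/ipa-ca.crt" "$WORK/ipa-server.crt")
PROXIED=$(check_chain "$WORK/ipa-ca.crt" "$WORK/proxy-server.crt")
echo "direct: $DIRECT   via proxy: $PROXIED"
```

Running `check_chain "$WORK/proxy-ca.crt" "$WORK/proxy-server.crt"` shows the first remedy from the reply: once the client trusts the proxy's issuing CA, the same leaf verifies.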