Hi Martin, this is the output from the id1 host:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust
Attributes

 SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C


looks just like you suggested. Any other suggestion?

On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:

> On 11/04/2016 04:52 PM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I have a FreeIPA installation that is working very nicely, we already
>> have configured many hosts and so far we are quite happy with it.
>>
>> I was trying to connect Ansible to fetch hosts from FreeIPA using the
>> freeipa.py script
>> (https://github.com/ansible/ansible/blob/devel/contrib/inven
>> tory/freeipa.py)
>>
>> Unfortunately when I run it, I get the following:
>>
>> *ipa: ERROR: cert validation failed for
>> "CN=id1.prod.**xxxxxxxx**.com,O=PROD.xxxxxxxx.COM
>> <http://PROD.xxxxxxxx.COM>" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>> certificate issuer has been marked as not trusted by the user.)*
>> *ipa: ERROR: cert validation failed for
>> "CN=id2.prod.**xxxxxxxx**.com,O=PROD.xxxxxxxx.COM
>> <http://PROD.xxxxxxxx.COM>" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
>> certificate issuer has been marked as not trusted by the user.)*
>> *Traceback (most recent call last):*
>> *  File "./freeipa.py", line 82, in <module>*
>> *    api = initialize()*
>> *  File "./freeipa.py", line 17, in initialize*
>> *    api.Backend.rpcclient.connect()*
>> *  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66,
>> in connect*
>> *    conn = self.create_connection(*args, **kw)*
>> *  File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in
>> create_connection*
>> *    error=', '.join(urls))*
>> *ipalib.errors.NetworkError: cannot connect to 'any of the configured
>> servers': https://id1.prod.**xxxxxxxx**.com/ipa/json,
>> https://id2.prod.**xxxxxxxx**.com/ipa/json*
>>
>>
>> If I curl the URL, it works just fine ( I imported the CA Certificate in
>> the system directory /etc/ssl/certs).
>>
>> I have run `openssl s_client` connect and downloaded the remote
>> certificate locally, then I run:
>>
>> # openssl verify cert.pem
>> # *id1.prod.**xxxxxxxx**.com.pem*: OK
>>
>>
>> Would you help me figure out what's going on?
>>
>>
>>
>> --
>> Alessandro De Maria
>> alessandro.dema...@gmail.com <mailto:alessandro.dema...@gmail.com>
>>
>>
>>
> Hi Alessandro,
>
> this error can mean that the CA certificate in IPA NSS database has wrong
> trust flags set. Please make sure that there is IPA CA certificate present
> on /etc/httpd/alias and it has trust flags CT,C,C like this:
>
> # certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> <$REALM> IPA CA                                              CT,C,C
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>



-- 
Alessandro De Maria
alessandro.dema...@gmail.com
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to