On 11/07/2016 04:45 PM, Alessandro De Maria wrote:
Hi Martin,

I tried from the host I am executing the script from, and I get:
certutil -L -d /etc/httpd/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.


From the FreeIPA server, as I said previously, I get:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C


From the FreeIPA server, I seem to be able to run the script, so we are
definitely on the right track.
How do I get /etc/httpd/alias/ in sync across these hosts? Can I
copy it, or is there a way to regenerate it?

Regards
Alessandro

On 7 November 2016 at 15:36, Alessandro De Maria
<alessandro.dema...@gmail.com> wrote:

    Hi Martin, this is the output from the id1 host:

    certutil -L -d /etc/httpd/alias/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    Signing-Cert                                                 u,u,u
    ipaCert                                                      u,u,u
    Server-Cert                                                  u,u,u
    PROD.XXXXXXXXXXXXX.COM IPA CA                                CT,C,C


    It looks just like you suggested. Any other suggestions?

    On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@redhat.com> wrote:

        On 11/04/2016 04:52 PM, Alessandro De Maria wrote:

            Hello,

            I have a FreeIPA installation that is working very nicely; we
            have already configured many hosts and so far we are quite happy
            with it.

            I was trying to connect Ansible to fetch hosts from FreeIPA
            using the freeipa.py script
            (https://github.com/ansible/ansible/blob/devel/contrib/inventory/freeipa.py).

            Unfortunately when I run it, I get the following:

            ipa: ERROR: cert validation failed for
            "CN=id1.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
            certificate issuer has been marked as not trusted by the user.)
            ipa: ERROR: cert validation failed for
            "CN=id2.prod.xxxxxxxx.com,O=PROD.xxxxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
            certificate issuer has been marked as not trusted by the user.)
            Traceback (most recent call last):
              File "./freeipa.py", line 82, in <module>
                api = initialize()
              File "./freeipa.py", line 17, in initialize
                api.Backend.rpcclient.connect()
              File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 66, in connect
                conn = self.create_connection(*args, **kw)
              File "/usr/lib/python2.7/dist-packages/ipalib/rpc.py", line 939, in create_connection
                error=', '.join(urls))
            ipalib.errors.NetworkError: cannot connect to 'any of the configured
            servers': https://id1.prod.xxxxxxxx.com/ipa/json,
            https://id2.prod.xxxxxxxx.com/ipa/json


            If I curl the URL, it works just fine (I imported the CA
            certificate into the system directory /etc/ssl/certs).

            I have run `openssl s_client -connect` and downloaded the remote
            certificate locally, then I ran:

            # openssl verify cert.pem
            # id1.prod.xxxxxxxx.com.pem: OK


            Would you help me figure out what's going on?



            --
            Alessandro De Maria
            alessandro.dema...@gmail.com



        Hi Alessandro,

        This error can mean that the CA certificate in the IPA NSS database
        has the wrong trust flags set. Please make sure that the IPA CA
        certificate is present in /etc/httpd/alias and has the trust flags
        CT,C,C, like this:

        # certutil -L -d /etc/httpd/alias/

        Certificate Nickname                                         Trust Attributes
                                                                     SSL,S/MIME,JAR/XPI

        ipaCert                                                      u,u,u
        Server-Cert                                                  u,u,u
        <$REALM> IPA CA                                              CT,C,C

        --
        Martin^3 Babinsky

        --
        Manage your subscription for the Freeipa-users mailing list:
        https://www.redhat.com/mailman/listinfo/freeipa-users
        Go to http://freeipa.org for more info on the project




    --
    Alessandro De Maria
    alessandro.dema...@gmail.com




--
Alessandro De Maria
alessandro.dema...@gmail.com

Alessandro,

I have just realized that this may be a client-side problem. On the executor you may need to import the CA certificate from the IPA server into the local /etc/ipa/nssdb and/or copy it into /etc/ipa/ca.crt as a PEM file.

Or you can just enroll the node as IPA client and it will set up all this stuff for you.

--
Martin^3 Babinsky

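An added check for the trust-flag condition Martin describes, and for the client-side NSS database he points at in this message (example code written for this thread, not from FreeIPA or the list): it parses `certutil -L` output, finds the `<REALM> IPA CA` row and reports any trust field that is not CT,C,C. The sample listings and the realm name EXAMPLE.TEST are constructed here; the NSS flag alphabet in FLAGS_RE is an assumption covering the flags certutil prints.

```python
import re
import sys

# Constructed sample of `certutil -L -d <nssdb>` output, modelled on the
# listing quoted in the thread; EXAMPLE.TEST is a placeholder realm.
SAMPLE_GOOD = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
"""
# Same listing with an untrusted CA row: the misconfiguration Martin asks to rule out.
SAMPLE_BAD = SAMPLE_GOOD.replace("CT,C,C", ",,")

# Three comma-separated NSS trust fields (SSL, S/MIME, JAR/XPI); assumed flag alphabet.
FLAGS_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, jar) flag strings from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Certificate Nickname") or line == "SSL,S/MIME,JAR/XPI":
            continue  # blank or header line
        nickname, _, flags = line.rpartition(" ")
        if not nickname or not FLAGS_RE.match(flags):
            continue  # not a certificate row (e.g. text wrapped by a mail client)
        entries[nickname.strip()] = tuple(flags.split(","))
    return entries

def check_ipa_ca_trust(entries):
    """Return a list of problems; an empty list means the IPA CA is trusted CT,C,C."""
    ca_rows = {n: f for n, f in entries.items() if n.endswith("IPA CA")}
    if not ca_rows:
        return ["no '<REALM> IPA CA' certificate in database"]
    problems = []
    for nick, (ssl, smime, jar) in ca_rows.items():
        if "C" not in ssl or "T" not in ssl:
            problems.append("%s: SSL trust is '%s', expected CT" % (nick, ssl))
        for field, value in (("S/MIME", smime), ("JAR/XPI", jar)):
            if "C" not in value:
                problems.append("%s: %s trust is '%s', expected C" % (nick, field, value))
    return problems

if __name__ == "__main__":
    # Pipe a real listing in (certutil -L -d /etc/httpd/alias/ | python3 this.py); else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    print("\n".join(check_ipa_ca_trust(parse_certutil_listing(text)) or ["IPA CA trust flags OK"]))
```

Pointing it at `/etc/ipa/nssdb` on the executor and at `/etc/httpd/alias/` on the server shows which database lacks a trusted IPA CA entry.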
