[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-05-06 Thread Launchpad Bug Tracker
[Expired for freeipa (Ubuntu) because there has been no activity for 60 days.]

** Changed in: freeipa (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
  freeipa-client - Can't enroll a client if server has external CA certs
  in addition to self signed CA cert

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  Ubuntu version - Ubuntu 14.04.5 LTS
  freeipa-client package version - 3.3.4-0ubuntu3.1

  What is expected:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Discovery was successful!
  Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  User authorized to enroll computers: enroll.user
  Password for enroll.u...@id.domain.com:
  Successfully retrieved CA cert
  Subject: CN=Certificate Authority,O=ID.DOMAIN.COM
  Issuer:  CN=Certificate Authority,O=ID.DOMAIN.COM
  Valid From:  Wed Oct 19 14:54:08 2016 UTC
  Valid Until: Sun Oct 19 14:54:08 2036 UTC

  Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Tue Jan 19 00:00:00 2010 UTC
  Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Wed Feb 12 00:00:00 2014 UTC
  Valid Until: Sun Feb 11 23:59:59 2029 UTC

  Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Wed Feb 12 00:00:00 2014 UTC
  Valid Until: Sun Feb 11 23:59:59 2029 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Tue Jan 19 00:00:00 2010 UTC
  Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured sudoers in /etc/nsswitch.conf
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  trying https://directory.id.domain.com/ipa/json
  Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
  Forwarding 'ca_is_enabled' to json server 'https://directory.id.domain.com/ipa/json'
  Systemwide CA database updated.
  Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
  Forwarding 'host_mod' to json server 'https://directory.id.domain.com/ipa/json'
  Could not update DNS SSHFP records.
  SSSD enabled
  Configured /etc/openldap/ldap.conf
  NTP enabled
  Configured /etc/ssh/ssh_config
  Configured /etc/ssh/sshd_config
  Configuring id.domain.com as NIS domain.
  Client configuration complete.

  What happened instead:

  root@ip-10-5-0-73:/home/ubuntu# 

[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-03-07 Thread Chris Gacsal
Hi Timo, Georgijs,

In our setup we use Let's Encrypt certificates for HTTPS/LDAPS and the
solution was to add the "DST Root CA X3" to the NSS database at
"/etc/pki/nssdb". I used the following command to do it:

$ certutil -A -n "DST Root CA X3" -t "C,," -i /etc/ssl/certs/DST_Root_CA_X3.pem -d sql:/etc/pki/nssdb

The strange part of the story is that this is not necessary on Ubuntu 16.04
to have a successful ipa-client-install. Maybe the 4.x version of FreeIPA
has different method(s) for CA certificate retrieval or validation.

Status in freeipa package in Ubuntu:
  Incomplete

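The certutil fix in this reply only covers one root. The listing that ipa-client-install prints after "Successfully retrieved CA cert" (see the bug description at the top of the page) contains nine entries with duplicates, two self-signed roots besides the IPA CA, a cross-signed copy of the COMODO root, and an intermediate, and they do not all want the same treatment. As an added example (not code from the bug report, FreeIPA or Launchpad), the Python below parses that listing, drops the duplicates, tells anchors from intermediates and cross-signed copies as of a given date, and emits certutil lines of the same shape as the one above for everything other than the realm's own IPA CA. The realm name, the `sql:/etc/pki/nssdb` path and the `/etc/ssl/certs/<name>.pem` naming come from the thread; that a PEM file exists under that name for each CA is an assumption, and "Subject equals Issuer" is only a stand-in for self-signed since the listing carries no signatures.

```python
"""Classify the CA list ipa-client-install prints after "Successfully retrieved
CA cert". Added example; not code from the bug report or FreeIPA. Subject ==
Issuer stands in for "self-signed"; the listing has no signatures to verify."""
import re
from collections import namedtuple
from datetime import datetime

# Constructed from the bug description's listing: a subset that keeps one of
# the duplicated AddTrust entries on purpose.
SAMPLE_LISTING = """\
Subject: CN=Certificate Authority,O=ID.DOMAIN.COM
Issuer:  CN=Certificate Authority,O=ID.DOMAIN.COM
Valid From:  Wed Oct 19 14:54:08 2016 UTC
Valid Until: Sun Oct 19 14:54:08 2036 UTC

Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Valid From:  Tue May 30 10:48:38 2000 UTC
Valid Until: Sat May 30 10:48:38 2020 UTC

Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Valid From:  Tue May 30 10:48:38 2000 UTC
Valid Until: Sat May 30 10:48:38 2020 UTC

Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid From:  Tue Jan 19 00:00:00 2010 UTC
Valid Until: Mon Jan 18 23:59:59 2038 UTC

Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid From:  Wed Feb 12 00:00:00 2014 UTC
Valid Until: Sun Feb 11 23:59:59 2029 UTC

Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Valid From:  Tue May 30 10:48:38 2000 UTC
Valid Until: Sat May 30 10:48:38 2020 UTC
"""

BLOCK_RE = re.compile(
    r"Subject:\s*(?P<subject>.+)\n\s*Issuer:\s*(?P<issuer>.+)\n"
    r"\s*Valid From:\s*(?P<nb>.+)\n\s*Valid Until:\s*(?P<na>.+)")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # the installer appends " UTC"
CertInfo = namedtuple("CertInfo", "subject issuer not_before not_after")

def is_root(c):
    return c.subject == c.issuer

def parse_listing(text):
    """Parse the listing in order, duplicates included."""
    certs = []
    for m in BLOCK_RE.finditer(text):
        nb, na = (datetime.strptime(m[k].strip().replace(" UTC", ""), DATE_FMT)
                  for k in ("nb", "na"))
        certs.append(CertInfo(m["subject"].strip(), m["issuer"].strip(), nb, na))
    return certs

def dedupe(certs):
    """Drop repeated entries (same subject, issuer, validity); first wins."""
    return list(dict.fromkeys(certs))

def classify(certs, now):
    """Map each subject to 'anchor', 'cross-signed', 'intermediate' or 'expired'
    as of `now` (datetime or ISO date). A CA seen both self-signed and signed by
    another root (COMODO RSA here) is cross-signed while both copies are valid
    and a plain anchor once the cross cert has expired."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    by_subject = {}
    for c in dedupe(certs):
        by_subject.setdefault(c.subject, []).append(c)
    roles = {}
    for subject, entries in by_subject.items():
        live = [c for c in entries if c.not_before <= now <= c.not_after]
        if not live:
            roles[subject] = "expired"
        elif all(map(is_root, live)):
            roles[subject] = "anchor"
        elif any(map(is_root, live)):
            roles[subject] = "cross-signed"
        else:
            roles[subject] = "intermediate"
    return roles

def certutil_commands(certs, now, realm, db="sql:/etc/pki/nssdb"):
    """One `certutil -A` line per CA besides the realm's own IPA CA: "C,," for
    anchors, ",," for intermediates; expired CAs and the cross-signed copy of a
    CA we also hold self-signed are skipped. The CN is the nickname; the
    /etc/ssl/certs/<CN_with_underscores>.pem path is an assumption."""
    roles = classify(certs, now)
    cmds = []
    for c in dedupe(certs):
        role = roles[c.subject]
        if c.subject == "CN=Certificate Authority,O=" + realm or role == "expired":
            continue
        if not is_root(c) and role != "intermediate":
            continue
        cn = re.match(r"CN=([^,]+)", c.subject).group(1)
        trust = ",," if role == "intermediate" else "C,,"
        cmds.append('certutil -A -n "%s" -t "%s" -i /etc/ssl/certs/%s.pem -d %s'
                    % (cn, trust, cn.replace(" ", "_"), db))
    return cmds
```

Feed it the real installer output with `certutil_commands(parse_listing(text), "2017-03-07", "ID.DOMAIN.COM")` and review the lines before running them; the date matters, because the AddTrust root (and with it the cross-signed COMODO copy) drops to "expired" after 2020-05-30, at which point only the self-signed COMODO root and the Domain Validation intermediate are worth importing.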

[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-03-07 Thread georgijsr
Hello, Timo!

Sorry, I forgot to mention the tested Ubuntu version in "What is expected".

"What is expected" ipa-client-install was tested on Ubuntu 16.04
clients, and it worked.

The problem is, that 3/4 of our server infrastructure is running Ubuntu
14.04.

We're planning to gradually move to 16.04, but for now, I just wanted to
know, if it is possible to use 3rd party certificates with FreeIPA and
Ubuntu 14.04 clients.

Status in freeipa package in Ubuntu:
  Incomplete


[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-03-07 Thread Timo Aaltonen
If you have /etc/ipa/ca.crt, try removing it and running ipa-client-install
again.

Status in freeipa package in Ubuntu:
  Incomplete

Bug description:
  What happened instead:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Using existing certificate 

[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-03-07 Thread Chris Gacsal
I have the same issue with FreeIPA deployment on Ubuntu 14.04.5 LTS. I
have FreeIPA 4.3.x on the server side with Let's Encrypt certificates
installed for HTTPS and LDAPS services.

Status in freeipa package in Ubuntu:
  Confirmed


[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-03-07 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

Status in freeipa package in Ubuntu:
  Confirmed
