
freeipa team mailing list archive

[Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

 

I have the same issue with a FreeIPA deployment on Ubuntu 14.04.5 LTS. I
have FreeIPA 4.3.x on the server side, with Let's Encrypt certificates
installed for the HTTPS and LDAPS services.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
  freeipa-client - Can't enroll a client if server has external CA certs
  in addition to self signed CA cert

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu version - Ubuntu 14.04.5 LTS
  freeipa-client package version - 3.3.4-0ubuntu3.1

  What is expected:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Discovery was successful!
  Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  User authorized to enroll computers: enroll.user
  Password for enroll.user@xxxxxxxxxxxxx:
  Successfully retrieved CA cert
      Subject:     CN=Certificate Authority,O=ID.DOMAIN.COM
      Issuer:      CN=Certificate Authority,O=ID.DOMAIN.COM
      Valid From:  Wed Oct 19 14:54:08 2016 UTC
      Valid Until: Sun Oct 19 14:54:08 2036 UTC

      Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Valid From:  Tue May 30 10:48:38 2000 UTC
      Valid Until: Sat May 30 10:48:38 2020 UTC

      Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Valid From:  Tue May 30 10:48:38 2000 UTC
      Valid Until: Sat May 30 10:48:38 2020 UTC

      Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Tue Jan 19 00:00:00 2010 UTC
      Valid Until: Mon Jan 18 23:59:59 2038 UTC

      Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Wed Feb 12 00:00:00 2014 UTC
      Valid Until: Sun Feb 11 23:59:59 2029 UTC

      Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Valid From:  Tue May 30 10:48:38 2000 UTC
      Valid Until: Sat May 30 10:48:38 2020 UTC

      Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Wed Feb 12 00:00:00 2014 UTC
      Valid Until: Sun Feb 11 23:59:59 2029 UTC

      Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      Valid From:  Tue Jan 19 00:00:00 2010 UTC
      Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured sudoers in /etc/nsswitch.conf
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  trying https://directory.id.domain.com/ipa/json
  Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
  Forwarding 'ca_is_enabled' to json server 'https://directory.id.domain.com/ipa/json'
  Systemwide CA database updated.
  Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
  Forwarding 'host_mod' to json server 'https://directory.id.domain.com/ipa/json'
  Could not update DNS SSHFP records.
  SSSD enabled
  Configured /etc/openldap/ldap.conf
  NTP enabled
  Configured /etc/ssh/ssh_config
  Configured /etc/ssh/sshd_config
  Configuring id.domain.com as NIS domain.
  Client configuration complete.

  What happened instead:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Using existing certificate '/etc/ipa/ca.crt'.
  Discovery was successful!
  Hostname: freeradius.id.domain.com
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory2.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  User authorized to enroll computers: enroll.user
  Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Password for enroll.user@xxxxxxxxxxxxx:
  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  cert validation failed for "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
  Connection to https://directory2.id.domain.com/ipa/xml failed with [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
  cert validation failed for "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
  Connection to https://directory.id.domain.com/ipa/xml failed with [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
  Cannot connect to the server due to generic error: cannot connect to 'Gettext('any of the configured servers', domain='ipa', localedir=None)': https://directory2.id.domain.com/ipa/xml, https://directory.id.domain.com/ipa/xml
  Installation failed. Rolling back changes.
  certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
  certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
  Unenrolling client from IPA server
  Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

  Removing Kerberos service principals from /etc/krb5.keytab
  Disabling client Kerberos and LDAP configurations
  Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
  SSSD service could not be stopped
  Restoring client configuration files
  nscd daemon is not installed, skip configuration
  nslcd daemon is not installed, skip configuration
  Client uninstall complete.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1635568/+subscriptions
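As an added illustration (not code from the bug report or from FreeIPA), the script below parses the Subject/Issuer listing that ipa-client-install printed in the expected run and walks issuer-to-subject links the way a trust check would, to show why the wildcard HTTPS certificate chains to a root only when the external CAs are in the bundle and not when /etc/ipa/ca.crt holds just the IPA CA. The wildcard certificate's issuer is not shown on the page; the COMODO DV CA is assumed here.

```python
import re

# Constructed sample: the Subject/Issuer lines from the "expected" run above
# (Valid From/Until lines and the duplicate entries dropped for brevity).
CA_LISTING = """
    Subject:     CN=Certificate Authority,O=ID.DOMAIN.COM
    Issuer:      CN=Certificate Authority,O=ID.DOMAIN.COM
    Subject:     CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Subject:     CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Subject:     CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer:      CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
"""

# The server's HTTPS certificate from the failing run. Its issuer is not on
# the page; the COMODO DV CA is an assumption made for this example.
LEAF_SUBJECT = "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated"
LEAF_ISSUER = ("CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,"
               "L=Salford,ST=Greater Manchester,C=GB")


def parse_listing(text):
    """Return (subject, issuer) pairs from ipa-client-install's CA listing."""
    pairs = re.findall(r"Subject:\s+(.+)\n\s*Issuer:\s+(.+)", text)
    return [(subj.strip(), issuer.strip()) for subj, issuer in pairs]


def build_chain(leaf_subject, leaf_issuer, trusted):
    """Follow issuer -> subject links through the trusted bundle until a
    self-signed root. Returns the list of subjects, or None when an issuer is
    missing from the bundle (what NSS reports as SEC_ERROR_UNTRUSTED_ISSUER)."""
    issuers_of = {}
    for subj, issuer in trusted:
        issuers_of.setdefault(subj, []).append(issuer)
    chain, current = [leaf_subject], leaf_issuer
    for _ in range(8):  # bounded walk; real chains are short
        if current not in issuers_of:
            return None
        chain.append(current)
        if current in issuers_of[current]:  # a self-signed copy exists: root reached
            return chain
        current = issuers_of[current][0]   # cross-signed only: climb one more step
    return None
```

Running build_chain against the full listing returns leaf, DV CA, COMODO RSA CA; against only the first (IPA CA) entry it returns None, which is the failing run's situation.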
