freeipa team mailing list archive
Message #00434
[Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
Hi Timo, Georgijs,
In our setup we use Let's Encrypt certificates for HTTPS/LDAPS and the
solution was to add the "DST Root CA X3" to NSS database at
"/etc/pki/nssdb". I used the following command to do it:
$ certutil -A -n "DST Root CA X3" -t "C,," -i /etc/ssl/certs/DST_Root_CA_X3.pem -d sql:/etc/pki/nssdb
The strange part of the story is that this is not necessary on Ubuntu 16.04
to have a successful ipa-client-install. Maybe the 4.x version of FreeIPA
has different method(s) for CA certificate retrieval or validation.
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568
Title:
freeipa-client - Can't enroll a client if server has external CA certs
in addition to self signed CA cert
Status in freeipa package in Ubuntu:
Incomplete
Bug description:
Ubuntu version - Ubuntu 14.04.5 LTS
freeipa-client package version - 3.3.4-0ubuntu3.1
What is expected:
root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
Discovery was successful!
Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
Realm: ID.DOMAIN.COM
DNS Domain: id.domain.com
IPA Server: directory.id.domain.com
BaseDN: dc=id,dc=domain,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: enroll.user
Password for enroll.user@xxxxxxxxxxxxx:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ID.DOMAIN.COM
Issuer: CN=Certificate Authority,O=ID.DOMAIN.COM
Valid From: Wed Oct 19 14:54:08 2016 UTC
Valid Until: Sun Oct 19 14:54:08 2036 UTC
Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Valid From: Tue May 30 10:48:38 2000 UTC
Valid Until: Sat May 30 10:48:38 2020 UTC
Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Valid From: Tue May 30 10:48:38 2000 UTC
Valid Until: Sat May 30 10:48:38 2020 UTC
Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid From: Tue Jan 19 00:00:00 2010 UTC
Valid Until: Mon Jan 18 23:59:59 2038 UTC
Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid From: Wed Feb 12 00:00:00 2014 UTC
Valid Until: Sun Feb 11 23:59:59 2029 UTC
Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Valid From: Tue May 30 10:48:38 2000 UTC
Valid Until: Sat May 30 10:48:38 2020 UTC
Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid From: Wed Feb 12 00:00:00 2014 UTC
Valid Until: Sun Feb 11 23:59:59 2029 UTC
Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Valid From: Tue Jan 19 00:00:00 2010 UTC
Valid Until: Mon Jan 18 23:59:59 2038 UTC
Enrolled in IPA realm ID.DOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
trying https://directory.id.domain.com/ipa/json
Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://directory.id.domain.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server 'https://directory.id.domain.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring id.domain.com as NIS domain.
Client configuration complete.
What happened instead:
root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Hostname: freeradius.id.domain.com
Realm: ID.DOMAIN.COM
DNS Domain: id.domain.com
IPA Server: directory2.id.domain.com
BaseDN: dc=id,dc=domain,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: enroll.user
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for enroll.user@xxxxxxxxxxxxx:
Enrolled in IPA realm ID.DOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
cert validation failed for "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Connection to https://directory2.id.domain.com/ipa/xml failed with [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
cert validation failed for "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Connection to https://directory.id.domain.com/ipa/xml failed with [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
Cannot connect to the server due to generic error: cannot connect to 'Gettext('any of the configured servers', domain='ipa', localedir=None)': https://directory2.id.domain.com/ipa/xml, https://directory.id.domain.com/ipa/xml
Installation failed. Rolling back changes.
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1635568/+subscriptions
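Added example (not part of the bug report, and not FreeIPA or NSS code): a simplified model of the trust decision behind SEC_ERROR_UNTRUSTED_ISSUER versus SEC_ERROR_UNKNOWN_ISSUER. It walks the server's chain against an NSS-style database in which each stored certificate carries certutil trust flags ("C,," style, first field = SSL trust). The DNs are constructed from the certificate listing above; the trust-flag values for the IPA CA and the idea that the intermediates were stored without trust bits are assumptions used to reproduce the failure, and trusting the AddTrust root is assumed to be the analogue, for the reporter's COMODO chain, of the DST Root CA X3 fix described in the reply.

```python
"""Model of the NSS trust walk that ipa-client-install ran into.

Simplified illustration only: real NSS also checks signatures, validity
dates, name constraints and revocation. Here a chain is accepted only when
it reaches a certificate stored in the database whose SSL trust field
contains 'C' (trusted CA) or 'T'. Certificates present without trust flags
(',,') do not end the walk, which is exactly why copying intermediates into
/etc/pki/nssdb is not enough and a trust anchor must be marked with -t "C,,".
"""

# Distinguished names constructed from the listing in the bug report.
IPA_CA = "CN=Certificate Authority,O=ID.DOMAIN.COM"
ADDTRUST = ("CN=AddTrust External CA Root,OU=AddTrust External TTP Network,"
            "O=AddTrust AB,C=SE")
COMODO_ROOT = ("CN=COMODO RSA Certification Authority,O=COMODO CA Limited,"
               "L=Salford,ST=Greater Manchester,C=GB")
COMODO_DV = ("CN=COMODO RSA Domain Validation Secure Server CA,"
             "O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB")
LEAF = "CN=*.id.domain.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated"

# subject -> issuer for every certificate the client can see
# (its own database plus the chain the HTTPS server sends).
KNOWN = {
    LEAF: COMODO_DV,
    COMODO_DV: COMODO_ROOT,
    COMODO_ROOT: ADDTRUST,   # cross-signed by AddTrust in this chain
    ADDTRUST: ADDTRUST,      # self-signed root
    IPA_CA: IPA_CA,          # self-signed IPA CA
}

# Assumed state of /etc/pki/nssdb on the failing client: the IPA CA is
# trusted, the external intermediates were stored with empty trust flags.
BUG_DB = {IPA_CA: "CT,C,C", COMODO_DV: ",,", COMODO_ROOT: ",,", ADDTRUST: ",,"}

# Same database after the external root was added with  certutil -t "C,,"
FIXED_DB = dict(BUG_DB, **{ADDTRUST: "C,,"})


def ssl_trust(flags):
    """First comma-separated field of a certutil trust string ('C,,' -> 'C')."""
    return flags.split(",")[0]


def verify_issuer_chain(leaf, known, db, max_hops=10):
    """Walk from leaf towards a trust anchor.

    known: subject -> issuer for all available certificates.
    db:    subject -> certutil trust flags for certificates in the NSS db.
    Returns ('ok', anchor_dn) or (nss_error_name, dn_where_the_walk_stopped).
    """
    subject = leaf
    for _ in range(max_hops):
        issuer = known.get(subject)
        if issuer is None or (issuer != subject and issuer not in known):
            # Nobody can produce the issuer certificate at all.
            return ("SEC_ERROR_UNKNOWN_ISSUER", subject)
        if ssl_trust(db.get(issuer, ",,")) in ("C", "CT", "TC", "T"):
            return ("ok", issuer)
        if issuer == subject:
            # Reached a self-signed certificate that carries no trust bit.
            return ("SEC_ERROR_UNTRUSTED_ISSUER", subject)
        subject = issuer
    return ("SEC_ERROR_UNKNOWN_ISSUER", subject)


if __name__ == "__main__":
    print("before fix:", verify_issuer_chain(LEAF, KNOWN, BUG_DB))
    print("after fix: ", verify_issuer_chain(LEAF, KNOWN, FIXED_DB))
```

Running it shows the walk climbing leaf, DV intermediate, COMODO root and AddTrust root without ever meeting a 'C' flag, hence the untrusted-issuer error, and terminating at the first trusted certificate once one anchor carries the flag (marking the COMODO root alone would also suffice, since the walk stops there). A quick check on a real client is `certutil -L -d sql:/etc/pki/nssdb`, where the trust attributes column should show the anchor with `C` in its first field.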