On Thu, Jul 13, 2017 at 09:57:04AM -0400, Mark Haney via FreeIPA-users wrote:
On 07/12/2017 08:34 PM, Fraser Tweedale wrote:
Which version(s) of FreeIPA?
ipa-server-4.4.0-14.el7.centos.7.x86_64
Which service(s) (HTTP, LDAP?).
HTTPS. I haven't checked LDAPS yet. It appears this is only related to HTTPS. To give a bit of backstory, the primary host [ipa0] was installed and configured a couple of months before I came on board here (which was in early April). One of my first tasks was to build a replica of ipa0 (wackily named ipa1) for redundancy.
What client program(s) were used to contact the servers? (The same client, or different?) Has the IPA CA cert been properly installed for the relevant clients / client systems?
I've not even tried to connect clients yet, this is solely related to the web browser complaining about the connection to the admin panel being insecure on ipa1, but not ipa0. ipa0 has a valid not self-signed wildcard cert on it. SO, either the process I used to build the replica and get it synced was incorrect, or the process doesn't include valid non-self-signed HTTPS certs. That's where I'm at now.
OK, I think I understand.
ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been set up with a certificate issued by the IPA CA, which your browser does not trust.
There are two ways forward here:
1. You can use ipa-server-certinstall to install a 3rd-party (i.e. not issued by the IPA CA but by a CA trusted by clients - including browsers - in your organisation) certificate for the HTTP service. This seems to be how ipa0 is set up so you might want to do that for consistency.
2. Add the IPA CA certificate to your browser as a trusted CA. If you need all clients (including users' browsers) in your organisation to trust certs issued by your FreeIPA CA, then you need to work out how to push the IPA CA out to all of them, or you need to chain the IPA CA to a CA that they already trust (e.g. organisations with Active Directory often chain their IPA CA up to the AD CA).
HTH, Fraser
Can you show us the good / bad certs?
There are a lot of things to check when diagnosing PKI problems!
Thanks, Fraser
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney@neonova.net
www.neonova.net