SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello,
>
> I have run the tool on an environment where I’ve installed my own
> certificate for HTTPS (following this tutorial:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP),
> and it complains when it finds the root certificate of my certificate:
>
> # python2 ipa-checkcerts.py
> ipa: INFO: IPA version 4.6.4-10.el7
> IPA version 4.6.4-10.el7
> ipa: INFO: Check CA status
> Check CA status
> ipa: INFO: Check tracking
> Check tracking
> ipa: INFO: Check NSS trust
> Check NSS trust
> Traceback (most recent call last):
>   File "ipa-checkcerts.py", line 931, in <module>
>     sys.exit(c.run())
>   File "ipa-checkcerts.py", line 190, in run
>     self.check_trust()
>   File "ipa-checkcerts.py", line 439, in check_trust
>     expected = expected_trust[nickname]
> KeyError: 'ICC-root'
>
> Is this normal?
No, I don't think I ever tested this scenario. I'll take a look.
I did confirm it also fails if you install CA-less.
I reproduced the error and worked around it. It should work now.
rob
> Because I have tried to add a RHEL 6 client and I get the error:
>
> " Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
> Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
> Valid From: Mon Jan 30 10:52:18 2017 UTC
> Valid Until: Fri Jan 30 10:52:18 2037 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction. Peer certificate cannot be authenticated with known CA
> certificates"it is by design to provide
Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
rob