On Tue, May 28, 2019 at 04:37:25PM -0000, Khurrum Maqb via FreeIPA-users wrote:
> Thanks!
> So on the IPA server that is listed in the client's /etc/ipa/default file I ran:
> # openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem /var/kerberos/krb5kdc/kdc.crt
> /var/kerberos/krb5kdc/kdc.crt: O = DOMAIN.COM, CN = ipa-server.do.ma.in
> error 18 at 0 depth lookup:self signed certificate
> OK
This should not be self-signed but signed by the IPA CA to make
Smartcard authentication and PKINIT work.
What is the output of
ipa pkinit-status
and
ipa-pkinit-manage status
on the servers?
bye,
Sumit
>
> Is that the command that you had in mind? It looks like it's OK.
>
> Also as Florence Blanc-Renaud suggested, I ran the `ipa-advise
> config-server-for-smart-card-auth > config.sh` command and ran it on all the IPA
> servers with the third-party external CA certs, and they ran successfully. Thanks
> Florence! I did not see any change after that. The only thing I hadn't done was change
> the Server-Cert permissions. The kinit command still fails with the DH verification error
> on the client even though the ticket is issued.
>
> I also added a CNAME for the OCSP server listed in the cert and pointed it to a real
> working IPA server instead of a retired one.
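Added example (not from the thread or the FreeIPA project): a small POSIX sh script that builds a throwaway CA and two KDC certificates, one issued by that CA and one self-signed, and classifies each against the CA bundle the way the openssl verify check quoted above does. Every name in it (EXAMPLE.TEST, kdc.example.test, the temp-dir file names) is a constructed placeholder; on a real server the inputs are /var/lib/ipa-client/pki/kdc-ca-bundle.pem and /var/kerberos/krb5kdc/kdc.crt as in the quoted command.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA plus two KDC certs in a
# temp dir and classify each against the CA bundle, mirroring the check above.
# All names (EXAMPLE.TEST, kdc.example.test) are constructed placeholders.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generates: kdc-ca-bundle.pem (the CA), kdc-signed.crt (issued by that CA, the
# state PKINIT needs) and kdc-self.crt (self-signed, the state seen in the thread).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=EXAMPLE.TEST/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/kdc-ca-bundle.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.TEST/CN=kdc.example.test" \
    -keyout "$WORK/kdc.key" -out "$WORK/kdc.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/kdc.csr" \
    -CA "$WORK/kdc-ca-bundle.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/kdc-signed.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=EXAMPLE.TEST/CN=kdc.example.test" \
    -keyout "$WORK/kdc-self.key" -out "$WORK/kdc-self.crt" >/dev/null 2>&1
}

# kdc_cert_status BUNDLE CERT
# Prints one of: ca-signed (chains to the bundle), self-signed (issuer equals
# subject, which is what "error 18 ... self signed certificate" means), or
# untrusted (some other issuer, not in the bundle). Returns 0 only for ca-signed.
kdc_cert_status() {
  bundle=$1
  cert=$2
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  subject=$(openssl x509 -in "$cert" -noout -subject)
  # Strip the "issuer="/"subject=" labels; the remaining DN text is formatted
  # identically by any one OpenSSL release, so a plain string compare is enough.
  if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
    echo self-signed
    return 1
  fi
  if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo ca-signed
    return 0
  fi
  echo untrusted
  return 1
}

# Usage: build the test PKI and report both certificates.
make_test_pki
for crt in kdc-signed.crt kdc-self.crt; do
  status=$(kdc_cert_status "$WORK/kdc-ca-bundle.pem" "$WORK/$crt") || true
  printf '%-16s %s\n' "$crt" "$status"
done
```

The function compares issuer with subject before trusting the exit code of openssl verify, because older releases print OK after the error line, as the quoted output shows, so the exit status alone is not a reliable signal there. A kdc.crt reported as self-signed is exactly the case Sumit describes: it has to be reissued by the IPA CA before PKINIT and smart-card logins can work.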