Hello,

I have run the tool on an environment where I’ve installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:

# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
  File "ipa-checkcerts.py", line 931, in <module>
    sys.exit(c.run())
  File "ipa-checkcerts.py", line 190, in run
    self.check_trust()
  File "ipa-checkcerts.py", line 439, in check_trust
    expected = expected_trust[nickname]
KeyError: 'ICC-root'

Is this normal?

Because I have tried to add a RHEL 6 client and I get the error:

" Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TESTAD.LOCAL
    Issuer:      CN=Certificate Authority,O=IPA.TESTAD.LOCAL
    Valid From:  Mon Jan 30 10:52:18 2017 UTC
    Valid Until: Fri Jan 30 10:52:18 2037 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates"

Thanks & Regards.