On Tue, May 28, 2019 at 08:27:41PM -0000, Khurrum Maqb via FreeIPA-users wrote:
Oh I see. I misunderstood the result.
# ipa pkinit-status
-----------------
4 servers matched
-----------------
Server name: server1.dom.ain
PKINIT status: enabled
Server name: server2.dom.ain
PKINIT status: enabled
Server name: server3.dom.ain
PKINIT status: enabled
Server name: server4.dom.ain
PKINIT status: enabled
----------------------------
Number of entries returned 4
----------------------------
And on all four:
# ipa-pkinit-manage status
PKINIT is enabled
The ipa-pkinit-manage command was successful
Can you check with
openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
on the servers if the certificates are self-signed (subject and issuer
are the same) or not?
bye,
Sumit
>
> And a new thing today -- none of my clients are able to enroll or unenroll to/from
> IPA showing the same error. I think it happened after running the script generated by
> ipa-advise config-server-for-smart-card-auth
>
> Authentication > Certificate Authorities is showing:
>
> cannot connect to 'https://server[X].dom.ain:443/ca/rest/account/login':
> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
>
> 907 RPC failed at server. cannot connect. Certificate issuance failed CA_UNREACHABLE.
> SSL: SSL_HANDSHAKE_FAILURE.
>
> I believe the only change was:
>
> certutil -M -n 'Server-Cert' -d "/etc/httpd/alias" -f
> /etc/httpd/alias/pwdfile.txt -t "Pu,u,u"?
>
> The output is:
>
> # certutil -d "/etc/httpd/alias" -L
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> DSTRootCAX3 C,,
> ABC Operational CA 0 CT,C,C
> Server-Cert Pu,u,u
> DOMAIN IPA CA CT,C,C
> letsencryptx3 C,,
> ABC2 CA CT,C,C
> ABC3 CA CT,C,C
>
> This was working until very recently. I wonder if this is related to whatever is
> causing the PKINIT failure.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
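The check Sumit asks for above, scripted so it can be run against all four servers at once. This is an added example, not code from the thread or from FreeIPA: it assumes root ssh access to each server, the default KDC certificate path /var/kerberos/krb5kdc/kdc.crt, and the issuer=/subject= line format printed by `openssl x509 -issuer -subject -noout` (both the OpenSSL 1.0 "issuer= /C=..." and the 1.1 "issuer=C = ..." spellings are accepted). A certificate whose issuer equals its subject is reported as self-signed; anything else as CA-signed.

```shell
#!/bin/sh
# Added example (not part of the original thread): report, for each IPA
# server, whether its KDC certificate is self-signed (issuer == subject).
# Assumptions: passwordless root ssh to every server and the default
# KDC certificate path below.

KDC_CERT=/var/kerberos/krb5kdc/kdc.crt

# classify_cert_output TEXT
#   TEXT is the two-line output of `openssl x509 -issuer -subject -noout`.
#   Prints "self-signed", "ca-signed" or "unparseable".
classify_cert_output() {
    # Strip the "issuer=" / "subject=" prefixes and any following blank.
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer= *//p')
    subject=$(printf '%s\n' "$1" | sed -n 's/^subject= *//p')
    if [ -z "$issuer" ] || [ -z "$subject" ]; then
        echo "unparseable"
    elif [ "$issuer" = "$subject" ]; then
        echo "self-signed"
    else
        echo "ca-signed"
    fi
}

# check_server HOST
#   Fetches issuer and subject of the KDC certificate over ssh and prints
#   "HOST: <classification>". Returns 1 if the file cannot be read.
check_server() {
    host=$1
    out=$(ssh "root@$host" openssl x509 -in "$KDC_CERT" -issuer -subject -noout 2>/dev/null) || {
        printf '%s: cannot read %s\n' "$host" "$KDC_CERT"
        return 1
    }
    printf '%s: %s\n' "$host" "$(classify_cert_output "$out")"
}

# Usage: sh check_kdc_certs.sh server1.dom.ain server2.dom.ain ...
main() {
    rc=0
    for s in "$@"; do
        check_server "$s" || rc=1
    done
    return $rc
}

main "$@"
```

If a server comes back "self-signed" while the others are signed by the IPA CA, that server's KDC certificate will not chain to the CA the clients trust for PKINIT, which is the mismatch Sumit is trying to rule in or out.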