Hi folks,
its always worth reading the code.
ipa-client-install of freeipa 3.0.2 uses
wget http://ipa1.example.de/ipa/config/ca.crt
to grab the CA certificate. It seems that ipa-cacert-manage (CentOS 7.3) did not upgrade /usr/share/ipa/html/ca.crt on the servers when I migrated to the new root CA. Would anybody mind to fix?
Thanx very much Harri
On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote:
Hi folks,
a few months ago I had replaced the externally signed root certificate on my servers (CentOS 7.3) using ipa-cacert-manage. Problem:
ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy, freeipa 3.0.2) fails. Apparently it stumbles over the old root certificate:
# ipa-client-install --domain=example.de --realm=EXAMPLE.DE --no-ssh --no-sshd --no-ntp Discovery was successful! Hostname: pobde7i001.vs.example.de Realm: EXAMPLE.DE DNS Domain: example.de IPA Server: ipa1.example.de BaseDN: dc=example,dc=de
Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Synchronizing time with KDC... Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. Password for admin@EXAMPLE.DE: Enrolled in IPA realm EXAMPLE.DE Created /etc/ipa/default.conf Domain example.de is already configured in existing SSSD config, creating a new one. The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm EXAMPLE.DE trying https://ipa1.example.de/ipa/xml cert validation failed for "CN=ipa1.example.de,O=example AG,C=DE" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) trying https://ipa2.example.de/ipa/xml cert validation failed for "CN=ipa2.example.de,O=example AG,C=DE" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) Cannot connect to the server due to generic error: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.de/ipa/xml, https://ipa2.example.de/ipa/xml Installation failed. Rolling back changes.
/etc/ipa/ca.crt on the client shows it somehow picked up the old certificate. On the servers /etc/ipa/ca.crt is the new root cert. "getcert list" on the servers shows only certificates based upon the new root ca, too. I wonder where ipa-client-install picked up the unwanted certificate?
Of course I tried putting the new ca.crt into place before running ipa-client-install, but it was overwritten.
Of course there is no such problem for ipa 4.4.4 on Stretch.
Every heplful hint is highly appreciated Harri _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org