6:23 p.m.
I have recently been looking to authenticate Linux hosts with our FreeIPA server. I use a
containerized FreeIPA server behind a Nginx Proxy Manager reverse proxy. I disable
anonymous binding and forward all the LDAP and kerberos ports freeipa uses over streams
through NPM.
This has worked well for general usage and LDAP binding so far, but when I try to install
the client with ipa-client-install I get the following error:
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm MYREALM.NET
cannot connect to 'https://freeipa.myrealm.net/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer
certificate (_ssl.c:1123)
I do not get the same issue connecting directly to a fresh docker instance that is not
behind Nginx Proxy Manager, but it occurs again when I try to put a reverse proxy in front
of the server. The realm gets created, but the final configuration fails.
What I assume is happening is that there is a mismatch between the SSL certificate used by
LDAP/Kerberos and the one used over https, but I'm not totally sure. The debug
information is sparse.
The debug logs say the following:
failed to find session_cookie in persistent storage for principal
'host/client.myrealm.net(a)MYREALM.NET'
trying https://freeipa.myrealm.net/ipa/json
Created connection context.rpcclient_140023518613568
[try 1]: Forwarding 'schema' to json server
'https://freeipa.myrealm.net/ipa/json'
HTTP connection destroyed (freeipa.myrealm.net)
I tried the --ca-cert-file flag, passing in the server's self-signed certificate, but
that did not work either. Neither did installing it in the ca-certificates directory. Is
there a way for me either pre-emptively install the certificate? Or am I going to need to
definitely use the same non-self-signed certificate for the reverse proxy and the actual
IPA server?
Some additional things I've tried:
- Updating & Upgrading
- Using the server's self-signed certificate in NPM (gives a self-signed cert error)
- Using no certificate in NPM (gives the sam self-signed error)
- Using the name of the Freeipa host machine (connects, but a cert for the hostname
isn't found)
8:02 p.m.
New subject: Freeipa Client fails with "CERTIFICATE_VERIFY_FAILED" when FreeIPA is behind a reverse proxy.
An update: I was using the wrong certificate on my reverse proxy. Using the same http
certificate *works* but is not ideal.
For anyone else, here are the self-signed cert and key locations:
- Certificate: /data/var/lib/ipa/certs/httpd.crt
- Encrypted key file: /data/var/lib/ipa/private/httpd.key
- Password for key file: /var/lib/ipa/passwds/freeipa.mydomain.net-443-RSA
Sokal in the #freeipa IRC chat pointed me in the right direction, it seems I need to
rewrite some headers with advanced configuration in NPM:
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
819
days inactive
819
days old
freeipa-users@lists.fedorahosted.org
1 comments
1 participants
participants (1)
-
Scion