Hi! I use freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 on Ubuntu 18.04.4 LTS
I installed freeipa-server in default mode (ipa-server-install). Now I try to change the certificate to Comodo as written in this article: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

My steps:

1. ipa-cacert-manage -p 'password' -n COMODO -t C,, install addtrustexternalcaroot2.crt

Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

2. ipa-server-certinstall -w -d /home/xattab/ldap_comodo.key ldap_comodo.pem -vvv

I get this error:

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'dbm:/tmp/tmpPsRUhs', '-V', '-n', 'CN=ldap.soft2bet.com', '-u', 'V', '-f', '/tmp/tmpPsRUhs/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 113, in run
    self.install_dirsrv_cert()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 139, in install_dirsrv_cert
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 291, in import_cert
    self.check_chain(pkcs12_file.name, pin, cdb)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", line 277, in check_chain
    "to install the CA certificate." % str(e))
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
How to fix it ? Can anybody help me ))) ?
On 2/21/20 5:56 PM, dmitriys via FreeIPA-users wrote:
> Hi! I use freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 on Ubuntu 18.04.4 LTS
> I installed freeipa-serve in default mode ( ipa-server-install ) Now i try change certificate on Comodo as write in this article https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> my steps:
> 1 ipa-cacert-manage -p 'password' -n COMODO -t C,, install addtrustexternalcaroot2.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
Hi, Looks like you forgot the ipa-certupdate step.
HTH, flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
When I execute ipa-certupdate I get this:

ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: KerberosError: No valid Negotiate header in server response
ipapython.admintool: ERROR: No valid Negotiate header in server response
ipapython.admintool: ERROR: The ipa-certupdate command failed.
On 2/22/20 12:40 AM, dmitriys via FreeIPA-users wrote:
> When execute ipa-certupdate get this :
>
> ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: KerberosError: No valid Negotiate header in server response
> ipapython.admintool: ERROR: No valid Negotiate header in server response
> ipapython.admintool: ERROR: The ipa-certupdate command failed.
Hi,
are you able to get a Kerberos ticket and use ipa * commands? For instance:
kinit admin
ipa ping
If this is not working, please have a look at the logs in /var/log/httpd/error_log. This error may happen when the gssproxy service is not running or misconfigured.
HTH, flo
Hi! After your advice I did this:

# kinit admin
# ipa ping
IPA server version 4.6.90.pre1+git20180411. API version 2.229
# ipa-cacert-manage -p 'Q*password' -n COMODO -t C,, install /home/addtrustexternalcaroot2.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
# ipa-certupdate
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140600762419792
ipapython.admintool: INFO: The ipa-certupdate command was successful
# ipa-server-certinstall -w -d /home/ldap_soft2bet_com.key /home/ldap_comodo.pem
ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
On Mon, 24 Feb 2020, dmitriys via FreeIPA-users wrote:
> Hi ! After you advice i did this :
> # kinit admin
> # ipa ping
> IPA server version 4.6.90.pre1+git20180411. API version 2.229
> # ipa-cacert-manage -p 'Q*password' -n COMODO -t C,, install /home/addtrustexternalcaroot2.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
> # ipa-certupdate
> ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
> ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140600762419792
> ipapython.admintool: INFO: The ipa-certupdate command was successful
> # ipa-server-certinstall -w -d /home/ldap_soft2bet_com.key /home/ldap_comodo.pem
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, exception: ScriptError: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
> ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
I think your primary issue is that on Ubuntu and Debian systems there is no backend to handle system-wide certificate store in FreeIPA. This is tracked by https://pagure.io/freeipa/issue/8106 and there is a pull request https://github.com/freeipa/freeipa/pull/4102 that attempts to add such support but Debian's way of adding certificates to a cert store is not able to work with what IPA tools supply to it. Please see the ticket and the PR to gain more knowledge about it.
Hi! I rebuilt my server; now I use Centos 8. I installed freeipa:
# ipa-server-install
and try to change the self-signed certificate to Comodo. My steps:
- get root CA from gogetssl.com
- ipa-cacert-manage -p password -n ARAX -t C,, install /root/ca.crt
- ipa-certupdate
- ipa-server-certinstall -w -d /root/httpd_arax.key /root/httpd_arax.crt
and here I get an error:
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.

How can I fix it?
dmitriys via FreeIPA-users wrote:
> Hi! I rebuild my server now I use Centos 8 I installed freeipa :
> # ipa-server-install
> and try to change self sign certificate on Comodo. My steps:
> - get root CA from gogetssl.com
> - ipa-cacert-manage -p password -n ARAX -t C,, install /root/ca.crt
> - ipa-certupdate
> - ipa-server-certinstall -w -d /root/httpd_arax.key /root/httpd_arax.crt
> and here i get an error
> Directory Manager password:
> Enter private key unlock password:
> Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
> The ipa-server-certinstall command failed.
> How i can fix it ?
You need the entire CA chain and not just the root. You're likely missing one or more subordinates. Find those and install them the same way using ipa-cacert-manage.
rob
Thank you your advice helped me)
Hi!
I have the same issue with another Centos 8 server. I use the CA which I used successfully on the previous server, but here I get an error after
ipa-cacert-manage -p 'password' -n ARAX -t C,, install /home/xattab/ca.crt

Installing CA certificate, please wait
Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
Here is bigger log
[root@ldap ~]# ipa-cacert-manage -v -p 'password' -n ARAX -t C,, install /home/xattab/ca.crt
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipapython.admintool: DEBUG: Not logging to a file
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.backend: DEBUG: Created connection context.ldap2_140342569266424
Installing CA certificate, please wait
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-ARAXIO-TECH.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fa40c6c4e48>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmp09481fcb', '-N', '-f', '/tmp/tmp09481fcb/pwdfile.txt', '-@', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/cert9.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/cert9.db
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/key4.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/key4.db
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/pkcs11.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/pkcs11.txt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/pwdfile.txt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-A', '-n', 'CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', '-t', ',,', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB ,,

ipapython.ipautil: DEBUG: stderr=
ipaserver.install.ipa_cacert_manage: DEBUG: loaded raw certs '(('CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', TrustFlags(has_key=False, trusted=None, ca=None, usages=frozenset())),)'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-n', 'CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-D', '-n', 'CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-A', '-n', 'ARAX', '-t', 'C,,', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ARAX C,,

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-A', '-n', 'ARAXIO.TECH IPA CA', '-t', 'CT,C,C', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-M', '-n', 'ARAX', '-t', 'C,,', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-n', 'ARAX', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-V', '-n', 'ARAX', '-u', 'L', '-e', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
ipapython.ipautil: DEBUG: stderr=
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140342569266424
ipapython.admintool: DEBUG:   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cacert_manage.py", line 130, in run
    return self.install()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cacert_manage.py", line 426, in install
    "troubleshooting guide)" % e)
ipapython.admintool: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
ipapython.admintool: ERROR: Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
ipapython.admintool: ERROR: The ipa-cacert-manage command failed.
Why i get this error ?
dmitriys via FreeIPA-users wrote:
> Hi!
> Have the same issue with another Centos 8 server I use CA witch i used successful on privius server But here i get error after
> ipa-cacert-manage -p 'password' -n ARAX -t C,, install /home/xattab/ca.crt
> Installing CA certificate, please wait
> Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
You must be missing part of the CA chain.
rob
Here is bigger log
[root@ldap ~]# ipa-cacert-manage -v -p 'password' -n ARAX -t C,, install /home/xattab/ca.crt ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ipapython.admintool: DEBUG: Not logging to a file ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins... ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule ipalib.plugable: DEBUG: importing plugin module 
ipaserver.plugins.hbacsvc ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2 ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module ipalib.plugable: DEBUG: importing plugin 
module ipaserver.plugins.radiusproxy ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver ipalib.backend: DEBUG: Created connection context.ldap2_140342569266424 
Installing CA certificate, please wait
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-ARAXIO-TECH.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fa40c6c4e48>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', '/tmp/tmp09481fcb', '-N', '-f', '/tmp/tmp09481fcb/pwdfile.txt', '-@', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/cert9.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/cert9.db
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/key4.db']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/key4.db
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/pkcs11.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/pkcs11.txt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/sbin/restorecon', '-F', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Warning no default label for /tmp/tmp09481fcb/pwdfile.txt
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-A', '-n', 'CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', '-t', ',,', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB ,,
ipapython.ipautil: DEBUG: stderr=
ipaserver.install.ipa_cacert_manage: DEBUG: loaded raw certs '(('CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', TrustFlags(has_key=False, trusted=None, ca=None, usages=frozenset())),)'
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-n', 'CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-D', '-n', 'CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-A', '-n', 'ARAX', '-t', 'C,,', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
ARAX C,,
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-A', '-n', 'ARAXIO.TECH IPA CA', '-t', 'CT,C,C', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-M', '-n', 'ARAX', '-t', 'C,,', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-L', '-n', 'ARAX', '-a', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmp09481fcb', '-V', '-n', 'ARAX', '-u', 'L', '-e', '-f', '/tmp/tmp09481fcb/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=certutil: certificate is invalid: Peer's Certificate issuer is not recognized.
ipapython.ipautil: DEBUG: stderr=
ipalib.backend: DEBUG: Destroyed connection context.ldap2_140342569266424
ipapython.admintool: DEBUG:   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cacert_manage.py", line 130, in run
    return self.install()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cacert_manage.py", line 426, in install
    "troubleshooting guide)" % e)
ipapython.admintool: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
ipapython.admintool: ERROR: Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
ipapython.admintool: ERROR: The ipa-cacert-manage command failed.
Why do I get this error?