Hello,
I have run the tool on an environment where I've installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal? Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
Thanks & Regards.
SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
I have run the tool on an environment where I’ve installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal?
No, I don't think I ever tested this scenario. I'll take a look.
I did confirm it also fails if you install CA-less.
Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
rob
Rob Crittenden via FreeIPA-users wrote:
Is this normal?
No, I don't think I ever tested this scenario. I'll take a look.
I did confirm it also fails if you install CA-less.
I reproduced the error and worked around it. It should work now.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
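An added illustration of the check that crashed above and of the "not found, assuming 3rd party" behaviour the workaround introduced. This is example code written for this page, not code from ipa-checkcerts.py or FreeIPA: it parses a certutil -L listing, compares each known nickname's trust flags with an expected-trust table, and reports nicknames that are not in the table as third-party instead of raising KeyError. The listing and the EXPECTED_TRUST table are constructed for the example (the nicknames follow the ones posted later in the thread).

```python
"""Trust check over a `certutil -L` listing that tolerates third-party CAs.

Added example; not code from ipa-checkcerts.py or FreeIPA. The listing and
the expected-trust table are constructed for illustration.
"""
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias/` output.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX CTu,Cu,Cu
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,
ICC-Inter                                                    C,,
"""

# Assumed expected trust for the nicknames the check knows about. Anything
# not listed here is treated as a third-party certificate the admin added.
EXPECTED_TRUST = {
    "Signing-Cert": "u,u,u",
    "CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX": "u,u,u",
    "IPA.TESTAD.LOCAL IPA CA": "CT,C,C",
}

# A data line is "<nickname> <ssl>,<email>,<objsign>" built from NSS flag letters.
LINE_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")


def parse_certutil_listing(text):
    """Map nickname -> trust flags; header and blank lines do not match LINE_RE."""
    certs = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            certs[match.group("nick")] = match.group("flags")
    return certs


def normalize_flags(flags):
    """Order the letters within each field so 'TC,C,C' and 'CT,C,C' compare equal."""
    return ",".join("".join(sorted(field)) for field in flags.split(","))


def check_trust(certs, expected_trust):
    """Return (failures, third_party, missing).

    failures:    [(nickname, actual_flags, expected_flags)] for known nicknames
                 whose trust differs from the table
    third_party: nicknames absent from the table; reported instead of crashing
                 (the original check did expected_trust[nickname] here and
                 raised KeyError on 'ICC-root')
    missing:     expected nicknames absent from the database
    """
    failures, third_party = [], []
    for nickname, flags in certs.items():
        if nickname not in expected_trust:
            third_party.append(nickname)
            continue
        if normalize_flags(flags) != normalize_flags(expected_trust[nickname]):
            failures.append((nickname, flags, expected_trust[nickname]))
    missing = [nick for nick in expected_trust if nick not in certs]
    return failures, third_party, missing


if __name__ == "__main__":
    certs = parse_certutil_listing(SAMPLE_CERTUTIL_OUTPUT)
    failures, third_party, missing = check_trust(certs, EXPECTED_TRUST)
    for nick in third_party:
        print("%s not found, assuming 3rd party" % nick)
    for nick, actual, expected in failures:
        print("Trust for %s is %s, expected %s" % (nick, actual, expected))
    for nick in missing:
        print("Expected certificate %s is missing" % nick)
```

Run against the constructed listing it reports ICC-root and ICC-Inter as third party and flags the server certificate, whose "CTu,Cu,Cu" flags (the value the masterGOOD listing in this thread shows) mark it as trusted to issue certificates, not just as a server identity with a private key ("u,u,u").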
Hello,
Now it works and it shows the real problem I have. I have 2 masters; I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but one of them has some problems:
[root@masterWRONG ~]# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Check dates
Check dates
ipa: INFO: Checking certificates in CS.cfg
Checking certificates in CS.cfg
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Comparing certificates to requests in LDAP
Comparing certificates to requests in LDAP
ipa: INFO: Checking RA certificate
Checking RA certificate
ipa: INFO: Checking authorities
Checking authorities
ipa: INFO: Checking host keytab
Checking host keytab
ipa: INFO: Validating certificates
Validating certificates
ipa: INFO: Checking renewal master
Checking renewal master
ipa: INFO: End-to-end cert API test
End-to-end cert API test
ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ipa: INFO: Checking permissions and ownership
Checking permissions and ownership
ipa: INFO: Failures:
Failures:
ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
ipa: INFO: Warnings:
Warnings:
ipa: INFO: Unknown certmonger ids: 20170817094736
Unknown certmonger ids: 20170817094736
The certificates it complains about:
[root@masterGOOD ~]# ipa cert-show 2
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Jan 30 10:52:18 2017 UTC
  Not After: Sun Jan 20 10:52:18 2019 UTC
  Serial number: 2
  Serial number (hex): 0x2
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 7
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Jan 30 10:53:02 2017 UTC
  Not After: Sun Jan 20 10:53:02 2019 UTC
  Serial number: 7
  Serial number (hex): 0x7
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304389
  Issuing CA: ipa
  Certificate: MIID....
  Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:24:20 2018 UTC
  Not After: Sun Dec 13 07:24:20 2020 UTC
  Serial number: 268304389
  Serial number (hex): 0xFFE0005
  Revoked: False
On the other master I get:
[root@masterGOOD ~]# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Check dates
Check dates
ipa: INFO: Checking certificates in CS.cfg
Checking certificates in CS.cfg
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Comparing certificates to requests in LDAP
Comparing certificates to requests in LDAP
ipa: INFO: Checking RA certificate
Checking RA certificate
ipa: INFO: Checking authorities
Checking authorities
ipa: INFO: Checking host keytab
Checking host keytab
ipa: INFO: Validating certificates
Validating certificates
ipa: INFO: Checking renewal master
Checking renewal master
ipa: INFO: End-to-end cert API test
End-to-end cert API test
ipa: INFO: Checking permissions and ownership
Checking permissions and ownership
ipa: INFO: Failures:
Failures:
ipa: INFO: Unable to find request for serial 268304389
Unable to find request for serial 268304389
ipa: INFO: Unable to find request for serial 268304388
Unable to find request for serial 268304388
ipa: INFO: Unable to find request for serial 268304391
Unable to find request for serial 268304391
ipa: INFO: Unable to find request for serial 268304390
Unable to find request for serial 268304390
ipa: INFO: Unable to find request for serial 268304392
Unable to find request for serial 268304392
ipa: INFO: Warnings:
Warnings:
ipa: INFO: Unknown certmonger ids: 20170817101613
Unknown certmonger ids: 20170817101613
The serials correspond to the following certs:
[root@masterGOOD ~]# ipa cert-show 268304389
  Issuing CA: ipa
  Certificate: MI....
  Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:24:20 2018 UTC
  Not After: Sun Dec 13 07:24:20 2020 UTC
  Serial number: 268304389
  Serial number (hex): 0xFFE0005
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304388
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=CA Audit,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:25:10 2018 UTC
  Not After: Sun Dec 13 07:25:10 2020 UTC
  Serial number: 268304388
  Serial number (hex): 0xFFE0004
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304391
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:25:00 2018 UTC
  Not After: Sun Dec 13 07:25:00 2020 UTC
  Serial number: 268304391
  Serial number (hex): 0xFFE0007
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304390
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=CA Subsystem,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:24:41 2018 UTC
  Not After: Sun Dec 13 07:24:41 2020 UTC
  Serial number: 268304390
  Serial number (hex): 0xFFE0006
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304392
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=masterGOOD.ipa.testad.local,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Tue Dec 25 07:24:07 2018 UTC
  Not After: Mon Dec 14 07:24:07 2020 UTC
  Serial number: 268304392
  Serial number (hex): 0xFFE0008
  Revoked: False
I've checked that the following files are different on the 2 masters:
/var/lib/ipa/ra-agent.key
/var/lib/ipa/ra-agent.pem
It has been renewed on masterGOOD but not on masterWRONG:
[root@masterWRONG ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
        Serial Number: 7 (0x7)
            Not Before: Jan 30 10:53:02 2017 GMT
            Not After : Jan 20 10:53:02 2019 GMT
[root@masterGOOD ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
        Serial Number: 268304389 (0xffe0005)
            Not Before: Dec 24 07:24:20 2018 GMT
            Not After : Dec 13 07:24:20 2020 GMT
When I execute "ipa cert-show" on masterWRONG I get the following error:
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
I have added a RHEL 7 client to the domain, but I cannot add RHEL 6 clients. The CA master was masterWRONG and I have changed it to masterGOOD with the procedure explained at https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, but I still cannot add RHEL 6 clients to the domain.
How can I fix the issue? Is that happening because I changed the auto-signed HTTP certificate to a 3rd party certificate?
Thanks & Regards.
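An added worked example of the comparison made by hand in the message above; it is example code written for this page, not code from ipa-checkcerts.py or FreeIPA. It parses the RA agent "description" value the tool quotes from LDAP ("version;serial;issuerDN;subjectDN"), reads the serial and expiry of each master's /var/lib/ipa/ra-agent.pem from the openssl text output posted above, and reports which master still holds a certificate the CA no longer expects. The LDAP description and the openssl output are the values posted in the thread; CHECK_DATE (the date of the report) is an assumption.

```python
"""Compare each master's RA agent certificate with the record in LDAP.

Added example; not code from ipa-checkcerts.py or FreeIPA. The LDAP
description and the openssl output are the values posted in the thread;
CHECK_DATE is an assumption.
"""
import re
from datetime import datetime

# From the tool's failure message: the IPA RA user's description in LDAP,
# in the form "version;serial;issuerDN;subjectDN".
LDAP_RA_DESCRIPTION = (
    "2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;"
    "CN=IPA RA,O=IPA.TESTAD.LOCAL"
)

# `openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"`
# on each master, as posted.
OPENSSL_OUTPUT = {
    "masterWRONG": """\
        Serial Number: 7 (0x7)
            Not Before: Jan 30 10:53:02 2017 GMT
            Not After : Jan 20 10:53:02 2019 GMT
""",
    "masterGOOD": """\
        Serial Number: 268304389 (0xffe0005)
            Not Before: Dec 24 07:24:20 2018 GMT
            Not After : Dec 13 07:24:20 2020 GMT
""",
}

CHECK_DATE = datetime(2019, 1, 9, 15, 21)  # assumption: when the report was posted


def parse_ra_description(desc):
    """Split 'version;serial;issuer;subject'. The DNs contain commas but no
    ';', so a plain split with maxsplit=3 is safe."""
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def parse_openssl_text(text):
    """Return (serial, not_after) from the egrep'd openssl text output.
    Only the decimal 'Serial Number: N (0x..)' form is handled, which is
    what openssl prints for serials that fit in a long, as in the thread."""
    serial = int(re.search(r"Serial Number:\s*(\d+)", text).group(1))
    when = re.search(r"Not After\s*:\s*(.+?)\s+GMT\s*$", text, re.M).group(1)
    return serial, datetime.strptime(when, "%b %d %H:%M:%S %Y")


def check_ra_agent(masters, ldap_desc, check_date):
    """For each master: local RA serial, whether it is the serial the CA
    expects (LDAP), and days of validity left at check_date."""
    expected = parse_ra_description(ldap_desc)
    report = {}
    for name, text in masters.items():
        serial, not_after = parse_openssl_text(text)
        report[name] = {
            "serial": serial,
            "matches_ldap": serial == expected["serial"],
            "days_left": (not_after - check_date).days,
        }
    return report


def stale_masters(report):
    """Masters whose ra-agent.pem does not match LDAP. These fail CA
    operations with 'Invalid Credential' until the renewed key/cert pair
    is in place."""
    return sorted(name for name, r in report.items() if not r["matches_ldap"])


if __name__ == "__main__":
    report = check_ra_agent(OPENSSL_OUTPUT, LDAP_RA_DESCRIPTION, CHECK_DATE)
    for name, r in sorted(report.items()):
        print("%-12s serial=%-10d matches_ldap=%-5s days_left=%d"
              % (name, r["serial"], r["matches_ldap"], r["days_left"]))
    print("stale:", stale_masters(report))
```

On the posted values this names masterWRONG as stale: its copy still carries serial 7 (with 10 days of validity left on the check date) while LDAP expects 268304389, which is exactly why CA requests from that master are rejected as "Invalid Credential".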
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: Thursday, January 03, 2019 21:22
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
It has been renewed on masterGOOD but not on masterWRONG:
You can manually copy ra-agent.key and ra-agent.pem from masterGOOD to masterWRONG (make a backup first of the files on masterWRONG). This should solve the 'ipa cert-show' issue on masterWRONG.
I have added a RHEL 7 client to the domain, but I cannot add RHEL 6 clients. The CA master was masterWRONG and I have changed it to masterGOOD with the procedure explained at https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, but I still cannot add RHEL 6 clients to the domain.
Which error do you see when trying to add a RHEL6 client to the domain? Please provide ipaclient-install.log.
HTH, flo
Ipa cert-show is working now after copying the certificates, thanks.
The error I get is: Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
I have attached the full log with debug enabled; it complains about the certificate added for HTTP:
* About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
*   Trying 192.168.107.171...
* Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org'   <---------------- this CA was added by me because it is the CA of the cert for HTTPD
* NSS error -8172
* Expire cleared
* Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:
The certificates I have:
[root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                                  Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI
Signing-Cert                                                          u,u,u
CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u    <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                               CT,C,C
ICC-root                                                              C,,      <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me)
ICC-Inter                                                             C,,      <--- CA I added for CN=masterWRONG.ipa.testad.local (added by me)
[root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                                  Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI
CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX  CTu,Cu,Cu <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                               CT,C,C
ICC-root                                                              C,,      <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me)
ICC-Inter                                                             C,,      <--- CA I added for CN=masterGOOD.ipa.testad.local (added by me)
Thanks & Regards.
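An added example of triaging the client-side failure shown above; it is example code written for this page, not FreeIPA code. The RHEL 6 client's libcurl is built against NSS and validated the server certificate only against the CAfile it printed (/etc/ipa/ca.crt); the HTTP certificate is issued by the third-party CA, so NSS returned -8172, which is SEC_ERROR_UNTRUSTED_ISSUER. The function pulls the host, CAfile, issuer DN and NSS error code out of an ipaclient-install debug log and turns the error code into a plain diagnosis. The log excerpt is constructed from the lines posted above; the NSS error table covers only the three codes listed.

```python
"""Triage the TLS failure from an ipa-client-install debug log.

Added example; not FreeIPA code. The log excerpt is constructed from the
lines posted in the thread; the NSS error table covers only the codes
named here.
"""
import re

# Constructed from the curl debug lines posted in the thread.
SAMPLE_LOG = """\
* About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
*   Trying 192.168.107.171...
* Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org'
* NSS error -8172
* Expire cleared
* Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
"""

# NSS error codes a curl-with-NSS client reports for chain failures.
NSS_ERRORS = {
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
}

PATTERNS = {
    "host": re.compile(r"Connected to (\S+) \("),
    "cafile": re.compile(r"CAfile:\s*(\S+)"),
    "issuer": re.compile(r"untrusted issuer: '([^']+)'"),
    "nss_error": re.compile(r"NSS error (-?\d+)"),
}


def diagnose(found):
    """Map the NSS code to a name and a one-line reading of the failure."""
    code = found["nss_error"]
    if code is None:
        return None
    name = NSS_ERRORS.get(code, "unrecognised NSS error")
    if code in (-8172, -8179):
        return ("%s: the client validated %s's certificate only against %s, "
                "and the issuer %r is not trusted there. The CA chain of the "
                "third-party HTTP certificate has to be in the bundle the "
                "client uses (the route this thread points to is "
                "ipa-cacert-manage install followed by ipa-certupdate)."
                % (name, found["host"], found["cafile"], found["issuer"]))
    if code == -8181:
        return "%s: the server certificate on %s has expired." % (name, found["host"])
    return "%s (%d) while talking to %s." % (name, code, found["host"])


def triage_join_log(log_text):
    """Return host, cafile, issuer, nss_error and a diagnosis (None when no
    NSS error is present). The first match of each pattern wins."""
    found = {key: None for key in PATTERNS}
    for line in log_text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and found[key] is None:
                found[key] = match.group(1)
    if found["nss_error"] is not None:
        found["nss_error"] = int(found["nss_error"])
    found["diagnosis"] = diagnose(found)
    return found


if __name__ == "__main__":
    result = triage_join_log(SAMPLE_LOG)
    for key in ("host", "cafile", "issuer", "nss_error"):
        print("%-10s %s" % (key, result[key]))
    print(result["diagnosis"])
```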
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Thursday, January 10, 2019 10:03
To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Rob Crittenden rcritten@redhat.com
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
Now it works and it shows the real problem I have. I have 2 master, I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but I one of them has som problems: [root@masterWRONG ~]# python2 ipa-checkcerts.py ipa: INFO: IPA version 4.6.4-10.el7 IPA version 4.6.4-10.el7 ipa: INFO: Check CA status Check CA status ipa: INFO: Check tracking Check tracking ipa: INFO: Check NSS trust Check NSS trust ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Check dates Check dates ipa: INFO: Checking certificates in CS.cfg Checking certificates in CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Comparing certificates to requests in LDAP Comparing certificates to requests in LDAP ipa: INFO: Checking RA certificate Checking RA certificate ipa: INFO: Checking authorities Checking authorities ipa: INFO: Checking host keytab Checking host keytab ipa: INFO: Validating certificates Validating certificates ipa: INFO: Checking renewal master Checking renewal master ipa: INFO: End-to-end cert API test End-to-end cert API test ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) 
cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ipa: INFO: Warnings: Warnings: ipa: INFO: Unknown certmonger ids: 20170817094736 Unknown certmonger ids: 20170817094736
The certificates that complains: [root@masterGOOD ~]# ipa cert-show 2 Issuing CA: ipa Certificate: MII.... Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Jan 30 10:52:18 2017 UTC Not After: Sun Jan 20 10:52:18 2019 UTC Serial number: 2 Serial number (hex): 0x2 Revoked: False [root@masterGOOD ~]# ipa cert-show 7 Issuing CA: ipa Certificate: MII.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Jan 30 10:53:02 2017 UTC Not After: Sun Jan 20 10:53:02 2019 UTC Serial number: 7 Serial number (hex): 0x7 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304389 Issuing CA: ipa Certificate: MIID.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:20 2018 UTC Not After: Sun Dec 13 07:24:20 2020 UTC Serial number: 268304389 Serial number (hex): 0xFFE0005 Revoked: False
On the other master I get: [root@masterGOOD ~]# python2 ipa-checkcerts.py ipa: INFO: IPA version 4.6.4-10.el7 IPA version 4.6.4-10.el7 ipa: INFO: Check CA status Check CA status ipa: INFO: Check tracking Check tracking ipa: INFO: Check NSS trust Check NSS trust ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Check dates Check dates ipa: INFO: Checking certificates in CS.cfg Checking certificates in CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Comparing certificates to requests in LDAP Comparing certificates to requests in LDAP ipa: INFO: Checking RA certificate Checking RA certificate ipa: INFO: Checking authorities Checking authorities ipa: INFO: Checking host keytab Checking host keytab ipa: INFO: Validating certificates Validating certificates ipa: INFO: Checking renewal master Checking renewal master ipa: INFO: End-to-end cert API test End-to-end cert API test ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304389 Unable to find request for serial 268304389 ipa: INFO: Unable to find request for serial 268304388 Unable to find request for serial 268304388 ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304390 Unable to find request for serial 268304390 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Warnings: Warnings: ipa: INFO: Unknown certmonger ids: 20170817101613 Unknown certmonger ids: 20170817101613
Where the serials correspond to the following certs:
[root@masterGOOD ~]# ipa cert-show 268304389
  Issuing CA: ipa
  Certificate: MI....
  Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:24:20 2018 UTC
  Not After: Sun Dec 13 07:24:20 2020 UTC
  Serial number: 268304389
  Serial number (hex): 0xFFE0005
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304388
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=CA Audit,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:25:10 2018 UTC
  Not After: Sun Dec 13 07:25:10 2020 UTC
  Serial number: 268304388
  Serial number (hex): 0xFFE0004
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304391
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:25:00 2018 UTC
  Not After: Sun Dec 13 07:25:00 2020 UTC
  Serial number: 268304391
  Serial number (hex): 0xFFE0007
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304390
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=CA Subsystem,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Mon Dec 24 07:24:41 2018 UTC
  Not After: Sun Dec 13 07:24:41 2020 UTC
  Serial number: 268304390
  Serial number (hex): 0xFFE0006
  Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304392
  Issuing CA: ipa
  Certificate: MII....
  Subject: CN=masterGOOD.ipa.testad.local,O=IPA.TESTAD.LOCAL
  Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
  Not Before: Tue Dec 25 07:24:07 2018 UTC
  Not After: Mon Dec 14 07:24:07 2020 UTC
  Serial number: 268304392
  Serial number (hex): 0xFFE0008
  Revoked: False
I've checked that the following files are different on the 2 masters:
/var/lib/ipa/ra-agent.key
/var/lib/ipa/ra-agent.pem
It has been renewed on masterGOOD but not on masterWRONG:
You can manually copy ra-agent.key and ra-agent.pem from masterGOOD to masterWRONG (make a backup first of the files on masterWRONG). This should solve the 'ipa cert-show' issue on masterWRONG.
[root@masterWRONG ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
        Serial Number: 7 (0x7)
            Not Before: Jan 30 10:53:02 2017 GMT
            Not After : Jan 20 10:53:02 2019 GMT
[root@masterGOOD ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
        Serial Number: 268304389 (0xffe0005)
            Not Before: Dec 24 07:24:20 2018 GMT
            Not After : Dec 13 07:24:20 2020 GMT
When I execute "ipa cert-show" on masterWRONG I get the following error:
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
I have added a RHEL 7 client to the domain, but I can not add RHEL 6 clients. The CA master was masterWRONG and I have changed it to masterGOOD with the procedure explained on https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master, but I still can not add RHEL 6 clients to the domain.
Which error do you see when trying to add a RHEL6 client to the domain? Please provide ipaclient-install.log.
HTH, flo
How can I fix the issue? Is that happening because I changed the auto-signed HTTP certificate to a 3rd party certificate?
Thanks & Regards.
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: Thursday, January 03, 2019 21:22
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
Rob Crittenden via FreeIPA-users wrote:
SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
I have run the tool on an environment where I've installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal?
No, I don't think I ever tested this scenario. I'll take a look.
I did confirm it also fails if you install CA-less.
I reproduced the error and worked around it. It should work now.
rob
Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
it is by design to provide
Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
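The traceback quoted above died on a plain dictionary lookup, expected_trust[nickname], for a nickname the tool had no entry for (ICC-root, a CA the administrator added). The block below is an added example, not code from ipa-checkcerts.py, showing the tolerant form of that NSS trust check over a constructed certutil -L listing modelled on the one Miguel posted: unknown nicknames are reported as "not found, assuming 3rd party" and the run continues. The EXPECTED_TRUST table, the handling of the httpd certificate nickname and the "u in the SSL group" rule are assumptions made for this example, not the real tool's tables.

```python
"""Tolerant NSS trust check over `certutil -L` output (added example)."""
import re

# Assumed expected trust flags for the nicknames IPA itself manages in the
# httpd NSS database. Illustrative only; the real tool's table is not shown
# in the thread.
EXPECTED_TRUST = {
    "IPA.TESTAD.LOCAL IPA CA": "CT,C,C",
    "Signing-Cert": "u,u,u",
}

# Constructed sample of `certutil -L -d /etc/httpd/alias/` output, modelled on
# the masterWRONG listing in the thread (annotations removed).
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,
ICC-Inter                                                    C,,
"""

# One certutil line: a nickname (which may contain spaces), whitespace, then
# the trust string: three comma-separated groups of flag letters, each group
# possibly empty (for example "C,," or "u,u,u").
LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_listing(text):
    """Return [(nickname, trust_flags), ...] in listing order.

    Header lines and blank lines never match LINE_RE (no trust string at the
    end of the line), so they are skipped without special casing.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries


def check_trust(entries, expected, server_nick=None):
    """Compare each nickname's trust flags with the expected table.

    Returns (failures, warnings). A nickname absent from `expected` becomes a
    warning and is skipped; an unguarded expected[nick] here is exactly the
    lookup that raised KeyError: 'ICC-root' in the thread.
    """
    failures, warnings = [], []
    for nick, trust in entries:
        if nick == server_nick:
            # httpd's own certificate: only require that the private key is
            # present ("u" in the SSL group); CA flags on it are the admin's
            # choice (assumption for this example).
            if "u" not in trust.split(",")[0]:
                failures.append("%s: no private key (trust '%s')" % (nick, trust))
            continue
        if nick not in expected:
            warnings.append("%s not found, assuming 3rd party" % nick)
            continue
        if trust != expected[nick]:
            failures.append("%s: trust is '%s', expected '%s'"
                            % (nick, trust, expected[nick]))
    return failures, warnings


def run_check(text, server_nick):
    """Parse a certutil listing and check it; server_nick is the nickname
    httpd is configured to present (taken from the server config in reality)."""
    return check_trust(parse_certutil_listing(text), EXPECTED_TRUST, server_nick)


if __name__ == "__main__":
    srv = "CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX"
    failures, warnings = run_check(CERTUTIL_OUTPUT, srv)
    for line in warnings:
        print(line)
    print("Failures:", failures or "none")
```

Run against the constructed listing it prints the two "assuming 3rd party" lines and no failures, matching the output of the fixed tool in the thread; a wrong flag on the IPA CA or a server certificate without its private key shows up under failures instead of crashing the run.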
On 1/10/19 3:24 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Ipa cert-show is working now after copying the certificates, thanks.
The error I get is: Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
I have attached the full log with debug enabled, it complains about the certificate added for HTTP:
* About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
*   Trying 192.168.107.171...
* Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
What is the content of /etc/ipa/ca.crt on the client? I suspect it only contains the cert for "IPA.TESTAD.LOCAL IPA CA". IIRC correctly, RHEL 6 clients download the cert from cn=CAcert,cn=ipa,cn=etc,$BASEDN (and this entry contains only IPA CA, not the external CAs).
To work around the issue, you can do the following:
1. copy /etc/ipa/ca.crt from the master to the client as /tmp/ipa.crt (the file should contain the IPA CA + ICC-root + ICC-Inter).
2. enroll the client by providing --ca-cert-file=/tmp/ipa.crt
HTH, flo
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org'   <---------------- this CA was added by me because it is the CA of the cert for HTTPD
* NSS error -8172
* Expire cleared
* Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:
The certificates I have:
[root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u   <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,     <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me)
ICC-Inter                                                    C,,     <--- CA of CN=masterWRONG.ipa.testad.local (added by me)

[root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX CTu,Cu,Cu   <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,     <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me)
ICC-Inter                                                    C,,     <--- CA of CN=masterGOOD.ipa.testad.local (added by me)
Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Thursday, January 10, 2019 10:03
To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Rob Crittenden rcritten@redhat.com
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
Now it works and it shows the real problem I have. I have 2 masters; I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but one of them has some problems:
[root@masterWRONG ~]# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Check dates
Check dates
ipa: INFO: Checking certificates in CS.cfg
Checking certificates in CS.cfg
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Comparing certificates to requests in LDAP
Comparing certificates to requests in LDAP
ipa: INFO: Checking RA certificate
Checking RA certificate
ipa: INFO: Checking authorities
Checking authorities
ipa: INFO: Checking host keytab
Checking host keytab
ipa: INFO: Validating certificates
Validating certificates
ipa: INFO: Checking renewal master
Checking renewal master
ipa: INFO: End-to-end cert API test
End-to-end cert API test
ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ipa: INFO: Checking permissions and ownership
Checking permissions and ownership
ipa: INFO: Failures:
Failures:
ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
ipa: INFO: Warnings:
Warnings:
ipa: INFO: Unknown certmonger ids: 20170817094736
Unknown certmonger ids: 20170817094736
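Florence's diagnosis above (the RHEL 6 client's /etc/ipa/ca.crt holds only the IPA CA, so libcurl/NSS cannot chain the third-party httpd certificate to anything it trusts; NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER) comes down to certificate path building, and the install log in the thread confirms it: ipa-join keeps reading "CAfile: /etc/ipa/ca.crt", which is why overwriting that file with the masters' copy worked. The block below is an added example, not FreeIPA, NSS or curl code: certificates are reduced to (subject, issuer) names constructed from the thread (the ICC-root subject is an assumption, only its nickname is on the page), no signatures are checked, and it also covers a case the thread does not exercise, the server sending its intermediate so that the client file only needs the root.

```python
"""Why the RHEL 6 client rejects the master's HTTPS certificate (added example)."""
from collections import namedtuple

# A certificate reduced to the two names path building uses. No keys and no
# signatures: this models the issuer lookup, not the cryptography.
Cert = namedtuple("Cert", "subject issuer")

MAX_DEPTH = 8  # guard against malformed or looping chains

# Names constructed from the thread. The ICC-root subject is an assumption.
IPA_CA = Cert("CN=Certificate Authority,O=IPA.TESTAD.LOCAL",
              "CN=Certificate Authority,O=IPA.TESTAD.LOCAL")
ICC_ROOT = Cert("CN=ICC-root (assumed subject)", "CN=ICC-root (assumed subject)")
ICC_INTER = Cert("CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org",
                 ICC_ROOT.subject)
HTTPD_CERT = Cert("CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX",
                  ICC_INTER.subject)

# /etc/ipa/ca.crt as the RHEL 6 client fetched it from LDAP (IPA CA only) and
# as it exists on the masters (IPA CA + ICC-Inter + ICC-root).
CLIENT_CA_FILE = [IPA_CA]
MASTER_CA_FILE = [IPA_CA, ICC_INTER, ICC_ROOT]


def verify_chain(leaf, ca_file, presented=()):
    """Follow issuer names from `leaf` until a certificate in `ca_file` is hit.

    Every certificate in `ca_file` counts as a trust anchor, which is how a
    CAfile is treated; `presented` holds extra certificates the server sent
    with the leaf. Returns (ok, path, untrusted_issuer): `path` lists the
    subjects walked and `untrusted_issuer` names the issuer that could not
    be found when verification fails.
    """
    trusted = {c.subject for c in ca_file}
    extra = {c.subject: c for c in presented}
    path = [leaf.subject]
    current = leaf
    for _ in range(MAX_DEPTH):
        if current.issuer in trusted:
            path.append(current.issuer)
            return True, path, None
        nxt = extra.get(current.issuer)
        if nxt is None or nxt.subject in path:
            # Nothing left to chain to: NSS reports this as
            # SEC_ERROR_UNTRUSTED_ISSUER (-8172), the error in the log.
            return False, path, current.issuer
        path.append(nxt.subject)
        current = nxt
    return False, path, current.issuer


def curl_style_message(leaf, ca_file, presented=()):
    """Render the result the way the ipaclient-install.log lines read."""
    ok, path, missing = verify_chain(leaf, ca_file, presented)
    if ok:
        return "Certificate chain verified: " + " -> ".join(path)
    return "Certificate is signed by an untrusted issuer: '%s'" % missing


if __name__ == "__main__":
    print("client file:", curl_style_message(HTTPD_CERT, CLIENT_CA_FILE))
    print("master file:", curl_style_message(HTTPD_CERT, MASTER_CA_FILE))
    print("root only, server sends intermediate:",
          curl_style_message(HTTPD_CERT, [IPA_CA, ICC_ROOT], presented=[ICC_INTER]))
```

With the client's file the walk stops at the first issuer, which is the "untrusted issuer" name the log prints; with the masters' file it stops at ICC-Inter, since a CAfile entry is an anchor in its own right. The third case shows the minimum a client needs when the server presents the intermediate itself: the root alone.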
You are right, on the client /etc/ipa/ca.crt has just the IPA CA, but on the servers it has 3 certificates:
- IPA CA
- ICC-inter
- ICC-root
The workaround didn't work, even though it seems to read the new file:
2019-01-11T10:28:35Z DEBUG trying to retrieve CA cert from file /tmp/ipa.crt
2019-01-11T10:28:35Z DEBUG CA cert provided by user, use it!
2019-01-11T10:28:36Z DEBUG args=/usr/sbin/ipa-join -s masterGOOD.ipa.testad.local -b dc=ipa,dc=testad,dc=local -d -h client.svc.company.org
But finally I got the same result:
* About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
*   Trying 192.168.107.171...
* Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'CN=COMPANY - Secure Server CA 1 - G2,DC=svs,DC=unicc,DC=org'
* NSS error -8172
* Expire cleared
* Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-11T10:28:36Z ERROR Joining realm failed: XML-RPC CALL:
Anyway, I have overwritten /etc/ipa/ca.crt with the file from the masters and then the installation was OK.
Now I just want to know:
1) can I do something to fix the problem permanently, so that I do not have to copy the certificate to all new RHEL 6 servers before installing the client?
2) whether the problem was caused by my installing the certificates wrongly. Can you please let me know the correct way?
3) whether it is a bug. Has it been fixed in newer releases, or is it planned for future releases?
Thank you very much.
On 1/10/19 3:24 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Ipa cert-show is working now after copying the certificates, thanks.
The error I get is: Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
I have attached the full log with debug enabled, it complains about the certificate added for HTTP:
- About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
- Trying 192.168.107.171... * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/ipa/ca.crt
What is the content of /etc/ipa/ca.crt on the client? I suspect it only contains the cert for "IPA.TESTAD.LOCAL IPA CA". IIRC correctly, RHEL 6 clients download the cert from cn=CAcert,cn=ipa,cn=etc,$BASEDN (and this entry contains only IPA CA, not the external CAs).
To workaround the issue, you can do the following: 1. copy /etc/ipa/ca.crt from the master to the client on /tmp/ipa.crt (the file should contain the IPA CA + ICC-root + ICC-Inter). 2. enroll the client by providing --ca-cert-file=/tmp/ipa.crt
HTH, flo
CApath: none
- Certificate is signed by an untrusted issuer: 'CN=company - Secure
Server CA 1 - G2,DC=svs,DC=company,DC=org' <---------------- this CA was added by me because is the CA of the cert for HTTPD
- NSS error -8172
- Expire cleared
- Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:
The certificates I have: [root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u <------- the one I added it IPA.TESTAD.LOCAL IPA CA CT,C,C ICC-root C,, <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me) ICC-Inter C,, <--- CA added of CN=masterWRONG.ipa.testad.local (added by me)
[root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX CTu,Cu,Cu <------- the one I added it IPA.TESTAD.LOCAL IPA CA CT,C,C ICC-root C,, <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me) ICC-Inter C,, <--- CA added of CN=masterGOOD.ipa.testad.local (added by me)
Thanks & Regards.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Thursday, January 10, 2019 10:03 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Rob Crittenden rcritten@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
Now it works and it shows the real problem I have. I have 2 master, I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but I one of them has som problems: [root@masterWRONG ~]# python2 ipa-checkcerts.py ipa: INFO: IPA version 4.6.4-10.el7 IPA version 4.6.4-10.el7 ipa: INFO: Check CA status Check CA status ipa: INFO: Check tracking Check tracking ipa: INFO: Check NSS trust Check NSS trust ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Check dates Check dates ipa: INFO: Checking certificates in CS.cfg Checking certificates in CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Comparing certificates to requests in LDAP Comparing certificates to requests in LDAP ipa: INFO: Checking RA certificate Checking RA certificate ipa: INFO: Checking authorities Checking authorities ipa: INFO: Checking host keytab Checking host keytab ipa: INFO: Validating certificates Validating certificates ipa: INFO: Checking renewal master Checking renewal master ipa: INFO: End-to-end cert API test End-to-end cert API test ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) 
cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ipa: INFO: Warnings: Warnings: ipa: INFO: Unknown certmonger ids: 20170817094736 Unknown certmonger ids: 20170817094736
The certificates that complains: [root@masterGOOD ~]# ipa cert-show 2 Issuing CA: ipa Certificate: MII.... Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Jan 30 10:52:18 2017 UTC Not After: Sun Jan 20 10:52:18 2019 UTC Serial number: 2 Serial number (hex): 0x2 Revoked: False [root@masterGOOD ~]# ipa cert-show 7 Issuing CA: ipa Certificate: MII.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Jan 30 10:53:02 2017 UTC Not After: Sun Jan 20 10:53:02 2019 UTC Serial number: 7 Serial number (hex): 0x7 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304389 Issuing CA: ipa Certificate: MIID.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:20 2018 UTC Not After: Sun Dec 13 07:24:20 2020 UTC Serial number: 268304389 Serial number (hex): 0xFFE0005 Revoked: False
On the other master I get: [root@masterGOOD ~]# python2 ipa-checkcerts.py ipa: INFO: IPA version 4.6.4-10.el7 IPA version 4.6.4-10.el7 ipa: INFO: Check CA status Check CA status ipa: INFO: Check tracking Check tracking ipa: INFO: Check NSS trust Check NSS trust ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Check dates Check dates ipa: INFO: Checking certificates in CS.cfg Checking certificates in CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Comparing certificates to requests in LDAP Comparing certificates to requests in LDAP ipa: INFO: Checking RA certificate Checking RA certificate ipa: INFO: Checking authorities Checking authorities ipa: INFO: Checking host keytab Checking host keytab ipa: INFO: Validating certificates Validating certificates ipa: INFO: Checking renewal master Checking renewal master ipa: INFO: End-to-end cert API test End-to-end cert API test ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304389 Unable to find request for serial 268304389 ipa: INFO: Unable to find request for serial 268304388 Unable to find request for serial 268304388 ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304390 Unable to find request for serial 268304390 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Warnings: Warnings: ipa: INFO: Unknown certmonger ids: 20170817101613 Unknown certmonger ids: 20170817101613
Where the serials correspond the following certs: [root@masterGOOD ~]# ipa cert-show 268304389 Issuing CA: ipa Certificate: MI.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:20 2018 UTC Not After: Sun Dec 13 07:24:20 2020 UTC Serial number: 268304389 Serial number (hex): 0xFFE0005 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304388 Issuing CA: ipa Certificate: MII.... Subject: CN=CA Audit,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:25:10 2018 UTC Not After: Sun Dec 13 07:25:10 2020 UTC Serial number: 268304388 Serial number (hex): 0xFFE0004 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304391 Issuing CA: ipa Certificate: MII.... Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:25:00 2018 UTC Not After: Sun Dec 13 07:25:00 2020 UTC Serial number: 268304391 Serial number (hex): 0xFFE0007 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304390 Issuing CA: ipa Certificate: MII.... Subject: CN=CA Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:41 2018 UTC Not After: Sun Dec 13 07:24:41 2020 UTC Serial number: 268304390 Serial number (hex): 0xFFE0006 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304392 Issuing CA: ipa Certificate: MII.... Subject: CN=masterGOOD.ipa.testad.local,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Tue Dec 25 07:24:07 2018 UTC Not After: Mon Dec 14 07:24:07 2020 UTC Serial number: 268304392 Serial number (hex): 0xFFE0008 Revoked: False
I've checked that the following files are different on the 2 masters: /var/lib/ipa/ra-agent.key /var/lib/ipa/ra-agent.pem
It has been renewed on masterGOOD but not on masterWRONG:
You can manually copy ra-agent.key and ra-agent.pem from masterGOOD to masterWRONG (make a backup first of the files on masterWRONG). This should solve the 'ipa cert-show' issue on masterWRONG.
[root@masterWRONG ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not" Serial Number: 7 (0x7) Not Before: Jan 30 10:53:02 2017 GMT Not After : Jan 20 10:53:02 2019 GMT [root@masterGOOD ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not" Serial Number: 268304389 (0xffe0005) Not Before: Dec 24 07:24:20 2018 GMT Not After : Dec 13 07:24:20 2020 GMT When I execute "ipa cert-show" on masterWRONG I get the following error: ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
I have added a RHEL 7 client to the domain, but I can not add RHEL 6 clients. The CA master was masterWRONG and I have changed to masterGOOD with the procedure explained on https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Mast e r But it still can not add RHEL 6 on the domain.
Which error do you see when trying to add a RHEL6 client to the domain? Please provide ipaclient-install.log.
HTH, flo
How can I fix the issue? Is that happening because I changed the auto-signed HTTP certificate to a 3rd party certificate?
Thanks & Regards.
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: Thursday, January 03, 2019 21:22
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
Rob Crittenden via FreeIPA-users wrote:
SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
I have run the tool on an environment where I've installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when it finds the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal?
No, I don't think I ever tested this scenario. I'll take a look.
I did confirm it also fails if you install CA-less.
I reproduced the error and worked around it. It should work now.
rob
Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
it is by design to provide
Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
On 1/11/19 12:12 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
You are right, on the client /etc/ipa/ca.crt has just the IPA CA, but on the servers it has 3 certificates:
- IPA CA
- ICC-inter
- ICC-root
The workaround didn't work, although it seems that it reads the new file:
2019-01-11T10:28:35Z DEBUG trying to retrieve CA cert from file /tmp/ipa.crt
2019-01-11T10:28:35Z DEBUG CA cert provided by user, use it!
2019-01-11T10:28:36Z DEBUG args=/usr/sbin/ipa-join -s masterGOOD.ipa.testad.local -b dc=ipa,dc=testad,dc=local -d -h client.svc.company.org
But finally I got the same result:
- About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
- Trying 192.168.107.171... * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/ipa/ca.crt CApath: none
- Certificate is signed by an untrusted issuer: 'CN=COMPANY - Secure Server CA 1 - G2,DC=svs,DC=unicc,DC=org'
- NSS error -8172
- Expire cleared
- Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-11T10:28:36Z ERROR Joining realm failed: XML-RPC CALL:
Anyway, I have overwritten /etc/ipa/ca.crt with the file from the masters and then the installation was OK.
Now I just want to know:
- can I do something to fix the problem permanently, so that I don't have to copy the certificate to every new RHEL 6 server before installing the client?
- whether the problem was caused because I installed the certificates wrongly. Can you please let me know the correct way?
- whether it is a bug. Has it been fixed in newer releases, or is it planned for future releases?
Hi,
This behavior is a limitation of RHEL 6, please see the note in "Managing certificates and certificate authorities" in the IdM guide for RHEL 6 [1]:
---
Using more than one certificate authority (CA) signing certificate within your IdM environment is not supported in Red Hat Enterprise Linux 6. To support this configuration, upgrade your IdM systems to Red Hat Enterprise Linux 7.
---
This has been solved in RHEL 7, and RHEL 7 clients are able to enroll even if multiple CAs are defined (IPA CA and the CA for the apache/ldap certs).
Hope this clarifies, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...
Thank you very much.
On 1/10/19 3:24 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Ipa cert-show is working now after copying the certificates, thanks.
The error I get is: Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
I have attached the full log with debug enabled, it complains about the certificate added for HTTP:
- About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
- Trying 192.168.107.171... * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/ipa/ca.crt
What is the content of /etc/ipa/ca.crt on the client? I suspect it only contains the cert for "IPA.TESTAD.LOCAL IPA CA". If I recall correctly, RHEL 6 clients download the cert from cn=CAcert,cn=ipa,cn=etc,$BASEDN (and this entry contains only IPA CA, not the external CAs).
To work around the issue, you can do the following:
- copy /etc/ipa/ca.crt from the master to the client as /tmp/ipa.crt (the file should contain the IPA CA + ICC-root + ICC-Inter).
- enroll the client by providing --ca-cert-file=/tmp/ipa.crt
HTH, flo
CApath: none
- Certificate is signed by an untrusted issuer: 'CN=company - Secure Server CA 1 - G2,DC=svs,DC=company,DC=org' <---------------- this CA was added by me because it is the CA of the cert for HTTPD
- NSS error -8172
- Expire cleared
- Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:
The certificates I have:
[root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                                  Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI
Signing-Cert                                                          u,u,u
CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u   <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                               CT,C,C
ICC-root                                                              C,,     <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me)
ICC-Inter                                                             C,,     <--- CA added of CN=masterWRONG.ipa.testad.local (added by me)
[root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                                  Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI
CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX  CTu,Cu,Cu <------- the one I added
IPA.TESTAD.LOCAL IPA CA                                               CT,C,C
ICC-root                                                              C,,       <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me)
ICC-Inter                                                             C,,       <--- CA added of CN=masterGOOD.ipa.testad.local (added by me)
Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Thursday, January 10, 2019 10:03
To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Rob Crittenden rcritten@redhat.com
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
Now it works and it shows the real problem I have. I have 2 masters; I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but one of them has some problems:
[root@masterWRONG ~]# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Check dates
Check dates
ipa: INFO: Checking certificates in CS.cfg
Checking certificates in CS.cfg
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Comparing certificates to requests in LDAP
Comparing certificates to requests in LDAP
ipa: INFO: Checking RA certificate
Checking RA certificate
ipa: INFO: Checking authorities
Checking authorities
ipa: INFO: Checking host keytab
Checking host keytab
ipa: INFO: Validating certificates
Validating certificates
ipa: INFO: Checking renewal master
Checking renewal master
ipa: INFO: End-to-end cert API test
End-to-end cert API test
ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ipa: INFO: Checking permissions and ownership
Checking permissions and ownership
ipa: INFO: Failures:
Failures:
ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected
ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
ipa: INFO: Warnings:
Warnings:
ipa: INFO: Unknown certmonger ids: 20170817094736
Unknown certmonger ids: 20170817094736
The certificates it complains about:
[root@masterGOOD ~]# ipa cert-show 2
Issuing CA: ipa
Certificate: MII....
Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Not Before: Mon Jan 30 10:52:18 2017 UTC
Not After: Sun Jan 20 10:52:18 2019 UTC
Serial number: 2
Serial number (hex): 0x2
Revoked: False
[root@masterGOOD ~]# ipa cert-show 7
Issuing CA: ipa
Certificate: MII....
Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Not Before: Mon Jan 30 10:53:02 2017 UTC
Not After: Sun Jan 20 10:53:02 2019 UTC
Serial number: 7
Serial number (hex): 0x7
Revoked: False
[root@masterGOOD ~]# ipa cert-show 268304389
Issuing CA: ipa
Certificate: MIID....
Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Not Before: Mon Dec 24 07:24:20 2018 UTC
Not After: Sun Dec 13 07:24:20 2020 UTC
Serial number: 268304389
Serial number (hex): 0xFFE0005
Revoked: False
On the other master I get:
[root@masterGOOD ~]# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Check dates
Check dates
ipa: INFO: Checking certificates in CS.cfg
Checking certificates in CS.cfg
ICC-root not found, assuming 3rd party
ICC-Inter not found, assuming 3rd party
ipa: INFO: Comparing certificates to requests in LDAP
Comparing certificates to requests in LDAP
ipa: INFO: Checking RA certificate
Checking RA certificate
ipa: INFO: Checking authorities
Checking authorities
ipa: INFO: Checking host keytab
Checking host keytab
ipa: INFO: Validating certificates
Validating certificates
ipa: INFO: Checking renewal master
Checking renewal master
ipa: INFO: End-to-end cert API test
End-to-end cert API test
ipa: INFO: Checking permissions and ownership
Checking permissions and ownership
ipa: INFO: Failures:
Failures:
ipa: INFO: Unable to find request for serial 268304389
Unable to find request for serial 268304389
ipa: INFO: Unable to find request for serial 268304388
Unable to find request for serial 268304388
ipa: INFO: Unable to find request for serial 268304391
Unable to find request for serial 268304391
ipa: INFO: Unable to find request for serial 268304390
Unable to find request for serial 268304390
ipa: INFO: Unable to find request for serial 268304392
Unable to find request for serial 268304392
ipa: INFO: Warnings:
Warnings:
ipa: INFO: Unknown certmonger ids: 20170817101613
Unknown certmonger ids: 20170817101613
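The trust failure Florence diagnoses above (a RHEL 6 client's /etc/ipa/ca.crt holds only the IPA CA, so the HTTPD certificate issued by the third-party intermediate cannot be validated, while the master's bundle with IPA CA + ICC-root + ICC-Inter can) rebuilt with openssl in a scratch directory, as an added example that is not part of the thread. The CA names, subjects and keys are constructed for the demo; it assumes openssl 1.1.1 or newer with its standard configuration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce why `openssl verify` (and
# the NSS/libcurl check inside ipa-join) rejects the master's HTTPD cert
# when the client's CA bundle lacks the 3rd-party chain. All names below
# (ICC-root, ICC-Inter, masterGOOD...) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: $1 = file prefix, $2 = subject DN.
# `req -x509` adds basicConstraints CA:TRUE with the default config.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$1.key" -out "$1.pem" -subj "$2" >/dev/null 2>&1
}

# Certificate signed by an existing CA: $1 = prefix, $2 = subject DN,
# $3 = issuing CA prefix, $4 = "ca" for an intermediate CA, else a leaf.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "$2" >/dev/null 2>&1
    if [ "$4" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    else
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$1.ext"
    fi
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1.ext" \
        -out "$1.pem" >/dev/null 2>&1
}

# The two CA hierarchies present in the thread's deployment (constructed).
make_root_ca ipa-ca   '/O=IPA.TESTAD.LOCAL/CN=Certificate Authority'
make_root_ca icc-root '/O=company/CN=ICC-root'
issue_cert   icc-inter '/O=company/CN=ICC-Inter' icc-root ca
# HTTPD certificate of the master, issued by the 3rd-party intermediate.
issue_cert   httpd '/O=company/CN=masterGOOD.ipa.testad.local' icc-inter leaf
SERVER_CERT=$WORK/httpd.pem

# What a RHEL 6 client fetches from cn=CAcert,cn=ipa,cn=etc,$BASEDN: IPA CA only.
CLIENT_BUNDLE=$WORK/client-ca.crt
cat ipa-ca.pem > "$CLIENT_BUNDLE"
# What /etc/ipa/ca.crt holds on the masters after ipa-cacert-manage install.
MASTER_BUNDLE=$WORK/master-ca.crt
cat ipa-ca.pem icc-root.pem icc-inter.pem > "$MASTER_BUNDLE"

# Number of PEM certificates in a bundle (the thread saw 1 vs 3).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print the subject of every certificate in a bundle, one per line.
list_bundle() {
    awk -v dir="$WORK" '/BEGIN CERT/{n++} {print > (dir "/part" n ".pem")}' "$1"
    for f in "$WORK"/part*.pem; do openssl x509 -in "$f" -noout -subject; done
    rm -f "$WORK"/part*.pem
}

# Exit 0 when the HTTPD cert chains to a CA in the bundle, like the check
# libcurl/NSS performs during ipa-join; non-zero otherwise.
verify_server_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

echo "client bundle ($(count_certs "$CLIENT_BUNDLE") cert):"
list_bundle "$CLIENT_BUNDLE"
if verify_server_cert "$CLIENT_BUNDLE" "$SERVER_CERT"; then
    echo "  HTTPD cert verifies"
else   # issuer ICC-Inter is unknown: 'Peer certificate cannot be authenticated'
    echo "  HTTPD cert NOT trusted: issuer missing from bundle"
fi
echo "master bundle ($(count_certs "$MASTER_BUNDLE") certs):"
list_bundle "$MASTER_BUNDLE"
if verify_server_cert "$MASTER_BUNDLE" "$SERVER_CERT"; then
    echo "  HTTPD cert verifies: this is the file to pass with --ca-cert-file"
fi
```

Running the same `openssl verify -CAfile /etc/ipa/ca.crt` against the master's HTTPD certificate on a client before enrolling tells you up front whether the join will fail on trust.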
Yes, it is clear. Thank you very much.
On 1/11/19 12:12 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
You are right, on the client /etc/ipa/ca.crt has just the IPA CA, but on the servers it has 3 certificates:
- IPA CA
- ICC-inter
- ICC-root
The workaround didn’t work, despite it seems that reads the new file: 2019-01-11T10:28:35Z DEBUG trying to retrieve CA cert from file /tmp/ipa.crt 2019-01-11T10:28:35Z DEBUG CA cert provided by user, use it! 2019-01-11T10:28:36Z DEBUG args=/usr/sbin/ipa-join -s masterGOOD.ipa.testad.local -b dc=ipa,dc=testad,dc=local -d -h client.svc.company.org
But finally I got the same result:
- About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
- Trying 192.168.107.171... * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/ipa/ca.crt CApath: none
- Certificate is signed by an untrusted issuer: 'CN=COMPANY - Secure Server CA 1 - G2,DC=svs,DC=unicc,DC=org'
- NSS error -8172
- Expire cleared
- Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates 2019-01-11T10:28:36Z ERROR Joining realm failed: XML-RPC CALL:
Anyway, I have overwrited /etc/ipa/ca.crt with the file from the masters and then the installation was OK.
Now just I want to know:
- can I do something to fix permanently the problem and not to copy the certificate on all new RHEL 6 servers before install client?
- if the problem was caused because I installed wrongly the certificates. Can you please let me know the correct way?
- if it is a bug. Has been fixed on newer releases or it is planned on future releases?
Hi,
this behavior is a limitation of RHEL 6, please see the note in "Managing certificates and certificate authorities" in IdM guide for RHEL 6 [1]: --- Using more than one certificate authority (CA) signing certificate within your IdM environment is not supported in Red Hat Enterprise Linux 6. To support this configuration, upgrade your IdM systems to Red Hat Enterprise Linux 7. ---
This has been solved in RHEL 7, and RHEL 7 clients are able to enroll even if multiple CAs are defined (IPA CA and the CA for the apache/ldap certs).
Hope this clarifies, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...
Thank you very much.
On 1/10/19 3:24 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Ipa cert-show is working now after copying the certificates, thanks.
The error I get is: Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
I have attached the full log with debug enabled, it complains about the certificate added for HTTP:
- About to connect() to masterGOOD.ipa.testad.local port 443 (#0)
- Trying 192.168.107.171... * Connected to masterGOOD.ipa.testad.local (192.168.107.171) port 443 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: /etc/ipa/ca.crt
What is the content of /etc/ipa/ca.crt on the client? I suspect it only contains the cert for "IPA.TESTAD.LOCAL IPA CA". IIRC correctly, RHEL 6 clients download the cert from cn=CAcert,cn=ipa,cn=etc,$BASEDN (and this entry contains only IPA CA, not the external CAs).
To workaround the issue, you can do the following:
- copy /etc/ipa/ca.crt from the master to the client on /tmp/ipa.crt (the file should contain the IPA CA + ICC-root + ICC-Inter).
- enroll the client by providing --ca-cert-file=/tmp/ipa.crt
HTH, flo
CApath: none
- Certificate is signed by an untrusted issuer: 'CN=company - Secure
Server CA 1 - G2,DC=svs,DC=company,DC=org' <---------------- this CA was added by me because is the CA of the cert for HTTPD
- NSS error -8172
- Expire cleared
- Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates
2019-01-10T11:48:57Z ERROR Joining realm failed: XML-RPC CALL:
The certificates I have: [root@masterWRONG ~]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u CN=masterWRONG.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX u,u,u <------- the one I added it IPA.TESTAD.LOCAL IPA CA CT,C,C ICC-root C,, <--- root certificate of CN=masterWRONG.ipa.testad.local (added by me) ICC-Inter C,, <--- CA added of CN=masterWRONG.ipa.testad.local (added by me)
[root@masterGOOD ipa]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI CN=masterGOOD.ipa.testad.local,OU=OPPV,O=company,L=XXXX,ST=XXXX,C=XX CTu,Cu,Cu <------- the one I added it IPA.TESTAD.LOCAL IPA CA CT,C,C ICC-root C,, <--- root certificate of CN=masterGOOD.ipa.testad.local (added by me) ICC-Inter C,, <--- CA added of CN=masterGOOD.ipa.testad.local (added by me)
Thanks & Regards.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Thursday, January 10, 2019 10:03 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Rob Crittenden rcritten@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
Now it works and it shows the real problem I have. I have 2 master, I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but I one of them has som problems: [root@masterWRONG ~]# python2 ipa-checkcerts.py ipa: INFO: IPA version 4.6.4-10.el7 IPA version 4.6.4-10.el7 ipa: INFO: Check CA status Check CA status ipa: INFO: Check tracking Check tracking ipa: INFO: Check NSS trust Check NSS trust ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Check dates Check dates ipa: INFO: Checking certificates in CS.cfg Checking certificates in CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Comparing certificates to requests in LDAP Comparing certificates to requests in LDAP ipa: INFO: Checking RA certificate Checking RA certificate ipa: INFO: Checking authorities Checking authorities ipa: INFO: Checking host keytab Checking host keytab ipa: INFO: Validating certificates Validating certificates ipa: INFO: Checking renewal master Checking renewal master ipa: INFO: End-to-end cert API test End-to-end cert API test ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION (Invalid Credential.) ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected RA agent description does not match 2;268304389;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL in LDAP and 2;7;CN=Certificate Authority,O=IPA.TESTAD.LOCAL;CN=IPA RA,O=IPA.TESTAD.LOCAL expected ipa: INFO: cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) 
cert-show of 1 failed: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.) ipa: INFO: Warnings: Warnings: ipa: INFO: Unknown certmonger ids: 20170817094736 Unknown certmonger ids: 20170817094736
The certificates that complains: [root@masterGOOD ~]# ipa cert-show 2 Issuing CA: ipa Certificate: MII.... Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Jan 30 10:52:18 2017 UTC Not After: Sun Jan 20 10:52:18 2019 UTC Serial number: 2 Serial number (hex): 0x2 Revoked: False [root@masterGOOD ~]# ipa cert-show 7 Issuing CA: ipa Certificate: MII.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Jan 30 10:53:02 2017 UTC Not After: Sun Jan 20 10:53:02 2019 UTC Serial number: 7 Serial number (hex): 0x7 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304389 Issuing CA: ipa Certificate: MIID.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:20 2018 UTC Not After: Sun Dec 13 07:24:20 2020 UTC Serial number: 268304389 Serial number (hex): 0xFFE0005 Revoked: False
On the other master I get: [root@masterGOOD ~]# python2 ipa-checkcerts.py ipa: INFO: IPA version 4.6.4-10.el7 IPA version 4.6.4-10.el7 ipa: INFO: Check CA status Check CA status ipa: INFO: Check tracking Check tracking ipa: INFO: Check NSS trust Check NSS trust ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Check dates Check dates ipa: INFO: Checking certificates in CS.cfg Checking certificates in CS.cfg ICC-root not found, assuming 3rd party ICC-Inter not found, assuming 3rd party ipa: INFO: Comparing certificates to requests in LDAP Comparing certificates to requests in LDAP ipa: INFO: Checking RA certificate Checking RA certificate ipa: INFO: Checking authorities Checking authorities ipa: INFO: Checking host keytab Checking host keytab ipa: INFO: Validating certificates Validating certificates ipa: INFO: Checking renewal master Checking renewal master ipa: INFO: End-to-end cert API test End-to-end cert API test ipa: INFO: Checking permissions and ownership Checking permissions and ownership ipa: INFO: Failures: Failures: ipa: INFO: Unable to find request for serial 268304389 Unable to find request for serial 268304389 ipa: INFO: Unable to find request for serial 268304388 Unable to find request for serial 268304388 ipa: INFO: Unable to find request for serial 268304391 Unable to find request for serial 268304391 ipa: INFO: Unable to find request for serial 268304390 Unable to find request for serial 268304390 ipa: INFO: Unable to find request for serial 268304392 Unable to find request for serial 268304392 ipa: INFO: Warnings: Warnings: ipa: INFO: Unknown certmonger ids: 20170817101613 Unknown certmonger ids: 20170817101613
Where the serials correspond the following certs: [root@masterGOOD ~]# ipa cert-show 268304389 Issuing CA: ipa Certificate: MI.... Subject: CN=IPA RA,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:20 2018 UTC Not After: Sun Dec 13 07:24:20 2020 UTC Serial number: 268304389 Serial number (hex): 0xFFE0005 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304388 Issuing CA: ipa Certificate: MII.... Subject: CN=CA Audit,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:25:10 2018 UTC Not After: Sun Dec 13 07:25:10 2020 UTC Serial number: 268304388 Serial number (hex): 0xFFE0004 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304391 Issuing CA: ipa Certificate: MII.... Subject: CN=OCSP Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:25:00 2018 UTC Not After: Sun Dec 13 07:25:00 2020 UTC Serial number: 268304391 Serial number (hex): 0xFFE0007 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304390 Issuing CA: ipa Certificate: MII.... Subject: CN=CA Subsystem,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Mon Dec 24 07:24:41 2018 UTC Not After: Sun Dec 13 07:24:41 2020 UTC Serial number: 268304390 Serial number (hex): 0xFFE0006 Revoked: False [root@masterGOOD ~]# ipa cert-show 268304392 Issuing CA: ipa Certificate: MII.... Subject: CN=masterGOOD.ipa.testad.local,O=IPA.TESTAD.LOCAL Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL Not Before: Tue Dec 25 07:24:07 2018 UTC Not After: Mon Dec 14 07:24:07 2020 UTC Serial number: 268304392 Serial number (hex): 0xFFE0008 Revoked: False
I've checked that the following files are different on the 2 masters: /var/lib/ipa/ra-agent.key /var/lib/ipa/ra-agent.pem
It has been renewed on masterGOOD but not on masterWRONG:
You can manually copy ra-agent.key and ra-agent.pem from masterGOOD to masterWRONG (make a backup first of the files on masterWRONG). This should solve the 'ipa cert-show' issue on masterWRONG.
[root@masterWRONG ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
        Serial Number: 7 (0x7)
            Not Before: Jan 30 10:53:02 2017 GMT
            Not After : Jan 20 10:53:02 2019 GMT

[root@masterGOOD ~]# openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | egrep "Serial|Not"
        Serial Number: 268304389 (0xffe0005)
            Not Before: Dec 24 07:24:20 2018 GMT
            Not After : Dec 13 07:24:20 2020 GMT

When I execute "ipa cert-show" on masterWRONG I get the following error:
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

I have added a RHEL 7 client to the domain, but I cannot add RHEL 6 clients. The CA master was masterWRONG and I have changed to masterGOOD with the procedure explained on https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master but it still cannot add RHEL 6 to the domain.
Which error do you see when trying to add a RHEL6 client to the domain? Please provide ipaclient-install.log.
HTH, flo
How can I fix the issue? Is that happening because I changed the auto-signed HTTP certificate to a 3rd party certificate?
Thanks & Regards.
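The comparison of ra-agent.pem between the two masters that the thread does by hand can be scripted. The following is an added example (not code from the thread, nor part of FreeIPA or ipa-checkcerts.py): it parses the "Serial Number" / "Not Before" / "Not After" lines that `openssl x509 -text -noout | egrep "Serial|Not"` prints for each master, reports when the replicas do not hold the same RA agent certificate (different serials, as happened here after renewal on masterGOOD only) and when a copy is expired or within 30 days of expiry. The sample inputs are the two outputs quoted in the thread; the host names, the reference date (the date of the thread) and the 30-day margin are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two openssl summaries quoted in the thread,
# keyed by an assumed host name for each master.
SAMPLE_OUTPUT = {
    "masterWRONG": (
        "Serial Number: 7 (0x7)\n"
        "Not Before: Jan 30 10:53:02 2017 GMT\n"
        "Not After : Jan 20 10:53:02 2019 GMT\n"
    ),
    "masterGOOD": (
        "Serial Number: 268304389 (0xffe0005)\n"
        "Not Before: Dec 24 07:24:20 2018 GMT\n"
        "Not After : Dec 13 07:24:20 2020 GMT\n"
    ),
}

# Reference time for the expiry check: the date of the thread (assumed,
# so the result is reproducible; a real check would use datetime.utcnow()).
THREAD_DATE = datetime(2019, 1, 3)

_SERIAL_RE = re.compile(r"^\s*Serial Number:\s*(\d+)", re.M)
_NOT_BEFORE_RE = re.compile(r"^\s*Not Before\s*:\s*(.+?)\s*$", re.M)
_NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M)


def _parse_gmt(stamp):
    """Parse an openssl validity timestamp such as 'Jan 20 10:53:02 2019 GMT'.

    openssl pads single-digit days with a space ('Jan  1 ...'); collapsing
    whitespace makes strptime accept both forms.
    """
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y GMT")


def parse_cert_summary(text):
    """Extract serial and validity window from the egrep'd openssl output."""
    serial = _SERIAL_RE.search(text)
    before = _NOT_BEFORE_RE.search(text)
    after = _NOT_AFTER_RE.search(text)
    if not (serial and before and after):
        raise ValueError("missing Serial/Not Before/Not After line in input")
    return {
        "serial": int(serial.group(1)),
        "not_before": _parse_gmt(before.group(1)),
        "not_after": _parse_gmt(after.group(1)),
    }


def check_ra_agents(outputs, now, expiry_margin=timedelta(days=30)):
    """Compare ra-agent.pem summaries collected from several masters.

    Returns a list of findings: one if the serials disagree (the replicas are
    not sharing the same RA agent certificate), plus one per master whose
    certificate is already expired or expires within expiry_margin.
    """
    parsed = {host: parse_cert_summary(text) for host, text in outputs.items()}
    findings = []

    serials = {info["serial"] for info in parsed.values()}
    if len(serials) > 1:
        detail = ", ".join(f"{h}={parsed[h]['serial']}" for h in sorted(parsed))
        findings.append(f"ra-agent.pem serial differs across masters: {detail}")

    for host in sorted(parsed):
        not_after = parsed[host]["not_after"]
        if now >= not_after:
            findings.append(f"{host}: RA agent cert expired {not_after:%Y-%m-%d}")
        elif now + expiry_margin >= not_after:
            findings.append(
                f"{host}: RA agent cert expires within {expiry_margin.days} days "
                f"({not_after:%Y-%m-%d})"
            )
    return findings


if __name__ == "__main__":
    for line in check_ra_agents(SAMPLE_OUTPUT, THREAD_DATE) or ["no findings"]:
        print(line)
```

On the sample data this reports the serial mismatch (7 on masterWRONG versus 268304389 on masterGOOD) and that masterWRONG's copy expires on 2019-01-20, which is the state flo's advice to copy the renewed ra-agent.key and ra-agent.pem from masterGOOD addresses. In practice the per-host text would be gathered by running the openssl command on each master.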
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: Thursday, January 03, 2019 21:22
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Testing requested - certificate checking tool
Rob Crittenden via FreeIPA-users wrote:
SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
I have run the tool on an environment where I've installed my own certificate for HTTPS (following this tutorial: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), and it complains when finding the root certificate of my certificate:
# python2 ipa-checkcerts.py
ipa: INFO: IPA version 4.6.4-10.el7
IPA version 4.6.4-10.el7
ipa: INFO: Check CA status
Check CA status
ipa: INFO: Check tracking
Check tracking
ipa: INFO: Check NSS trust
Check NSS trust
Traceback (most recent call last):
File "ipa-checkcerts.py", line 931, in <module>
sys.exit(c.run())
File "ipa-checkcerts.py", line 190, in run
self.check_trust()
File "ipa-checkcerts.py", line 439, in check_trust
expected = expected_trust[nickname]
KeyError: 'ICC-root'
Is this normal?
No, I don't think I ever tested this scenario. I'll take a look.
I did confirm it also fails if you install CA-less.
I reproduced the error and worked around it. It should work now.
rob
Because I have tried to add a RHEL 6 client and I get the error:
" Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
Valid From: Mon Jan 30 10:52:18 2017 UTC
Valid Until: Fri Jan 30 10:52:18 2037 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates"
Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org