On Thu, Jul 13, 2017 at 09:57:04AM -0400, Mark Haney via FreeIPA-users wrote:
> On 07/12/2017 08:34 PM, Fraser Tweedale wrote:
> > 
> > Which version(s) of FreeIPA?
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> > 
> > Which service(s) (HTTP, LDAP?).
> HTTPS.  I haven't checked LDAPS yet.  It appears this is only related to
> HTTPS.  To give a bit of backstory, the primary host [ipa0] was installed
> and configured a couple of months before I came on board here (which was in
> early April). One of my first tasks was to build a replica of ipa0 (wackily
> named ipa1) for redundancy.
> > 
> > What client program(s) were used to contact the servers?  (The same
> > client, or different?)  Has the IPA CA cert been properly installed
> > for the relevant clients / client systems?
> I've not even tried to connect clients yet, this is solely related to the
> web browser complaining about the connection to the admin panel being
> insecure on ipa1, but not ipa0.  ipa0 has a valid not self-signed wildcard
> cert on it.  So, either the process I used to build the replica and get it
> synced was incorrect, or the process doesn't include valid non-self-signed
> HTTPS certs.  That's where I'm at now.
>
OK, I think I understand.

ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been
set up with a certificate issued by the IPA CA, which your browser
does not trust.

There are two ways forward here:

1.  You can use ipa-server-certinstall to install a 3rd-party (i.e.
not issued by the IPA CA but by a CA trusted by clients - including
browsers - in your organisation) certificate for the HTTP service.
This seems to be how ipa0 is set up so you might want to do that for
consistency.

2.  Add the IPA CA certificate to your browser as a trusted CA.  If
you need all clients (including users' browsers) in your
organisation to trust certs issued by your FreeIPA CA, then you need
to work out how to push the IPA CA out to all of them, or you need
to chain the IPA CA to a CA that they already trust (e.g.
organisations with Active Directory often chain their IPA CA up to
the AD CA).

HTH,
Fraser

> > 
> > Can you show us the good / bad certs?
> > 
> > {{There are a lot of things to check when diagnosing PKI problems!}}
> > 
> > Thanks,
> > Fraser
> 
> 
> -- 
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
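As an added diagnostic for the situation Fraser describes (not code from the thread or from FreeIPA itself): fetch the HTTPS certificate each server presents, show its issuer, classify it as IPA-CA-issued or third-party, and test whether it chains to the IPA CA in /etc/ipa/ca.crt. It assumes the default FreeIPA CA subject "CN=Certificate Authority" under the realm's O; hostnames and the CA file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the FreeIPA project. Compares the HTTPS certs of
# two IPA servers (e.g. ipa0 and ipa1) and reports which CA issued each.

IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"   # IPA CA cert as installed on an enrolled host (assumed path)

# Fetch the leaf certificate a host presents on 443, as PEM on stdout.
fetch_leaf() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Print the issuer DN of a PEM certificate read from stdin.
issuer_of() {
    openssl x509 -noout -issuer | sed 's/^issuer= *//'
}

# Classify an issuer DN. The default FreeIPA CA subject carries
# "CN=Certificate Authority" (assumption: a CA renamed at install time
# will not match and is reported as third-party).
classify_issuer() {
    case "$1" in
        *"CN = Certificate Authority"*|*"CN=Certificate Authority"*) echo "ipa-ca" ;;
        *) echo "third-party" ;;
    esac
}

# Does the PEM certificate on stdin verify against the IPA CA file? ok/fail.
verify_with_ipa_ca() {
    if openssl verify -CAfile "$IPA_CA" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# One line per host: issuer, classification, and whether it chains to the IPA CA.
# A browser that does not trust the IPA CA will reject a host reporting kind=ipa-ca.
report_host() {
    leaf=$(fetch_leaf "$1") || { echo "$1: could not fetch certificate"; return 1; }
    issuer=$(printf '%s\n' "$leaf" | issuer_of)
    kind=$(classify_issuer "$issuer")
    chain=$(printf '%s\n' "$leaf" | verify_with_ipa_ca)
    echo "$1: issuer='$issuer' kind=$kind chains_to_ipa_ca=$chain"
}

# Usage: sh check-ipa-https.sh ipa0.example.test ipa1.example.test
for h in "$@"; do report_host "$h"; done
```

Running it against both replicas should show the third-party issuer on ipa0 and the IPA CA on ipa1; after ipa-server-certinstall on ipa1 (option 1) both lines should report kind=third-party.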