SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello,
>
> I have run the tool on an environment where I’ve installed my own
> certificate for HTTPS (following this tutorial:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP),
> and it complains when it finds the root certificate of my certificate:
>
> # python2 ipa-checkcerts.py
> ipa: INFO: IPA version 4.6.4-10.el7
> IPA version 4.6.4-10.el7
> ipa: INFO: Check CA status
> Check CA status
> ipa: INFO: Check tracking
> Check tracking
> ipa: INFO: Check NSS trust
> Check NSS trust
> Traceback (most recent call last):
>   File "ipa-checkcerts.py", line 931, in <module>
>     sys.exit(c.run())
>   File "ipa-checkcerts.py", line 190, in run
>     self.check_trust()
>   File "ipa-checkcerts.py", line 439, in check_trust
>     expected = expected_trust[nickname]
> KeyError: 'ICC-root'
>
> Is this normal?

No, I don't think I ever tested this scenario. I'll take a look. I did
confirm it also fails if you install CA-less.

> Because I have tried to add a RHEL 6 client and I get the error:
>
> " Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
> Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
> Valid From: Mon Jan 30 10:52:18 2017 UTC
> Valid Until: Fri Jan 30 10:52:18 2037 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST
> transaction. Peer certificate cannot be authenticated with known CA
> certificates"

Use ipa-cacert-manage to install the CA of the 3rd party certs you added.

rob
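
The traceback in this thread shows a direct `expected_trust[nickname]` lookup failing on a nickname the tool did not anticipate. The following is an added illustration, not code from ipa-checkcerts.py, of a trust check that reports unknown nicknames instead of raising. The `certutil -L` listing, the expected flags and both function names are constructed for the example.

```python
import re

# NSS trust attributes look like "CT,C,C" (SSL,S/MIME,JAR/XPI).
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample of `certutil -L -d <nssdb>` output (not taken from the thread).
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA.TESTAD.LOCAL IPA CA                                      CT,C,C
ICC-root                                                     C,,
"""

# Assumed expectations for this example; a real tool builds its own map.
EXPECTED_TRUST = {
    "Server-Cert": "u,u,u",
    "IPA.TESTAD.LOCAL IPA CA": "CT,C,C",
}


def parse_certutil_listing(text):
    """Return {nickname: trust_flags}; header and blank lines are skipped."""
    found = {}
    for line in text.splitlines():
        # Nicknames may contain spaces, so split off only the last column.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            found[parts[0]] = parts[1]
    return found


def check_trust(found, expected_trust):
    """Compare trust flags without assuming every nickname is known."""
    problems = []
    for nickname, flags in sorted(found.items()):
        expected = expected_trust.get(nickname)  # .get(): no KeyError
        if expected is None:
            problems.append((nickname, "unexpected nickname, trust %s" % flags))
        elif expected != flags:
            problems.append((nickname, "trust %s, expected %s" % (flags, expected)))
    for nickname in sorted(set(expected_trust) - set(found)):
        problems.append((nickname, "missing from database"))
    return problems


if __name__ == "__main__":
    for nickname, message in check_trust(
            parse_certutil_listing(SAMPLE_LISTING), EXPECTED_TRUST):
        print("%s: %s" % (nickname, message))
```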