Rob Crittenden via FreeIPA-users wrote:
> SOLER SANGUESA Miguel via FreeIPA-users wrote:
>> Hello,
>>
>> I have run the tool on an environment where I’ve installed my own
>> certificate for HTTPS (following this tutorial:
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP),
>> and it complains when it finds the root certificate of my certificate:
>>
>> # python2 ipa-checkcerts.py
>> ipa: INFO: IPA version 4.6.4-10.el7
>> IPA version 4.6.4-10.el7
>> ipa: INFO: Check CA status
>> Check CA status
>> ipa: INFO: Check tracking
>> Check tracking
>> ipa: INFO: Check NSS trust
>> Check NSS trust
>> Traceback (most recent call last):
>>   File "ipa-checkcerts.py", line 931, in <module>
>>     sys.exit(c.run())
>>   File "ipa-checkcerts.py", line 190, in run
>>     self.check_trust()
>>   File "ipa-checkcerts.py", line 439, in check_trust
>>     expected = expected_trust[nickname]
>> KeyError: 'ICC-root'
>>
>> Is this normal?
>
> No, I don't think I ever tested this scenario. I'll take a look.
>
> I did confirm it also fails if you install CA-less.

I reproduced the error and worked around it. It should work now.

rob

>
>> Because I have tried to add a RHEL 6 client and I get the error:
>>
>> " Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>> Issuer: CN=Certificate Authority,O=IPA.TESTAD.LOCAL
>> Valid From: Mon Jan 30 10:52:18 2017 UTC
>> Valid Until: Fri Jan 30 10:52:18 2037 UTC
>>
>> Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction. Peer certificate cannot be authenticated with known CA
>> certificates"it is by design to provide
>
> Use ipa-cacert-manage to install the CA of the 3rd party certs you added.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org