/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority. All the certs monitored by Certmonger show the same issuer.

Wasn't getting anything back when running the ipahost script you provided; I ran

    ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`

and echo $ipahost shows nothing, so I just ran the openssl section manually:

    openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts < /dev/null

Results:

CONNECTED(00000003)
depth=1 O = CTIDATA.NET, CN = Certificate Authority
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Certificate chain
 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
   i:/O=CTIDATA.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
#####
-----END CERTIFICATE-----
 1 s:/O=CTIDATA.NET/CN=Certificate Authority
   i:/O=CTIDATA.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
####
-----END CERTIFICATE-----
---
Server certificate
subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
issuer=/O=CTIDATA.NET/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1959 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: #####
    Session-ID-ctx:
    Master-Key: ####
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1367518514
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
DONE

On Thu, May 2, 2013 at 12:53 PM, Nalin Dahyabhai <na...@redhat.com> wrote:
> On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
> > Here is the output from the submit:
> >
> > /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
> > Submitting request to "https://ipa01.ctidata.net/ipa/xml".
> > Fault -504: (libcurl failed to execute the HTTP POST transaction,
> > explaining: Peer certificate cannot be authenticated with known CA
> > certificates).
> > Server failed request, will retry: -504 (libcurl failed to execute the HTTP
> > POST transaction, explaining: Peer certificate cannot be authenticated
> > with known CA certificates).
> >
> > Regarding /etc/ipa/ca.crt, it isn't expired; it shows it's valid until July
> > 6, 2019.
>
> Hmm, so for both cases, you're seeing errors verifying the IPA server's
> certificate. Can you double-check the certificates and that the
> server's looks like it was issued by the CA?
>
> This should more or less repeat the part of the process that's giving
> libcurl trouble, and show us the certificates, too:
>
> ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
> openssl s_client -CAfile /etc/ipa/ca.crt \
>     -connect $ipahost:https -showcerts < /dev/null
>
> Nalin
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
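An added example, not from the thread or from FreeIPA/certmonger: a Python script that parses the verify lines of the openssl s_client -showcerts output quoted above (embedded as a constructed sample) and reports which member of the chain failed and why, so that an expired server certificate is not mistaken for a problem with /etc/ipa/ca.crt. The ipa_host() helper and its fallback argument are hypothetical, added for the empty-$ipahost case in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the verify lines from the s_client run quoted in the thread.
SAMPLE = """\
CONNECTED(00000003)
depth=1 O = CTIDATA.NET, CN = Certificate Authority
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
    Start Time: 1367518514
    Verify return code: 10 (certificate has expired)
"""
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.*)$")
START_RE = re.compile(r"^\s*Start Time:\s*(\d+)")

def ipa_host(default_conf_text, fallback):
    """Hypothetical helper: read host= from /etc/ipa/default.conf text, accepting
    'host = x' spacing (which `grep ^host=` misses); else return fallback."""
    m = re.search(r"^host\s*=\s*(\S+)", default_conf_text, re.MULTILINE)
    return m.group(1) if m else fallback

def diagnose(s_client_output):
    """One dict per failing chain member: depth, subject, OpenSSL verify
    code/reason and, for expiry, days past notAfter at the session Start Time."""
    failures, current, start = [], None, None
    for line in s_client_output.splitlines():
        if m := DEPTH_RE.match(line):
            current = {"depth": int(m.group(1)), "subject": m.group(2)}
        elif (m := ERROR_RE.match(line)) and current:
            current.update(code=int(m.group(1)), reason=m.group(2))
            failures.append(current)
        elif (m := NOTAFTER_RE.match(line)) and failures and failures[-1] is current:
            current["not_after"] = datetime.strptime(
                m.group(1), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        elif m := START_RE.match(line):
            start = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    for f in failures:
        f["role"] = "server (leaf) cert" if f["depth"] == 0 else "CA/intermediate"
        if "not_after" in f and start:
            f["days_expired"] = (start - f["not_after"]).days
    return failures
```

On the sample above, diagnose() reports a single failure at depth 0 (the server certificate, not the CA), expired 38 days before the handshake.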