Sigbjorn Lie wrote:
>> On what machine are you trying to use the ipa tool? Is it one of the
>> masters, all of them, enrolled clients?
>
> It's the same error message when the "ipa" command is run directly on any of
> the masters.
> And it's the same error message if I run the "ipa" command on any of the
> clients.
> I do not have a working "ipa" command anywhere anymore.
>> Ok, let's test out the cert that ipa is using. Try this on any one of
>> the masters:
>>
>> $ curl https://`hostname`/ipa/xml
>>
>> Should fail with "Peer certificate cannot be authenticated with known CA
>> certificates"
>>
>> $ curl --cacert /etc/ipa/ca.crt https://`hostname`/ipa/xml
>>
>> Should succeed in that you get the "you are not logged in" HTML page
>>
>> Ok, now unfortunately curl only handles the sql-style NSS databases so
>> we can't fully reproduce it the same way that the IPA client is doing
>> things, but here is an approximation:
>>
>> # certutil -A -d sql:/etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>> $ curl https://`hostname`/ipa/xml
>>
>> You should see the login page HTML
>>
>> If you stick a -v in there it'll give you more verbose output which
>> would be useful if any of these fail in an unexpected way.
>> Whatever is going on isn't likely related to the web server Apache
>> database as you get the same error out of each one. The client log you sent
>> confirmed that it tried to contact each master. The SSL error we're getting
>> is that the client doesn't trust the CA that signed the server certificate,
>> so this appears to be a problem on the client, which begs the question: all
>> clients or just this one?
>
> All clients.
>> NSS is smart enough to handle multiple certificates, it should pick the
>> newest one on startup.
>
> Ok.
>
> Where do you suggest I continue troubleshooting this issue?
We can also tackle this on the server side. Let's verify the server cert:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias

This is verified on server startup so I expect it to be valid, but it
doesn't hurt to try.

Restarting the Apache process might be something to try as changes to
the NSS database aren't picked up until a restart.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
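As an added example (not code from the messages above or from the FreeIPA project), a small POSIX shell script that runs the two curl probes from the thread, with and without --cacert /etc/ipa/ca.crt, against a master and interprets the pair of results. It assumes the paths used in the thread and curl's documented exit statuses (0 request completed, 60 peer certificate not trusted, 6 host not resolved, 7 connection refused); the network probes only run when the script is invoked with the argument "run".

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Assumes the paths the thread
# uses (/etc/ipa/ca.crt, the master's /ipa/xml endpoint) and curl's documented
# exit codes: 0 = handshake and request ok, 60 = peer cert not trusted,
# 6 = could not resolve host, 7 = could not connect.
CA_FILE=/etc/ipa/ca.crt
IPA_URL="https://$(hostname)/ipa/xml"

# Map a curl exit status to the trust state it implies.
curl_state() {
  case "$1" in
    0)   echo trusted ;;
    60)  echo untrusted-ca ;;
    6|7) echo unreachable ;;
    *)   echo "other($1)" ;;
  esac
}

# Interpret the pair of results: $1 without --cacert, $2 with --cacert $CA_FILE.
diagnose() {
  case "$1/$2" in
    unreachable/*)
      echo "master unreachable: not a certificate problem" ;;
    untrusted-ca/trusted)
      echo "server cert chains to $CA_FILE; the client trust store lacks the IPA CA" ;;
    trusted/trusted)
      echo "IPA CA already trusted by curl; compare with the client's NSS database" ;;
    */untrusted-ca)
      echo "server cert does not chain to $CA_FILE; check Server-Cert in /etc/httpd/alias" ;;
    *)
      echo "unexpected result $1 / $2: rerun curl with -v" ;;
  esac
}

# Run both curl probes against this master and print the interpretation.
run_checks() {
  curl -sS -o /dev/null "$IPA_URL"
  without=$(curl_state $?)
  curl -sS -o /dev/null --cacert "$CA_FILE" "$IPA_URL"
  with=$(curl_state $?)
  echo "without CA: $without, with CA: $with"
  diagnose "$without" "$with"
}

# Only probe the network when invoked with "run"; the functions stay testable offline.
if [ "${1:-}" = run ]; then
  run_checks
fi
```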