On Wed, Oct 09, 2019 at 08:58:14PM -0500, Kevin Vasko wrote:
Seems to happen on both Ubuntu 16.04 and 18.04.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial
$ firefox --version Mozilla Firefox 67.0.4
freeipa-client/xenial,now 4.3.1-0ubuntu1 amd64 [installed]
freeipa-common/xenial,xenial,now 4.3.1-0ubuntu1 all [installed,automatic]
firefox/now 67.0.4+build1-0ubuntu0.16.04.1 amd64
Ubuntu 18.04 machine:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic
freeipa-client/bionic,now 4.7.0~pre1+git20180411-2ubuntu2 amd64 [installed]
freeipa-common/bionic,bionic,now 4.7.0~pre1+git20180411-2ubuntu2 all [installed,automatic]
firefox/bionic-updates,bionic-security,now 69.0.2+build1-0ubuntu0.18.04.1 amd64 [installed]
Where is the system trust store located? I was going to validate that the freeipa ca.crt is added to the system trust store. If it's not there, how do you add the ca.crt to the system trust store?
Should the ipa-install-client command add the system wide trust store?
Thanks for the details. I do not know about system trust on Ubuntu. It could be that ipa-client on Ubuntu does add the IPA CA to system trust, but the Firefox/Chrome packages ignore the system trust store.
Hopefully someone more familiar with Ubuntu can clarify.
Cheers, Fraser
I'll try this on CentOS tomorrow to see if it's just an Ubuntu issue.
On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale ftweedal@redhat.com wrote:
On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
Hello,
I’m wanting to make our https servers use a trusted certificate within our LAN only. So for example if I have websrv1.ny.example.com when a user uses a machine that’s enrolled into our realm and they visit https://websrv1.ny.example.com they shouldn’t be prompted to accept the self signed certificate.
I think I’m pretty close but I’m missing a small part.
The ipa server is all setup and working. Hosts are enrolled to ipa and have the /etc/ipa/ca.crt.
I have created a service for the http server in IPA. I have obtained a .key file and .crt file for my web server. Those keys for the web server are in the appropriate location and the web server is pointing at the certs correctly.
On my clients, when I go to the web server's URL I am no longer getting a “self signed cert” error message in the browser.
That message has now changed to “unverified certificate authority”, which basically indicates to me that the browser doesn’t know if this certificate authority should/can be trusted.
If I go in the browser (Firefox or Chrome) to the certificate authority section and import the /etc/ipa/ca.crt, I get no errors in the browser about it being unverified.
So my question is, what am I missing to make the /etc/ipa/ca.crt file globally available for browsers to pick up the certificate automatically?
When we enroll a host we simply do
freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
Accept the defaults, put in the password to enroll and that’s it. Is there something I’m missing?
-Kevin
Looks like the browser is not using the system trust store. Please provide full details of operating system and package versions for both freeipa and browser packages.
Cheers, Fraser
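A check for Kevin's question about validating that /etc/ipa/ca.crt is actually in the system trust store, added here as an example (not code from the thread or from FreeIPA): it matches certificates by the SHA-256 fingerprint of their DER bytes, the value the browser's certificate dialog shows, so PEM line wrapping and bundle comments do not affect the result. The bundle path /etc/ssl/certs/ca-certificates.crt, the /usr/local/share/ca-certificates directory and update-ca-certificates are assumptions about Ubuntu's ca-certificates package, not something the thread states; make_pem and the bytes fed to it are constructed test data, not real certificates.

```python
import base64
import hashlib
import re

IPA_CA_PATH = "/etc/ipa/ca.crt"                       # written by ipa-client-install
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # Ubuntu merged bundle (assumption)

# One CERTIFICATE block; a trust bundle is many of these concatenated.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM string."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in _PEM_BLOCK.finditer(pem_text)]

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as the browser's certificate dialog shows it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def ca_in_bundle(ca_pem, bundle_pem):
    """True if every certificate in ca_pem is in bundle_pem (PEM wrapping ignored)."""
    ca_fps = {sha256_fingerprint(d) for d in pem_to_der_list(ca_pem)}
    if not ca_fps:
        raise ValueError("no CERTIFICATE block found in the IPA CA file")
    bundle_fps = {sha256_fingerprint(d) for d in pem_to_der_list(bundle_pem)}
    return ca_fps <= bundle_fps

def check_system_trust(ca_path=IPA_CA_PATH, bundle_path=SYSTEM_BUNDLE):
    """Read both files and report whether the IPA CA is in the system bundle."""
    with open(ca_path) as ca, open(bundle_path) as bundle:
        return ca_in_bundle(ca.read(), bundle.read())

def make_pem(der, width=64):
    """Wrap raw bytes as a PEM CERTIFICATE block (constructed test data only)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if check_system_trust():
        print("IPA CA is present in", SYSTEM_BUNDLE)
    else:  # Ubuntu: add it to the local CA directory and rebuild the bundle (assumption)
        print("IPA CA missing: sudo cp /etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa-ca.crt"
              " && sudo update-ca-certificates")
```

A positive result here only covers programs that read the system bundle; Firefox and Chrome on Linux keep their own NSS certificate databases, which is the possibility Fraser raises above.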