Hi folks, one question. These days I have been joining my machines into IPA. Almost all machines have Ubuntu 18.04. I joined about 10 machines in the last two days. Today I tried to join Debian 8 jessie but I have a problem.
All machines I join with the same command:
ipa-client-install -U --domain=example.com --hostname=clientexample.com --server=ipa.example.com --realm=EXAMPLE.com --password=XXXxxxXXX --principal=admin --mkhomedir
On the Debian machine I got this error during the join:
Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json' cert validation failed for "CN=ipa.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.) Cannot connect to the server due to generic error: cannot connect to 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. Installation failed. Rolling back changes.
Can anyone help?
Petar
We need more information on your CA chain configuration and what version of IPA you're using.
For example, is your CA a typical IPA self-signed CA or did you sign it with another CA?
rob
And information on what CA issued the web and LDAP server certificates.
rob
Ipa version:
FreeIPA 4.7
The CA isn't self-signed. I generated a Let's Encrypt SSL certificate and made a CA chain which is imported into IPA.
On all Ubuntu 18.04 machines it works perfectly, but this Debian 8 jessie doesn't support freeipa-client natively from the repo and maybe that is also the problem. I found some repo for the freeipa client
deb http://apt.numeezy.fr jessie main
deb-src http://apt.numeezy.fr jessie main
and I installed from there.
Assuming it picks the latest it means you have 4.6.4.
You might try installing the Let's Encrypt root CAs onto your client prior to running ipa-client-install.
Otherwise I think we'd need to see /var/log/ipaclient-install.log to see the CA chain being retrieved. Sounds like it is incomplete but unclear why.
rob
Here are the log files. I just want to inform you that I have that problem now also on Ubuntu 14.40 and Debian 8. On Ubuntu the ipa client version is 3.3; maybe the problem is there.
In the meantime I enrolled several more Ubuntu 18.04 instances without problem.
On this Debian 8 and Ubuntu 14.40 I just tried with the option --ca-cert-file, which I copied from the master, but same error.
Thank you
Petar
2019-05-20T11:13:47Z DEBUG [IPA Discovery]
2019-05-20T11:13:47Z DEBUG Starting IPA discovery with domain=example.com, servers=['myipaserver.example.com'], hostname=myclient.example.net
2019-05-20T11:13:47Z DEBUG Server and domain forced
2019-05-20T11:13:47Z DEBUG [Kerberos realm search]
2019-05-20T11:13:47Z DEBUG Search DNS for TXT record of _kerberos.example.com
2019-05-20T11:13:47Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:47Z DEBUG [LDAP server check]
2019-05-20T11:13:47Z DEBUG Verifying that myipaserver.example.com (realm None) is an IPA server
2019-05-20T11:13:47Z DEBUG Init LDAP connection to: myipaserver.example.com
2019-05-20T11:13:48Z DEBUG Search LDAP server for IPA base DN
2019-05-20T11:13:49Z DEBUG Check if naming context 'dc=example,dc=com' is for IPA
2019-05-20T11:13:49Z DEBUG Naming context 'dc=example,dc=com' is a valid IPA context
2019-05-20T11:13:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
2019-05-20T11:13:49Z DEBUG Found: cn=example.com,cn=kerberos,dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Discovery result: Success; server=myipaserver.example.com, domain=example.com, kdc=None, basedn=dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Validated servers: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered domain: example.com
2019-05-20T11:13:49Z DEBUG Using servers from command line, disabling DNS discovery
2019-05-20T11:13:49Z DEBUG will use provided server: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered realm: example.com
2019-05-20T11:13:49Z DEBUG will use discovered basedn: dc=example,dc=com
2019-05-20T11:13:49Z INFO Hostname: myclient.example.net
2019-05-20T11:13:49Z DEBUG Hostname source: Provided as option
2019-05-20T11:13:49Z INFO Realm: example.com
2019-05-20T11:13:49Z DEBUG Realm source: Discovered from LDAP DNS records in myipaserver.example.com
2019-05-20T11:13:49Z INFO DNS Domain: example.com
2019-05-20T11:13:49Z DEBUG DNS Domain source: Forced
2019-05-20T11:13:49Z INFO IPA Server: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG IPA Server source: Provided as option
2019-05-20T11:13:49Z INFO BaseDN: dc=example,dc=com
2019-05-20T11:13:49Z DEBUG BaseDN source: From IPA server ldap://myipaserver.example.com:389
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r example.com
2019-05-20T11:13:49Z DEBUG Process finished, return code=5
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=realm not found
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/bin/hostname myclient.example.net
2019-05-20T11:13:49Z DEBUG Process finished, return code=0
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=
2019-05-20T11:13:49Z DEBUG Backing up system configuration file '/etc/hostname'
2019-05-20T11:13:49Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:49Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-20T11:13:49Z INFO Synchronizing time with KDC...
2019-05-20T11:13:49Z DEBUG Search DNS for SRV record of _ntp._udp.example.com
2019-05-20T11:13:50Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:50Z DEBUG Process finished, return code=2
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=Unknown command
2019-05-20T11:13:50Z DEBUG Writing Kerberos configuration to /tmp/tmpJH6hjP:
2019-05-20T11:13:50Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.com = {
kdc = myipaserver.example.com:88
master_kdc = myipaserver.example.com:88
admin_server = myipaserver.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = example.com
example.com = example.com
.clientexample.com = example.com
clientexample.com = example.com
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=kinit admin@example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=0
2019-05-20T11:13:50Z DEBUG stdout=Password for admin@example.com:
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG trying to retrieve CA cert from file /tmp/ca.crt
2019-05-20T11:13:50Z DEBUG CA cert provided by user, use it!
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ipa-join -s myipaserver.example.com -b dc=example,dc=com -h myclient.example.net -f
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=example.com
2019-05-20T11:13:54Z INFO Enrolled in IPA realm example.com
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=kdestroy
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/myclient.example.net@example.com
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2019-05-20T11:13:54Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2019-05-20T11:13:54Z INFO Created /etc/ipa/default.conf
2019-05-20T11:13:54Z DEBUG importing all plugin modules in '/usr/lib/python2.7/dist-packages/ipalib/plugins'...
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=klist -V
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=Kerberos 5 version 1.12
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'
2019-05-20T11:13:55Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2019-05-20T11:13:55Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2019-05-20T11:13:55Z INFO New SSSD config will be created
2019-05-20T11:13:55Z INFO Configured /etc/sssd/sssd.conf
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=/usr/bin/certutil -A -d sql:/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2019-05-20T11:13:55Z DEBUG Process finished, return code=0
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=
2019-05-20T11:13:55Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2019-05-20T11:13:55Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:55Z DEBUG Process finished, return code=2
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=Unknown command
2019-05-20T11:13:55Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2019-05-20T11:13:55Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.com = {
kdc = myipaserver.example.com:88
master_kdc = myipaserver.example.com:88
admin_server = myipaserver.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = example.com
example.com = example.com
.clientexample.com = example.com
clientexample.com = example.com
2019-05-20T11:13:55Z INFO Configured /etc/krb5.conf for IPA realm example.com
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user ipa_session_cookie:host/myclient.example.net@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user ipa_session_cookie:host/myclient.example.net@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG failed to find session_cookie in persistent storage for principal 'host/myclient.example.net@example.com'
2019-05-20T11:13:56Z DEBUG trying https://myipaserver.example.com/ipa/xml
2019-05-20T11:13:56Z DEBUG Created connection context.xmlclient
2019-05-20T11:13:56Z DEBUG Try RPC connection
2019-05-20T11:13:56Z DEBUG Forwarding 'ping' to server 'https://myipaserver.example.com/ipa/xml'
2019-05-20T11:13:56Z DEBUG NSSConnection init myipaserver.example.com
2019-05-20T11:13:56Z DEBUG Connecting: 94.130.154.230:0
2019-05-20T11:13:56Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 337206521890680437858189420391339302183775 (0x3def5fdcb91c7146fc7d3cb8c096bd5e35f)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Validity:
Not Before: Fri Apr 05 07:19:18 2019 UTC
Not After : Thu Jul 04 07:19:18 2019 UTC
Subject: CN=myipaserver.example.com
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b4:68:c6:c8:b4:4f:df:50:5a:f0:00:4b:ea:09:9d:77:
1c:20:20:b6:ce:d7:64:24:c8:ec:65:ad:69:de:a1:ea:
b4:a1:d6:4e:46:88:d5:e5:ea:e6:9c:70:d8:8a:00:7e:
cd:c0:0f:2e:e7:e5:1f:3e:72:00:81:ab:b8:58:90:89:
f6:81:ee:6a:87:f4:85:34:32:46:5f:0e:45:5c:05:69
Exponent: 65537 (0x10001)
Signed Extensions: (9)
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Key Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Basic Constraints
Critical: True
Is CA: False
Path Length: 0
Name: Certificate Subject Key ID
Critical: False
Data:
cb:c7:a1:bc:07:0a:ba:f9:d6:55:85:ea:e4:13:3a:e6:
6d:1c:64:93
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:
f3:a8:ec:a1
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Name: Certificate Subject Alt Name
Critical: False
Names:
myipaserver.example.com
Name: Certificate Policies
Critical: False
Name: OID.1.3.6.1.4.1.11129.2.4.2
Critical: False
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
1b:9b:b3:c8:cb:c6:2b:1c:e9:f5:4b:6b:f2:2f:81:56:
55:00:33:bc:02:ba:e9:c4:58:76:b5:1b:05:ed:bc:d7:
94:4d:45:42:78:82:b1:77:5c:d6:c5:a3:92:e1:b6:5a:
d7:b1:b0:25:6b:c9:5c:bb:37:a8:f5:56:c4:1e:b2:cb:
a7:18:78:fc:a4:5c:a1:38:c0:39:bc:3c:7b:22:34:30:
32:02:07:12:15:16:38:c6:8d:c2:4c:e0:7d:b8:66:74:
84:44:23:eb:3f:8d:11:5e:92:77:cc:e0:ee:c4:59:12
Fingerprint (MD5):
a4:df:06:9a:a3:e1:61:93:40:cc:8e:ea:6d:2
Fingerprint (SHA1):
23:88:55:80:b7:6f:0f:d0:86:c0:4f:c3:c8:92:67:c3:
2019-05-20T11:13:56Z ERROR cert validation failed for "CN=myipaserver.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
2019-05-20T11:13:56Z ERROR Cannot connect to the server due to generic error: cannot connect to 'https://myipaserver.example.com/ipa/xml': [Errno -8179] (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
2019-05-20T11:13:56Z ERROR Installation failed. Rolling back changes.
2019-05-20T11:13:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2019-05-20T11:13:56Z DEBUG Starting external process
2019-05-20T11:13:56Z DEBUG args=ipa-client-automount --uninstall --debug
2019-05-20T11:13:58Z DEBUG Process finished, return code=0
2019-05-20T11:13:58Z DEBUG stdout=Restoring configuration
On May 17, 2019 at 4:40:47 PM, Rob Crittenden (rcritten@redhat.com) wrote:
I have no visibility into what CA file you used but you're missing either the X3 subca or the X1 root.
You can get them from https://letsencrypt.org/certificates/
Look at the ca.crt you used and see how many certificates are in there. I'm assuming there is only one. You can try concatenating the X1 and X3 certs into that and things should work.
rob
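Rob's question above comes down to inspecting the bundle: how many certificates does ca.crt actually hold, and does each one's issuer appear as another certificate's subject, all the way up to a self-issued root? The script below does that walk. It is an added example for this thread, not FreeIPA code and not something either poster ran; it uses only the Python standard library and parses just enough DER to pull the subject and issuer out of each certificate. The sample bundles are constructed inline from hand-built, unsigned certificates with made-up names ("Fake Authority X3", "Fake Root X1"), so it runs offline; pass the text of a real ca.crt to check_chain to inspect it. Because the walk starts from the certificate that nothing else in the bundle chains to, the order of the PEM blocks does not matter.

```python
"""Report whether a PEM CA bundle forms a complete chain up to a self-issued root.

Added example (standard library only).  The sample certificates at the bottom
are hand-built DER with dummy signatures, constructed for illustration.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Attribute OIDs rendered by name; anything else is shown as hex.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed value into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _name_to_str(name):
    """Render the content of an X.501 Name SEQUENCE as 'CN=...,O=...'."""
    parts = []
    for _, rdn in _children(name):         # RelativeDistinguishedName ::= SET
        for _, atv in _children(rdn):      # AttributeTypeAndValue ::= SEQUENCE
            (_, oid), (_, value) = _children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)


def parse_cert(der):
    """Return (subject_str, issuer_str, subject_der, issuer_der) of a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    return _name_to_str(subject), _name_to_str(issuer), subject, issuer


def check_chain(pem_text):
    """Walk from the lowest certificate towards its issuer and report what is found."""
    certs = [parse_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    report = {"count": len(certs), "chain": [], "complete": False, "problem": None}
    if not certs:
        report["problem"] = "no PEM certificates found in the bundle"
        return report
    by_subject = {c[2]: c for c in certs}              # subject DER -> certificate
    issuers = {c[3] for c in certs if c[2] != c[3]}    # issuers named by non-root certs
    leaves = [c for c in certs if c[2] not in issuers]  # certs nothing else chains to
    current, seen = (leaves or certs)[0], set()
    while True:
        subj, iss, subj_der, iss_der = current
        report["chain"].append(subj)
        if subj_der == iss_der:            # self-issued: we reached a root
            report["complete"] = True
            return report
        seen.add(subj_der)
        nxt = by_subject.get(iss_der)
        if nxt is None or nxt[2] in seen:
            report["problem"] = f"issuer '{iss}' of '{subj}' is not in the bundle"
            return report
        current = nxt


# ---- constructed sample data: hand-built, unsigned DER, not real certificates ----
def _der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn, org):
    def atv(oid, text):
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
    return _der(0x30, atv(b"\x55\x04\x03", cn) + atv(b"\x55\x04\x0a", org))


def make_fake_cert(subject, issuer, org="Fake CA"):
    """PEM of a structurally valid Certificate whose signature is a dummy."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"190405071918Z") + _der(0x17, b"190704071918Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer, org) + validity + _name(subject, org) + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    body = base64.b64encode(cert).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


INTERMEDIATE_ONLY = make_fake_cert("Fake Authority X3", "Fake Root X1")   # root missing
FULL_CHAIN = INTERMEDIATE_ONLY + make_fake_cert("Fake Root X1", "Fake Root X1")

if __name__ == "__main__":
    for label, bundle in (("intermediate only", INTERMEDIATE_ONLY), ("full chain", FULL_CHAIN)):
        print(label, check_chain(bundle))
```

The "problem" field names the issuer that is absent, which is the answer to "are you missing the X3 subca or the X1 root": a bundle holding only the intermediate reports the root as missing, while a bundle holding both reports a complete two-link chain. Note that this only checks structure (subject/issuer linkage); it does not verify signatures or expiry, which the client's TLS library does once the chain is present.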
@Rob, sorry for the duplicate mail, I forgot to reply to all.
No, there are X1 and X3. I have the whole chain in ca.crt.
Where do you think I can install this Let's Encrypt root on the client side, because on the server I already have it in the chain?
On IPA I installed it this way: https://blog.soholabs.org/lets-encrypt-and-the-freeipa-web-gui/
On May 20, 2019 at 3:28:50 PM, Rob Crittenden (rcritten@redhat.com) wrote:
The older ipa-client-install doesn't handle cert chains well. You can try to add the roots to the global trust before running the installer via:
$ sudo cp ca.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I just tried that:
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updates of cacerts keystore disabled.
done.
Looks like it updated something, but again the same error. In the above command I copied ca.crt from IPA, if that is what you mean. Thank you for your time.
On May 20, 2019 at 4:03:32 PM, Rob Crittenden (rcritten@redhat.com) wrote:
Petar Kozić via FreeIPA-users wrote:
@Rob, sorry for duplicate mail, I forget to do reply to all
No, there is X1 and X3. I have whole chain in ca.crt
Where you think that I can install this let’s encrypt root on client side, because on server I already have it in chain?
On IPA I installed on this way. https://blog.soholabs.org/lets-encrypt-and-the-freeipa-web-gui/
The older ipa-client-install don't handle cert chains well. You can try to add the roots to the global trust before running the installer via:
$ sudo cp ca.crt /usr/local/share/ca-certificates/ $ sudo update-ca-certificates
rob
On May 20, 2019 at 3:28:50 PM, Rob Crittenden (rcritten@redhat.com mailto:rcritten@redhat.com) wrote:
Petar Kozić via FreeIPA-users wrote:
Here are the log files. I just want to inform you that I now have that problem also on Ubuntu 14.04 and Debian 8. On Ubuntu the ipa client version is 3.3; maybe the problem is there.
In the meantime I enrolled several more Ubuntu 18.04 instances without a problem.
On this Debian 8 and Ubuntu 14.04 I just tried the --ca-cert-file option, with the file I copied from the master, but same error.
I have no visibility into what CA file you used, but you're missing either the X3 subca or the X1 root.
You can get them from https://letsencrypt.org/certificates/
Look at the ca.crt you used and see how many certificates are in there. I'm assuming there is only one. You can try concatenating the X1 and X3 certs into that and things should work.
rob
Petar Kozić wrote:
I just tried that:
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updates of cacerts keystore disabled.
done.
Looks like it updated something, but again the same error. In the above command I copied ca.crt from IPA, if that is what you meant. Thank you for your time.
That's about the extent of my Ubuntu knowledge.
It's hard to parse the output. Was that one file added or one certificate added? LE definitely has a chain.
You should be able to independently confirm that the trust is ok using something like curl:
$ curl https://ipa.example.com/ipa
If the connection fails then the right LE roots are not available on the system.
rob
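Rob's two suggestions, "see how many certificates are in there" and confirm the trust independently, can be checked on the bundle itself before anything is copied into /usr/local/share/ca-certificates/. The script below is an added example written for this note; it is not code from the thread or from FreeIPA. It walks the DER of each certificate in a PEM bundle, reads subject and issuer CN, and reports every issuer that no certificate in the bundle has as its subject, which is exactly the "issuer is not recognized" condition seen from the bundle's side. It does not verify signatures (use openssl verify for that). The sample certificates are constructed, unsigned dummies whose names follow the Let's Encrypt chain discussed here; the file-path argument is an assumption for running it against a real ca.crt.

```python
"""Check whether a PEM CA bundle (such as the ca.crt handed to --ca-cert-file)
forms a complete chain: every issuer named in it must itself be present,
ending in a self-signed root.  Pure stdlib; reads names only, no signature check."""
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_CN:
                return value[1].decode()
    return ""

def cert_names(der):
    """Return (subject CN, issuer CN) of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _common_name(fields[4][1]), _common_name(fields[2][1])

def check_bundle(pem):
    """Return (certificate count, issuer CNs missing from the bundle).

    A non-empty list is the bundle-side cause of SEC_ERROR_UNKNOWN_ISSUER:
    the next link of the chain is simply not in the file."""
    names = [cert_names(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem)]
    subjects = {subj for subj, _ in names}
    return len(names), [iss for subj, iss in names if iss != subj and iss not in subjects]

# --- constructed sample data: dummy, UNSIGNED certificates, for illustration only ---
def _der(tag, content):
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        ln = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + content

def _name(cn):
    """Encode a one-RDN Name holding only a UTF8String commonName."""
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def make_dummy_cert(subject_cn, issuer_cn):
    """PEM for a minimal unsigned certificate; only issuer and subject are meaningful."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))  # version v3
           + _der(0x02, b"\x01")  # serialNumber
           + _der(0x30, b"")  # signature algorithm (empty placeholder)
           + _name(issuer_cn)
           + _der(0x30, b"")  # validity (empty placeholder)
           + _name(subject_cn)
           + _der(0x30, b""))  # subjectPublicKeyInfo (empty placeholder)
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

# Names follow the Let's Encrypt chain discussed in the thread; the certs are dummies.
ROOT = make_dummy_cert("ISRG Root X1", "ISRG Root X1")  # self-signed
INTERMEDIATE = make_dummy_cert("Let's Encrypt Authority X3", "ISRG Root X1")
FULL_CHAIN = INTERMEDIATE + ROOT  # what ca.crt should contain

if __name__ == "__main__":
    # Assumed usage: python3 check_bundle.py /path/to/ca.crt (defaults to the one-cert case)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else INTERMEDIATE
    count, missing = check_bundle(data)
    print(f"{count} certificate(s); missing issuers: {missing or 'none'}")
```

If it reports a missing issuer, that is the certificate to append to ca.crt (from https://letsencrypt.org/certificates/) before re-running update-ca-certificates and the installer. One caveat on the curl check: SEC_ERROR_UNKNOWN_ISSUER is an NSS error code, while curl on Debian is normally built against OpenSSL or GnuTLS and reads /etc/ssl/certs, so a successful curl shows the OpenSSL trust store accepts the chain but does not by itself show that the NSS database the older client uses does.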
Thank you very much for everything. I tried curl, and curl over https:// works; I get an HTML response with the whole body:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<script type="text/javascript" src="../ui/js/libs/loader.js"></script>
<script type="text/javascript">
var dojoConfig = { baseUrl: "../ui/js", has: { 'dojo-firebug': false, 'dojo-debug-messages': true }, parseOnLoad: false, async: true, packages: [ ………… …..
<div class="container-fluid"> <div class="row"> <div class="col-sm-12"> <div id="unauthorized-msg"> <noscript>
<h1>Unable to verify your Kerberos credentials</h1> <p> Please make sure that you have valid Kerberos tickets (obtainable via <strong>kinit</strong>), and that you have configured your browser correctly. </p>
<h2>Browser configuration</h2>
<div id="first-time"> <p> If this is your first time, please <a href="ssbrowser.html">configure your browser</a>. …………..
……………
I have no idea. Looks like I will upgrade all these VPSes to Ubuntu 18.04, because there everything works.