Bug 1475711

Summary: Issues in Enrolling FreeIPA Client on Ubuntu 14.04 with IPA Server
Product: Red Hat Enterprise Linux 7
Reporter: alka <alkamuralimolu>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.3
CC: frenaud, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-31 08:05:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
client installation logs (flags: none)

Description alka 2017-07-27 08:14:09 UTC
Description of problem:

I cannot enrol and do the ipa-client-install on Ubuntu 14.04 to IPA Server (4.4). My IPA Server has third-party certificates for HTTP/LDAP. I have installed it using the suggestions in

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Other versions of Ubuntu, like 16.04, enrol fine.

Here is the error message that I get during the installation:

----
cert validation failed for "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Cannot connect to the server due to generic error: cannot connect to 'https://*.*.*.*/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
Installation failed. Rolling back changes.
certmonger failed to start: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
-----

Is it due to my third-party cert? If so, please provide a suggestion so that I can enrol my Ubuntu client to my IPA Server.

Comment 2 Petr Vobornik 2017-07-27 16:05:38 UTC
It would be better to ask on the freeipa-users.org list, especially if it is not RHEL-related.

But while at it:

Yes, most likely because of the 3rd party cert. Sharing full ipaclient-install.log would help to see what actions it did to try to fetch CA certs.

A few questions:
 - Have you installed the 3rd party CA cert on the server using `ipa-cacert-manage  install` ?
 - When installing the client was it unattended mode? If yes, try --force option.
 - If it was not unattended, did it ask you "Do you want to download the CA cert from .... (this is INSECURE)"? If yes, did you answer yes?

The last option is to provide all CA certs by specifying them in the option

--ca-cert-file=CA_FILE
              Do not attempt to acquire the IPA CA certificate via automated means, instead use the CA certificate found locally in CA_FILE.  The CA_FILE must be an absolute path to a PEM formatted certificate file. The CA certificate found in CA_FILE is considered authoritative and will be installed without checking to see if it's valid for the IPA domain.

The file needs to have both IPA CA cert and the external.

Comment 3 alka 2017-07-28 02:14:21 UTC
Created attachment 1305744 [details]
client installation logs

Comment 4 alka 2017-07-28 06:09:34 UTC
Thanks for the update.

>> Few questions:
 - Have you installed the 3rd party CA cert on the server using `ipa-cacert-manage  install` ?

Yes. I have installed the SSL cert using this command

>> - When installing the client was it unattended mode? If yes, try --force option.
No. I didn't go for unattended mode. 

>>- If it was not unattended, did it ask you "Do you want to download the CA cert from .... (this is INSECURE)"? If yes, did you answer yes?

No. It didn't ask for any confirmation about trust.

>> --ca-cert-file=CA_FILE

Do you mean I need to copy the /etc/ipa/ca.crt file on my IPA Server and use it as CA file for the client installation?

Comment 5 alka 2017-07-28 09:17:41 UTC
I tried copying the /etc/ipa/ca.crt to my Ubuntu client machine and included its path for ca-cert-file. However, the installation still failed with the same error.

Comment 6 Florence Blanc-Renaud 2017-07-31 08:01:08 UTC
Hi,

If you copy /etc/ipa/ca.crt from the server to the Ubuntu client into /etc/ipa/ca.crt, then run ipa-client-install without the --ca-cert-file option, the installer will reuse the existing /etc/ipa/ca.crt file and it should succeed.
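Added example, not code from this bug report or from FreeIPA: a POSIX sh preflight for the CA bundle that Comment 2 describes for --ca-cert-file (absolute path, PEM, both the IPA CA and the external CA present) and for a pre-placed /etc/ipa/ca.crt as in Comment 6. The function names and the PEM contents used for testing are constructed; only the file-format requirements come from the thread.

```shell
#!/bin/sh
# Preflight for the CA_FILE handed to ipa-client-install --ca-cert-file
# (or copied to /etc/ipa/ca.crt). Checks are assumptions drawn from the
# quoted man page text: absolute path, PEM file, IPA CA + external CA.

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_pem_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Concatenate the certificate blocks of the given files into $1, dropping
# exact duplicates. Refuses any input carrying a private key: a CA bundle
# shipped to every client must never contain key material.
build_ca_bundle() {
    out=$1; shift
    for f in "$@"; do
        if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
            echo "refusing $f: contains a private key" >&2
            return 1
        fi
    done
    # Keep only BEGIN..END blocks, blank-line separated, then dedupe per
    # block using awk paragraph mode (RS="").
    for f in "$@"; do
        awk '/^-----BEGIN CERTIFICATE-----/{p=1} p{print}
             /^-----END CERTIFICATE-----/{p=0; print ""}' "$f"
    done | awk 'BEGIN{RS=""; ORS="\n\n"} !seen[$0]++' > "$out"
}

# Validate a candidate CA_FILE: absolute path, readable, at least two
# certificates (IPA CA plus the external CA). Returns 0 when usable.
check_ca_file() {
    f=$1
    case $f in
        /*) ;;
        *) echo "CA_FILE must be an absolute path: $f" >&2; return 1 ;;
    esac
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    n=$(count_pem_certs "$f")
    if [ "$n" -lt 2 ]; then
        echo "$f holds $n certificate(s); need the IPA CA and the external CA" >&2
        return 1
    fi
    return 0
}
```

Run check_ca_file on the bundle before invoking ipa-client-install; a single-certificate file is the case that reproduces the SEC_ERROR_UNTRUSTED_ISSUER failure quoted in the description.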

Comment 7 Florence Blanc-Renaud 2017-07-31 08:05:10 UTC
Additional info: this issue happens because the client version is 3.3. See BZ 1457402.

*** This bug has been marked as a duplicate of bug 1457402 ***