Bug 1637717
| Summary: | RFE: Validation and better error messages when novajoin fails because of SSL errors | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Rob Crittenden <rcritten> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.6 | CC: | alee, cheimes, dpal, hrybacki, ndehadra, pkesavar, pvoborni, rcritten, ssidhaye, tscherf | |
| Target Milestone: | rc | Keywords: | FutureFeature | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.6.5-1.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 1636634 | |||
| : | 1637719 1658316 | Environment: | |
| Last Closed: | 2019-08-06 13:09:16 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1636634 | |||
| Bug Blocks: | 1637719, 1658316 | |||
Comment 3
Rob Crittenden
2018-10-10 14:55:57 UTC

Fixed upstream

ipa-4-6:
https://pagure.io/freeipa/c/7cf7a7451b5fd2f2fe08086e0a4695e1754398b6

Build used for Verification:

```
[root@qe-blade-09 ~]# rpm -qa ipa-*
ipa-client-common-4.6.5-9.el7.noarch
ipa-client-4.6.5-9.el7.x86_64
ipa-server-4.6.5-9.el7.x86_64
ipa-server-dns-4.6.5-9.el7.noarch
ipa-server-trust-ad-4.6.5-9.el7.x86_64
ipa-common-4.6.5-9.el7.noarch
ipa-server-common-4.6.5-9.el7.noarch
```

Steps:

firewalld inactive ca.crt present

```
[root@cloud-qe-17 ~]# ipa-join -s srv1.testrelm.test -b dc=testrelm,dc=test -w Secret123
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
Bind failed: Inappropriate authentication
```

firewalld inactive and valid ca.crt present but not correct (otherwise valid but not correct for the remote IPA CA )

```
[root@cloud-qe-17 ~]# ipa-join -s srv1.testrelm.test -b dc=testrelm,dc=test -w Secret123
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
Bind failed: Inappropriate authentication
```

firewalld inactive and ca.crt not present

```
[root@cloud-qe-17 ~]# ipa-join -s srv1.testrelm.test -b dc=testrelm,dc=test -w Secret123
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: WARN: extracted cert file is not present.
tlsmc_convert: WARN: extracted key file is not present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS: could not load verify locations (file:`/etc/ipa/ca.crt',dir:`/tmp/openldap-tlsmc-certs--F9DABC43A23B9CE22493AC9A927EF93465BDE8A163F7DC3983C922AFFA30A5C3/cacerts').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:175
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:182
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:258
Bind failed: Can't contact LDAP server
[root@cloud-qe-17 ~]#
```

firewalld active and ca.crt present but not the correct (otherwise valid but not correct for the remote IPA CA )

```
[root@cloud-qe-17 ~]# ipa-join -s srv1.testrelm.test -b dc=testrelm,dc=test -w Secret123
Bind failed: Can't contact LDAP server
[root@cloud-qe-17 ~]#
```

firewalld active and valid, correct ca.crt present

```
[root@cloud-qe-17 ~]# ipa-join -s srv1.testrelm.test -b dc=testrelm,dc=test -w Secret123
Bind failed: Can't contact LDAP server
[root@cloud-qe-17 ~]#
```

Based on above observations, marking the BZ verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
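The verification runs above end in three distinct outputs. The following Python function is an added example (not part of the bug report or of FreeIPA) that sorts captured `ipa-join` output into those cases using only the text printed; `triage` and the category names are hypothetical, and the sample strings are copied from the runs on this page with the TLSMC lines left out and the temporary directory name shortened.

```python
import re

# Messages matched here are the ones printed in the ipa-join runs on this page.
VERIFY_LOCATIONS = re.compile(r"TLS: could not load verify locations \(file:`([^']*)'")
BIND_FAILED = re.compile(r"^Bind failed: (.+?)\s*$", re.MULTILINE)

# Sample output copied from the verification runs (temp dir name shortened).
SAMPLES = {
    "ca_missing": """\
TLS: could not load verify locations (file:`/etc/ipa/ca.crt',dir:`/tmp/openldap-tlsmc-certs--EXAMPLE/cacerts').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:175
Bind failed: Can't contact LDAP server
""",
    "firewalld_active": "Bind failed: Can't contact LDAP server\n",
    "bind_rejected": "Bind failed: Inappropriate authentication\n",
}


def triage(output):
    """Return (category, detail) for captured ipa-join output.

    Category names are hypothetical labels chosen for this example.
    """
    ca = VERIFY_LOCATIONS.search(output)
    bind = BIND_FAILED.search(output)
    reason = bind.group(1) if bind else None

    # The TLS library names the CA file it could not load; report that path
    # instead of the generic bind error that follows it.
    if ca:
        if "No such file or directory" in output:
            return ("ca-file-missing", ca.group(1))
        return ("ca-file-unloadable", ca.group(1))
    # No TLS diagnostic at all: on this page that is the output seen with
    # firewalld active, so check reachability of the server first.
    if reason == "Can't contact LDAP server":
        return ("cannot-contact-server", reason)
    # The server answered the bind, so the connection itself was established.
    if reason == "Inappropriate authentication":
        return ("bind-rejected", reason)
    if reason:
        return ("bind-failed-other", reason)
    return ("no-bind-error", None)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", triage(text))
```
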