Bug 1475711 - Issues in Enrolling FreeIPA Client on Ubuntu 14.04 with IPA Server
Status: CLOSED DUPLICATE of bug 1457402
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: ipa-qe
Reported: 2017-07-27 04:14 EDT by alka
Modified: 2017-07-31 04:21 EDT
Last Closed: 2017-07-31 04:05:10 EDT
Type: Bug

Attachments:
client installation logs (35.04 KB, application/rtf), 2017-07-27 22:14 EDT, alka
Description alka 2017-07-27 04:14:09 EDT
Description of problem:

I cannot enrol Ubuntu 14.04 with ipa-client-install against my IPA Server (4.4). My IPA Server has third-party certificates for HTTP/LDAP. I installed them following the suggestions in

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Other versions of Ubuntu, like 16.04, enrol fine.

Here is the error message that I get during the installation

----
cert validation failed for "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
Cannot connect to the server due to generic error: cannot connect to 'https://*.*.*.*/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
Installation failed. Rolling back changes.
certmonger failed to start: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
-----

Is it due to my third-party cert? If so, please provide a suggestion so that I can enrol my Ubuntu client to my IPA Server.
Comment 2 Petr Vobornik 2017-07-27 12:05:38 EDT
It would be better to ask on the freeipa-users@lists.fedorahosted.org list, especially if it is not RHEL-related.

But while at it:

Yes, most likely because of the 3rd party cert. Sharing full ipaclient-install.log would help to see what actions it did to try to fetch CA certs.

Few questions:
 - Have you installed the 3rd party CA cert on the server using `ipa-cacert-manage install`?
 - When installing the client was it unattended mode? If yes, try --force option.
 - If it was not unattended, did it ask you "Do you want to download the CA cert from .... (this is INSECURE)"? If yes, did you answer yes?

The last thing is to provide all CA certs by specifying them in the option

--ca-cert-file=CA_FILE
              Do not attempt to acquire the IPA CA certificate via automated means, instead use the CA certificate found locally in CA_FILE. The CA_FILE must be an absolute path to a PEM formatted certificate file. The CA certificate found in CA_FILE is considered authoritative and will be installed without checking to see if it's valid for the IPA domain.

The file needs to have both IPA CA cert and the external.
Comment 3 alka 2017-07-27 22:14 EDT
Created attachment 1305744 [details]
client installation logs
Comment 4 alka 2017-07-28 02:09:34 EDT
Thanks for the update.

>> Few questions:
 - Have you installed the 3rd party CA cert on the server using `ipa-cacert-manage install`?

Yes. I installed the SSL cert using this command.

>> - When installing the client was it unattended mode? If yes, try --force option.
No. I didn't go for unattended mode. 

>>- If it was not unattended, did it ask you "Do you want to download the CA cert from .... (this is INSECURE)"? If yes, did you answer yes?

No. It didn't ask for any confirmation to trust it.


>> --ca-cert-file=CA_FILE

Do you mean I need to copy the /etc/ipa/ca.crt file on my IPA Server and use it as CA file for the client installation?
Comment 5 alka 2017-07-28 05:17:41 EDT
I tried copying /etc/ipa/ca.crt to my Ubuntu client machine and passed its path to --ca-cert-file. However, the installation still failed with the same error.
Comment 6 Florence Blanc-Renaud 2017-07-31 04:01:08 EDT
Hi,

If you copy /etc/ipa/ca.crt from the server to the Ubuntu client into /etc/ipa/ca.crt, then run ipa-client-install without the --ca-cert-file option, the installer will reuse the existing /etc/ipa/ca.crt file and it should succeed.
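As an added example, not part of this bug report and not FreeIPA's own code: a small POSIX shell helper that does what comment 2 and comment 6 describe, i.e. puts both the IPA CA and the external CA that signed the HTTP/LDAP certificates into one PEM bundle (to hand to --ca-cert-file, or to drop in as /etc/ipa/ca.crt on the client) and sanity-checks the result before ipa-client-install reads it. The file names, the hostname and the placeholder PEM bodies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): build and check the combined CA
# bundle that ipa-client-install --ca-cert-file expects when the IPA server
# fronts HTTP/LDAP with a third-party certificate.

# Count the PEM certificate blocks in a file. Returns non-zero when the
# BEGIN/END markers are unbalanced, which is what a truncated copy looks like.
# "|| true" keeps grep's exit status 1 for "no matches" from aborting callers
# that run under set -e; the count 0 is still printed.
count_pem_certs() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Concatenate the IPA CA and the external CA into one bundle and print how
# many certificates it holds. awk '1' rewrites each file so it ends with a
# newline; with plain cat, the END marker of one file and the BEGIN marker of
# the next can land on the same line and the bundle is silently short by one
# certificate.
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    for ca in "$@"; do
        if [ ! -r "$ca" ]; then
            echo "build_ca_bundle: cannot read $ca" >&2
            return 1
        fi
        awk '1' "$ca" >> "$out"
    done
    count_pem_certs "$out"
}

# Optional live check, not exercised offline: let OpenSSL validate the IPA
# server's HTTPS chain against the bundle before enrolling. A failure here
# surfaces the untrusted issuer with OpenSSL's verify error text instead of a
# rolled-back installation.
check_server_chain() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Offline demonstration with two constructed placeholder files. The PEM
# framing is real, the bodies are not certificates; that is enough to exercise
# the bundling and counting logic. The second file deliberately lacks a
# trailing newline, the case the awk rewrite exists for.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBIPACAPLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBEXTERNALCAPLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/external-ca.pem"
    build_ca_bundle "$dir/bundle.pem" "$dir/ca.crt" "$dir/external-ca.pem"
    rm -rf "$dir"
}
```

On the client, after copying the server's /etc/ipa/ca.crt and the external CA over, the sequence is `build_ca_bundle /root/ipa-ca-bundle.pem /root/server-ca.crt /root/external-ca.pem`, then `check_server_chain ipa.example.test /root/ipa-ca-bundle.pem && ipa-client-install --ca-cert-file=/root/ipa-ca-bundle.pem` (hostname and paths assumed). Writing the bundle to /etc/ipa/ca.crt instead and running ipa-client-install without the option is the variant comment 6 describes. If the OpenSSL check passes but the client still reports SEC_ERROR_UNTRUSTED_ISSUER, the trust material is not the problem, which is consistent with the old 3.3 client that comment 7 identifies as the actual cause.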
Comment 7 Florence Blanc-Renaud 2017-07-31 04:05:10 EDT
Additional info: this issue happens because the client version is 3.3. See BZ 1457402.

*** This bug has been marked as a duplicate of bug 1457402 ***
