[Freeipa-users] Error deleting IPA host: SSL peer cannot verify your certificate
Chris Herdt
2017-04-04 23:17:28 UTC
Although I had previously been using a self-signed certificate, I
recently started using a cert signed by InCommon CA on my FreeIPA
master (still on IPA 3.0.0 at this time).

I added the certificate and intermediate certificates to
/etc/ssl/certs and the certificate database in
/etc/dirsrc/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing
to the new certificate for NSSNickname.

I can log into the web UI, but when I attempt to delete a host I get
the following error:

Operations Error
Some entries were not deleted
Show details

Under "Show details":
cannot connect to
'https://freeipa.example.com:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

Likewise, if I attempt to delete a host using the CLI I get an error message:

# ipa host-del host-01.example.com
ipa: ERROR: cert validation failed for
"CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example
City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml

If I enable the verbose flag -vv, I see that it is making an HTTP POST
request to https://freeipa.example.com/ipa/xml.

It looks like Firefox on my local client trusts the certificate, but
that the server itself does not trust its own certificate when
connecting to itself. Can anyone advise on how I can address this
issue?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Florence Blanc-Renaud
2017-04-05 06:35:38 UTC
Post by Chris Herdt
Although I had previously been using a self-signed certificate, I
recently started using a cert signed by InCommon CA on my FreeIPA
master (still on IPA 3.0.0 at this time).
I added the certificate and intermediate certificates to
/etc/ssl/certs and the certificate database in
/etc/dirsrc/slapd-EXAMPLE-COM. /etc/httpd/conf.d/nss.conf is pointing
to the new certificate for NSSNickname.
I can log into the web UI, but when I attempt to delete a host I get
Operations Error
Some entries were not deleted
Show details
cannot connect to
(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
# ipa host-del host-01.example.com
ipa: ERROR: cert validation failed for
"CN=freeipa.example.com,OU=Example Unit,O=Example Org,L=Example
City,ST=MN,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers',
domain='ipa', localedir=None): https://freeipa.example.com/ipa/xml
If I enable the verbose flag -vv, I see that it is making an HTTP POST
request to https://freeipa.example.com/ipa/xml.
It looks like Firefox on my local client trusts the certificate, but
that the server itself does not trust its own certificate when
connecting to itself. Can anyone advise on how I can address this
issue?
Hi,

the certificate and intermediate certificates need to be added to all
the NSS databases used by FreeIPA. You can find instructions in the page
"Using 3rd part certificates for HTTP/LDAP > Procedure in IPA < 4.1" [1].

HTH,
Flo

[1]
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
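The reply above points at the FreeIPA procedure for loading a third-party CA chain into every NSS database the server uses. As an added example, not code from this thread or from the FreeIPA project, the POSIX shell script below wraps the two halves of that job: importing a CA certificate into an NSS database with the trust flags that let the server validate certificates issued by it, and parsing `certutil -L` output to confirm the CA is actually marked trusted for SSL (a CA imported with no trust arguments shows `,,` and is exactly the state that produces the SEC_ERROR_UNTRUSTED_ISSUER seen in the original report). The database paths `/etc/httpd/alias` and `/etc/dirsrv/slapd-EXAMPLE-COM`, the nickname `InCommon RSA Server CA`, the chain-file path, and the sample listing are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Assumptions: an IPA 3.x server keeps its NSS databases in
# /etc/httpd/alias (mod_nss) and /etc/dirsrv/slapd-EXAMPLE-COM (389-ds);
# the nickname and chain-file path below are placeholders.
NSS_DBS="/etc/httpd/alias /etc/dirsrv/slapd-EXAMPLE-COM"
CA_NICK="InCommon RSA Server CA"            # placeholder nickname
CA_FILE="/root/incommon-intermediate.pem"   # placeholder, one CA cert per file

# Import one CA certificate into one NSS database as a trusted SSL CA.
# "CT,C,C" marks it a valid CA for SSL server certs (C), trusted to issue
# client certs (T), and a CA for S/MIME and object signing. Call once per
# certificate in the chain (root and each intermediate), per database.
import_ca() {
    certutil -A -d "$1" -n "$2" -t "CT,C,C" -a -i "$3"
}

# Extract the trust attributes of a nickname from `certutil -L -d <db>` output.
# The listing has a two-line header; each following row reads
# "<nickname, may contain spaces>   <SSL,S/MIME,JAR/XPI flags>".
trust_flags() {
    printf '%s\n' "$1" | awk -v n="$2" '
        NR > 2 && NF >= 2 {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
            if ($0 == n) { print flags; exit }
        }'
}

# Succeeds when the nickname is present and its SSL field carries the
# "C" flag, i.e. the database accepts server certs issued by that CA.
# A CA imported with no trust args shows ",," and fails this check.
ca_trusted_for_ssl() {
    flags=$(trust_flags "$1" "$2")
    [ -n "$flags" ] || return 1
    case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of certutil -L output, used when certutil or the IPA
# databases are not available on this machine.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
InCommon RSA Server CA                                       ,,
Server-Cert                                                  u,u,u'

# Report, per database, whether the third-party CA is trusted for SSL and
# show the import call that would fix it otherwise.
check_db() {
    if ca_trusted_for_ssl "$1" "$CA_NICK"; then
        echo "$2: '$CA_NICK' trusted for SSL"
    else
        echo "$2: '$CA_NICK' missing or untrusted -> import_ca $2 \"$CA_NICK\" $CA_FILE"
    fi
}

if command -v certutil >/dev/null 2>&1; then
    for db in $NSS_DBS; do
        if [ -d "$db" ]; then
            check_db "$(certutil -L -d "$db")" "$db"
        fi
    done
else
    check_db "$SAMPLE_LISTING" "(sample listing)"
fi
```

Run it on the master after following the wiki procedure: every database listed in `NSS_DBS` should report the CA as trusted for SSL. The same `trust_flags` check applies to any other NSS database the `ipa` command-line client reads on that host, since the CLI error in the original post comes from the client side of the connection rather than from httpd.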