#6686 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) after adding externally signed CA cert
Closed: fixed 7 years ago Opened 7 years ago by pvoborni.

  1. install ipa-server as self-signed CA
  2. issue CA cert signed by
    a) dogtag CA
    b) AD CA
  3. use "Self-signed CA certificate → externally-signed CA certificate" method for both types (a and b) of CA cert.
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

  4. Run ipa-certupdate

  5. Attempt to install replica

It fails in step "[3/5]: Importing RA Key" with:

    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 97, in fetch_key
    params={'type': 'kem', 'value': request})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)

2017-01-26T16:49:04Z DEBUG The ipa-replica-install command failed, exception: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
2017-01-26T16:49:04Z ERROR [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

The workflow where the first IPA server is installed with --external-ca right away works for a CA cert issued by a DogTag CA. We need to retest and fix issuing with an AD CA - bug 1322963 or upstream #5799.
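The traceback above is a TLS trust failure rather than a Custodia key problem: the client in ipa-replica-install could not build a trusted chain for the master's certificate once the IPA CA had been re-signed by an external CA, and the fix recorded later in this ticket pins the verification to the IPA trust anchor. The block below is an added example, not FreeIPA code, that reproduces the shape of the failure on the loopback and shows that remedy. It constructs its own external root CA, an IPA CA signed by that root, and a server certificate issued by the IPA CA (all names are made up for the example), then runs the same server chain against a client that trusts only the system store and against one that trusts the IPA trust-anchor bundle. It needs the third-party `cryptography` package. The bundle called the IPA trust anchor is modelled as the IPA CA certificate followed by the external CA that signed it; that layout is an assumption made for the example, not something the ticket states.

```python
import datetime
import os
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM

def make_cert(common_name, issuer=None, is_ca=True, dns_name=None):
    """Issue a constructed certificate; issuer is a (cert, key) pair, None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        # BasicConstraints, KeyUsage, SKID and AKID are what OpenSSL's strict verifier expects
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=not is_ca, key_cert_sign=is_ca, crl_sign=is_ca,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            issuer_key.public_key()), critical=False))
    if dns_name:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256()), key

def build_pki(directory):
    """Write external root -> externally signed IPA CA -> server cert as PEM files; return paths."""
    external = make_cert("External Root CA (constructed)")
    ipa_ca = make_cert("IPA CA (constructed)", issuer=external)
    server_cert, server_key = make_cert("master.example.test (constructed)", issuer=ipa_ca,
                                        is_ca=False, dns_name="localhost")
    files = {
        # what the server sends: its own certificate plus the IPA CA as the intermediate
        "server_chain": server_cert.public_bytes(PEM) + ipa_ca[0].public_bytes(PEM),
        "server_key": server_key.private_bytes(PEM, serialization.PrivateFormat.PKCS8,
                                               serialization.NoEncryption()),
        # the trust-anchor bundle after re-chaining (assumed layout): IPA CA plus its signer
        "ipa_trust_anchor": ipa_ca[0].public_bytes(PEM) + external[0].public_bytes(PEM),
    }
    paths = {}
    for name, data in files.items():
        paths[name] = os.path.join(directory, name + ".pem")
        with open(paths[name], "wb") as f:
            f.write(data)
    return paths

def handshake_verified(server_chain_file, server_key_file, cafile):
    """One loopback TLS handshake; True if the client accepted the server's chain.
    cafile=None leaves the client on the system store, as the failing installer was."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_chain_file, server_key_file)
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        with listener.accept()[0] as conn:
            try:
                server_ctx.wrap_socket(conn, server_side=True).close()  # handshake happens here
            except OSError:
                pass  # the client rejected our chain and aborted the handshake

    thread = threading.Thread(target=serve)
    thread.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            client_ctx = ssl.create_default_context(cafile=cafile)
            client_ctx.wrap_socket(raw, server_hostname="localhost").close()  # verifies the chain
        return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        thread.join()
        listener.close()

def run_scenarios():
    """{scenario: verified?} for the system store versus the IPA trust anchor."""
    with tempfile.TemporaryDirectory() as tmp:
        p = build_pki(tmp)
        return {"system_store": handshake_verified(p["server_chain"], p["server_key"], None),
                "ipa_trust_anchor": handshake_verified(p["server_chain"], p["server_key"],
                                                       p["ipa_trust_anchor"])}
```

run_scenarios() returns {'system_store': False, 'ipa_trust_anchor': True}: the identical server chain is rejected or accepted purely on the basis of which trust anchor the client is handed, which is the whole difference between the failing installer and the fixed one. One caveat a practitioner should keep in mind: with OpenSSL's default verification flags the chain has to end at a self-signed certificate present in the trust file, which is why the bundle here carries the external root as well as the IPA CA; Python 3.13 turned on partial-chain verification by default, but the Python 2.7 stack in the traceback cannot rely on that.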


Metadata Update from @pvoborni:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5

master:
* 16dac02 added ssl verification using IPA trust anchor
ipa-4-4:
* f784e33 added ssl verification using IPA trust anchor

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None

Metadata Update from @pvoborni:
- Custom field affects_doc reset

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)