IPA 4.1 cert validation failed ... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)


I have a new ipa server ulldap01.ccci.org running ipa-server 4.1.0-18.el7_1.3 on RHEL 7.1 and an ipa client ulrhnsat01.ccci.org with the same levels. The client is also a new install of Satellite 6. I am trying to set up ulrhnsat01 as a real-capsule with 'foreman-prepare-realm admin realm-capsule'. This fails with the following message repeated many times:

ipa: ERROR: cert validation failed for "CN=ulldap01.ccci.org,O=CCCI.ORG" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

In attempting to debug the issue, I have run: 'ipa -vv -e debug=True user-show admin' on the server and client. The server runs correctly. The client gives a bunch of output followed by:

ipa: DEBUG: NSSConnection init ulldap01.ccci.org
ipa: DEBUG: Connecting: 10.10.11.2:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
----> certificate data <----
ipa: ERROR: cert validation failed for "CN=ulldap01.ccci.org,O=CCCI.ORG" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: DEBUG: Destroyed connection context.rpcclient
ipa: ERROR: cannot connect to 'https://ulldap01.ccci.org/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

[root@ulldap01 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CCCI.ORG IPA CA                                              CT,C,C
[root@ulldap01 ~]#

[root@ulrhnsat01 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA Machine Certificate - ulrhnsat01.ccci.org                u,u,u
IPA CA                                                       CT,C,C
[root@ulrhnsat01 ~]#

Where can I go from here?

Responses

Hello Tim,

IPA 4.1 uses /etc/ipa/nssdb instead of /etc/pki/nssdb. Try checking if the IPA CA certificate is in there.

If not, you can run the ipa-certupdate utility. That should fix the problem.
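
The check suggested in the reply above, as an added example that is not part of the original thread: it parses a `certutil -L` listing and reports which nicknames carry the `C` flag in the SSL trust column, which is what a client needs in order to accept the server's issuer. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample listings are constructed here.

# Print nicknames from a `certutil -L` listing (stdin) whose SSL trust field
# contains "C", i.e. a CA trusted to issue server certificates.
trusted_ssl_cas() {
    awk '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, flags, ",")
            if (flags[1] ~ /C/) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop trust column
                sub(/^[ \t]+/, "", nick)
                print nick
            }
        }'
}

# Constructed sample: CA present and trusted for SSL.
SAMPLE_TRUSTED='Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

IPA Machine Certificate - client.example.test  u,u,u
IPA CA                                         CT,C,C'

# Constructed sample: CA imported but carrying no trust flags.
SAMPLE_UNTRUSTED='IPA Machine Certificate - client.example.test  u,u,u
IPA CA                                         ,,'

# Report on a real database when certutil and the directory exist.
check_db() {
    db=$1
    if ! command -v certutil >/dev/null 2>&1 || [ ! -d "$db" ]; then
        echo "$db: skipped (certutil or database not present)"
        return 0
    fi
    cas=$(certutil -L -d "$db" 2>/dev/null | trusted_ssl_cas)
    if [ -n "$cas" ]; then
        echo "$db: CA trusted for SSL: $cas"
    else
        echo "$db: no CA trusted for SSL; the reply suggests ipa-certupdate"
    fi
}

check_db /etc/ipa/nssdb   # database the reply says IPA 4.1 uses
check_db /etc/pki/nssdb   # database listed in the question
```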
