How to add third party certificates for HTTP/LDAP on Red Hat Enterprise Linux 5 & 6 IPA clients

Solution Verified

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

When trying to enroll a Red Hat Enterprise Linux 5/6 IPA client with third party certificates, the install fails and you may get error messages that look like this:

* About to connect() to ipa-server.domain.net port 443 (#0)
* Trying 192.168.10.2...
* Connected to ipa-server.domain.net (192.168.10.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt CApath: none
* Certificate is signed by an untrusted issuer: 'CN=Intermediate Root CA,O=Domain,C=Name'
* NSS error -8172
* Expire cleared
* Closing connection #0
libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates

Resolution

  • Note
    For Red Hat Enterprise Linux 5 you will need to edit the krb5.conf file to allow weak crypto, by adding the following to its [libdefaults] section:

    # vim /etc/krb5.conf
    ---------------------
    allow_weak_crypto = true
    
  • Copy the /etc/ipa/ca.crt file from the server to /etc/ipa/ca.crt on the client.
    The file is a PEM bundle: besides the IPA CA certificate it contains the third-party intermediate and root CA certificates that the server's certificate chains to, each between its own -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  • After the file is copied, run the client enrollment again.
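The following check script is an added example and not part of the Red Hat article: after copying the server's /etc/ipa/ca.crt to the client, it counts the certificate blocks in the bundle, lists the chain, and verifies the IPA server's HTTPS certificate against that bundle only. It assumes openssl is installed; the CA_FILE default and the IPA_SERVER host name (taken from the error output above) are illustrative.

```sh
#!/bin/sh
# Added check script (not from the Red Hat article): confirm the copied
# /etc/ipa/ca.crt carries the whole third-party chain and that the IPA server's
# HTTPS certificate verifies against it before retrying the enrollment.
# Assumptions: openssl is installed; CA_FILE and IPA_SERVER defaults are illustrative.
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"
IPA_SERVER="${IPA_SERVER:-ipa-server.domain.net}"   # host name from the error output above

# Number of PEM certificate blocks in a bundle (0 if the file is empty or missing).
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# In the third-party CA setup this article describes, a usable ca.crt holds the
# IPA CA certificate plus the intermediate/root certificates, so a single block
# means the client still has only the lone cn=CAcert certificate.
chain_is_complete() {
    [ "$(count_pem_certs "$1")" -gt 1 ]
}

# Print subject and issuer of every certificate so the chain can be read off.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# TLS handshake to the IPA server using only the bundle as trust anchors;
# "Verify return code: 0 (ok)" is what a successful enrollment needs to see.
verify_server() {
    openssl s_client -connect "$2:443" -servername "$2" -CAfile "$1" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

ipa_ca_check() {
    if chain_is_complete "$CA_FILE"; then
        echo "$CA_FILE: $(count_pem_certs "$CA_FILE") certificates found"
    else
        echo "$CA_FILE: only $(count_pem_certs "$CA_FILE") certificate(s); copy the full bundle from the server" >&2
        return 1
    fi
    list_chain "$CA_FILE"
    verify_server "$CA_FILE" "$IPA_SERVER"
}

# Run the check only when explicitly requested: IPA_CA_CHECK_RUN=1 sh ipa_ca_check.sh
if [ "${IPA_CA_CHECK_RUN:-0}" = "1" ]; then
    ipa_ca_check
fi
```

Set IPA_CA_CHECK_RUN=1 (and CA_FILE / IPA_SERVER if they differ) to run the check on a client; a non-zero exit means the bundle still holds a single certificate.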

Root Cause

Red Hat Enterprise Linux 5/6 IPA clients use only the single certificate stored in cn=CAcert,cn=ipa,cn=etc,$suffix, so they receive just that self-signed certificate and not the third-party CA certificates the server's certificate chains to; the server certificate's issuer is therefore untrusted during enrollment.


Diagnostic Steps

  • Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
