I looked through the logs on the server and I see the below error in the Apache error log when I try to register a client:

[Mon Dec 08 12:20:38 2014] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate

I ran ipa-getcert list and everything seems OK (nothing expired) but I'm not sure where to troubleshoot from here.

On Fri, Dec 5, 2014 at 7:51 PM, Megan . <[email protected]> wrote:
> It failed again.
>
> [root@cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> [root@cache2-uat ~]#
>
> Not sure if it's related, but on the directory server in the Apache
> error.log I see the below every time a client tries to register:
>
> [Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
>
> On the directory server I ran ipa-getcert list and the certs seem OK.
>
> On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden <[email protected]> wrote:
>> Megan . wrote:
>>> Sorry for being unclear. It still fails. Same error.
>>
>> Hmm, strange. Try being explicit about sql:
>>
>> # certutil -L -d sql:/etc/pki/nssdb
>>
>> And if there is a CA cert there, delete it.
>>
>> rob
>>
>>> On Dec 5, 2014 4:39 PM, "Rob Crittenden" <[email protected]> wrote:
>>>
>>>     Megan . wrote:
>>>     > Thanks.
>>>     >
>>>     > I did have an issue last week where I tried to do the client install
>>>     > and it failed because of a firewall issue. Networks has it opened
>>>     > now. I deleted ca.crt before trying again. There doesn't seem to be
>>>     > a certificate in /etc/pki/nssdb for it.
>>>     >
>>>     > [root@data2-uat ipa]# certutil -L -d /etc/pki/nssdb
>>>     >
>>>     > Certificate Nickname                                         Trust Attributes
>>>     >                                                              SSL,S/MIME,JAR/XPI
>>>     >
>>>     > [root@data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>     >
>>>     > certutil: could not find certificate named "IPA CA":
>>>     > SEC_ERROR_BAD_DATABASE: security library: bad database.
>>>     >
>>>     > [root@data2-uat ipa]# ls
>>>     >
>>>     > [root@data2-uat ipa]# pwd
>>>     >
>>>     > /etc/ipa
>>>     >
>>>     > [root@data2-uat ipa]# ls -al
>>>     >
>>>     > total 16
>>>     > drwxr-xr-x.  2 root root  4096 Dec  5 21:16 .
>>>     > drwxr-xr-x. 82 root root 12288 Dec  5 21:16 ..
>>>     >
>>>     > [root@data2-uat ipa]#
>>>
>>>     So trying to install the client again fails or succeeds now?
>>>
>>>     rob
>>>
>>>     > On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden <[email protected]> wrote:
>>>     >> Rob Crittenden wrote:
>>>     >>> Megan . wrote:
>>>     >>>> Good Day!
>>>     >>>>
>>>     >>>> I am getting an error when I register new clients.
>>>     >>>>
>>>     >>>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>>>     >>>>
>>>     >>>> I can't find anything useful on the internet about the error. Can
>>>     >>>> someone help me troubleshoot?
>>>     >>>>
>>>     >>>> CentOS 6.6 x64
>>>     >>>> ipa-client-3.0.0-42.el6.centos.x86_64
>>>     >>>> ipa-server-3.0.0-42.el6.centos.x86_64
>>>     >>>> curl-7.19.7-40.el6_6.1.x86_64
>>>     >>>
>>>     >>> Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that we've done
>>>     >>> any testing on the client with this set.
>>>     >>
>>>     >> Never mind, that's not it. The problem is:
>>>     >>
>>>     >> * NSS error -8054
>>>     >>
>>>     >> Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
>>>     >>
>>>     >> So I'd do this:
>>>     >>
>>>     >> # rm /etc/ipa/ca.crt
>>>     >>
>>>     >> You may also want to ensure that the IPA CA certificate isn't in
>>>     >> /etc/pki/nssdb:
>>>     >>
>>>     >> # certutil -L -d /etc/pki/nssdb
>>>     >>
>>>     >> And then perhaps
>>>     >>
>>>     >> # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
>>>     >>
>>>     >> rob
>>>     >>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
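As an added check that is not part of this thread (not the FreeIPA project's own tooling): a small shell script that compares two PEM certificates by issuer, serial and SHA-256 fingerprint, so that a stale copy of the CA (same issuer and serial, different key; the condition behind NSS error -8054) can be told apart from a plain duplicate before resorting to `rm /etc/ipa/ca.crt`. It assumes `openssl` is installed; the export helper assumes `certutil` and the `IPA CA` nickname seen in the thread.

```shell
#!/bin/sh
# Added example. NSS reports SEC_ERROR_REUSED_ISSUER_AND_SERIAL (-8054) when a
# certificate with the same issuer+serial as a cached one, but different
# content, is presented. This script classifies two PEM files accordingly.
# Assumes openssl is on PATH.

cert_field() {            # cert_field <pem-file> <openssl x509 options...>
    f=$1; shift
    # Empty output on an unreadable file; never fails so it is safe under set -e
    openssl x509 -in "$f" -noout "$@" 2>/dev/null || true
}

# Prints one of: identical | distinct | reused-issuer-serial | unreadable
# Returns 1 only when a file could not be parsed as a certificate.
cert_reuse_check() {      # cert_reuse_check <cert-a.pem> <cert-b.pem>
    a_id=$(cert_field "$1" -issuer -serial)
    b_id=$(cert_field "$2" -issuer -serial)
    a_fp=$(cert_field "$1" -sha256 -fingerprint)
    b_fp=$(cert_field "$2" -sha256 -fingerprint)
    if [ -z "$a_fp" ] || [ -z "$b_fp" ]; then
        echo "unreadable"; return 1
    fi
    if [ "$a_fp" = "$b_fp" ]; then
        echo "identical"                # same certificate, nothing to clean up
    elif [ "$a_id" = "$b_id" ]; then
        echo "reused-issuer-serial"     # the -8054 situation: stale copy
    else
        echo "distinct"                 # unrelated certificates
    fi
}

# Export a nickname from an NSS database as PEM so it can be compared with
# /etc/ipa/ca.crt. Assumes certutil; default nickname 'IPA CA' from the thread.
nssdb_export_ca() {       # nssdb_export_ca <nssdb-dir> <out.pem> [nickname]
    certutil -L -d "sql:$1" -n "${3:-IPA CA}" -a > "$2"
}

# Stand-alone usage: cert_reuse_check.sh /etc/ipa/ca.crt exported-ipa-ca.pem
if [ "$#" -eq 2 ]; then
    cert_reuse_check "$1" "$2"
fi
```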
