| Error 60 in Landscape: a failing certificate chain | ||
|---|---|---|
 | Part I. Miscellaneous subjects (and those still to be sorted) |  |
| Error 60 in Landscape: a failing certificate chain | ||
|---|---|---|
| | Part I. Miscellaneous subjects (and those still to be sorted) | |
Table of Contents
We have a Landscape server to keep our Ubuntu PC's wellbehaved. When they boot for the first time, they are supposed to apply for a Landscape membership with:
landscape-config --import=https://landscapehost.rug.nl/config/bootstrap.conf -t $(hostname -f) --script-users=me,you,everybody --silent --registration-password=verysecretofcourse
But this fails with:
Fetching configuration from https://landscapehost.rug.nl/config/bootstrap.conf...
Couldn't download configuration from https://landscapehost.rug.nl/config/bootstrap.conf: Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Now, when we fetch the bootstrap.conf with a browser, it doesn't complain.
Wget complains about the certificate on some machines, but not on all, most notably not on the client we are trying to connect to Landscape.
But ssl reports a self-signed certificate in the chain:
openssl s_client -host landscapehost.rug.nl -port 443
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=NL/O=Rijksuniversiteit Groningen/OU=CITNWD/CN=landscapehost.rug.nl
i:/C=NL/O=TERENA/CN=TERENA SSL CA
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=NL/O=TERENA/CN=TERENA SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
<snip>
The issuer of this certificate is the same as the signee. We'd expect that only at the top of the chain. |
| |  | |
| Making Red Hat's SPICE work on Ubuntu Karmic |  | The solution |