Bug 1475711
Summary: | Issues in Enrolling FreeIPA Client on Ubuntu 14.04 with IPA Server | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | alka <alkamuralimolu> | ||||
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||
Status: | CLOSED DUPLICATE | QA Contact: | ipa-qe <ipa-qe> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 7.3 | CC: | frenaud, pvoborni, rcritten, tscherf | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-07-31 08:05:10 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
alka
2017-07-27 08:14:09 UTC
It would be better to ask on freeipa-users.org list especially if it is not RHEL related. But while at it: Yes, most likely because of the 3rd party cert. Sharing full ipaclient-install.log would help to see what actions it did to try to fetch CA certs. Few questions: - Have you installed the 3rd party CA cert on the server using `ipa-cacert-manage install` ? - When installing the client was it unattended mode? If yes, try --force option. - If it was not unattended, did it ask you "Do you want to download the CA cert from .... (this is INSECURE)"? If yes, did you answer yes? last thing is to provide all CA certs by specifying them in option --ca-cert-file=CA_FILE Do not attempt to acquire the IPA CA certificate via automated means, instead use the CA certificate found locally in in CA_FILE. The CA_FILE must be an absolute path to a PEM formatted certificate file. The CA certificate found in CA_FILE is considered authoritative and will be installed without checking to see if it's valid for the IPA domain. The file needs to have both IPA CA cert and the external. Created attachment 1305744 [details]
client installation logs
Thanks for the update. >> Few questions: - Have you installed the 3rd party CA cert on the server using `ipa-cacert-manage install` ? Yes. I have installed the SSL cert using this command >> - When installing the client was it unattended mode? If yes, try --force option. No. I didn't go for unattended mode. >>- If it was not unattended, did it ask you "Do you want to download the CA cert from .... (this is INSECURE)"? If yes, did you answer yes? No. It didn't ask for any confirmation to trust for. >> --ca-cert-file=CA_FILE Do you mean I need to copy the /etc/ipa/ca.crt file on my IPA Server and use it as CA file for the client installation? I tried copying the /etc/ipa/ca.crt to my Ubuntu Client machine and included its path for ca-cert-file. However still the installation failed, giving out the same error. Hi, if you copy /etc/ipa/ca.crt from the server to the Ubuntu client into /etc/ipa/ca.crt, then run ipa-client-install without the ca-cert-file option, the installer will reuse the existing /etc/ipa/ca.crt file and it should succeed. Additional info" this issue happens because the client version is 3.3. See BZ 1457402. *** This bug has been marked as a duplicate of bug 1457402 *** |