Here are the log files. I just want to inform you that I have that problem
now also on Ubuntu 14.40 and Debian 8.
On Ubuntu the ipa client version is 3.3, maybe the problem is there.
In the meantime I enrolled several more Ubuntu 18.04 instances without
problem.
On this Debian 8 and Ubuntu 14.40 I just tried with the option --ca-cert-file
which I copied from master but same error.
Thank you
Petar
2019-05-20T11:13:47Z DEBUG [IPA Discovery]
2019-05-20T11:13:47Z DEBUG Starting IPA discovery with
domain=example.com,
servers=['myipaserver.example.com'],
hostname=myclient.example.net
2019-05-20T11:13:47Z DEBUG Server and domain forced
2019-05-20T11:13:47Z DEBUG [Kerberos realm search]
2019-05-20T11:13:47Z DEBUG Search DNS for TXT record of _
kerberos.example.com
2019-05-20T11:13:47Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:47Z DEBUG [LDAP server check]
2019-05-20T11:13:47Z DEBUG Verifying that
myipaserver.example.com (realm
None) is an IPA server
2019-05-20T11:13:47Z DEBUG Init LDAP connection to:
myipaserver.example.com
2019-05-20T11:13:48Z DEBUG Search LDAP server for IPA base DN
2019-05-20T11:13:49Z DEBUG Check if naming context 'dc=example,dc=com' is
for IPA
2019-05-20T11:13:49Z DEBUG Naming context 'dc=example,dc=com' is a valid
IPA context
2019-05-20T11:13:49Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=example,dc=com (sub)
2019-05-20T11:13:49Z DEBUG Found:
cn=example.com
,cn=kerberos,dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Discovery result: Success; server=
myipaserver.example.com,
domain=example.com, kdc=None,
basedn=dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Validated servers:
myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered domain:
example.com
2019-05-20T11:13:49Z DEBUG Using servers from command line, disabling DNS
discovery
2019-05-20T11:13:49Z DEBUG will use provided server:
myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered realm:
example.com
2019-05-20T11:13:49Z DEBUG will use discovered basedn: dc=example,dc=com
2019-05-20T11:13:49Z INFO Hostname:
myclient.example.net
2019-05-20T11:13:49Z DEBUG Hostname source: Provided as option
2019-05-20T11:13:49Z INFO Realm:
example.com
2019-05-20T11:13:49Z DEBUG Realm source: Discovered from LDAP DNS records
in
myipaserver.example.com
2019-05-20T11:13:49Z INFO DNS Domain:
example.com
2019-05-20T11:13:49Z DEBUG DNS Domain source: Forced
2019-05-20T11:13:49Z INFO IPA Server:
myipaserver.example.com
2019-05-20T11:13:49Z DEBUG IPA Server source: Provided as option
2019-05-20T11:13:49Z INFO BaseDN: dc=example,dc=com
2019-05-20T11:13:49Z DEBUG BaseDN source: From IPA server ldap://
myipaserver.example.com:389
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab
-r
example.com
2019-05-20T11:13:49Z DEBUG Process finished, return code=5
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=realm not found
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/bin/hostname
myclient.example.net
2019-05-20T11:13:49Z DEBUG Process finished, return code=0
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=
2019-05-20T11:13:49Z DEBUG Backing up system configuration file
'/etc/hostname'
2019-05-20T11:13:49Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:49Z DEBUG Saving StateFile to
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-20T11:13:49Z INFO Synchronizing time with KDC...
2019-05-20T11:13:49Z DEBUG Search DNS for SRV record of _ntp._
udp.example.com
2019-05-20T11:13:50Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v
myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v
myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v
myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z WARNING Unable to sync time with IPA NTP server,
assuming the time is in sync. Please check that 123 UDP port is opened.
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:50Z DEBUG Process finished, return code=2
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=Unknown command
2019-05-20T11:13:50Z DEBUG Writing Kerberos configuration to /tmp/tmpJH6hjP:
2019-05-20T11:13:50Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm =
example.com
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.com = {
kdc = myipaserver.example.com:88
master_kdc = myipaserver.example.com:88
admin_server = myipaserver.example.com:749
default_domain =
example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com =
example.com
example.com =
example.com
.clientexample.com =
example.com
clientexample.com =
example.com
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=kinit admin(a)example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=0
2019-05-20T11:13:50Z DEBUG stdout=Password for admin(a)example.com:
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG trying to retrieve CA cert from file /tmp/ca.crt
2019-05-20T11:13:50Z DEBUG CA cert provided by user, use it!
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ipa-join -s
myipaserver.example.com -b dc=example,dc=com -h
myclient.example.net -f
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=Keytab successfully retrieved and stored
in: /etc/krb5.keytab
Certificate subject base is:
O=example.com
2019-05-20T11:13:54Z INFO Enrolled in IPA realm
example.com
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=kdestroy
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/
myclient.example.net(a)example.com
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2019-05-20T11:13:54Z DEBUG -> Not backing up - '/etc/ipa/default.conf'
doesn't exist
2019-05-20T11:13:54Z INFO Created /etc/ipa/default.conf
2019-05-20T11:13:54Z DEBUG importing all plugin modules in
'/usr/lib/python2.7/dist-packages/ipalib/plugins'...
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=klist -V
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=Kerberos 5 version 1.12
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'
2019-05-20T11:13:54Z DEBUG importing plugin module
'/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'
2019-05-20T11:13:55Z DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2019-05-20T11:13:55Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf'
doesn't exist
2019-05-20T11:13:55Z INFO New SSSD config will be created
2019-05-20T11:13:55Z INFO Configured /etc/sssd/sssd.conf
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=/usr/bin/certutil -A -d sql:/etc/pki/nssdb
-n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2019-05-20T11:13:55Z DEBUG Process finished, return code=0
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=
2019-05-20T11:13:55Z DEBUG Backing up system configuration file
'/etc/krb5.conf'
2019-05-20T11:13:55Z DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:55Z DEBUG Process finished, return code=2
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=Unknown command
2019-05-20T11:13:55Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2019-05-20T11:13:55Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm =
example.com
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.com = {
kdc = myipaserver.example.com:88
master_kdc = myipaserver.example.com:88
admin_server = myipaserver.example.com:749
default_domain =
example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com =
example.com
example.com =
example.com
.clientexample.com =
example.com
clientexample.com =
example.com
2019-05-20T11:13:55Z INFO Configured /etc/krb5.conf for IPA realm
example.com
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/myclient.example.net@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user
ipa_session_cookie:host/myclient.example.net@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG failed to find session_cookie in persistent
storage for principal 'host/myclient.example.net(a)example.com'
2019-05-20T11:13:56Z DEBUG trying
https://myipaserver.example.com/ipa/xml
2019-05-20T11:13:56Z DEBUG Created connection context.xmlclient
2019-05-20T11:13:56Z DEBUG Try RPC connection
2019-05-20T11:13:56Z DEBUG Forwarding 'ping' to server '
https://myipaserver.example.com/ipa/xml'
2019-05-20T11:13:56Z DEBUG NSSConnection init
myipaserver.example.com
2019-05-20T11:13:56Z DEBUG Connecting: 94.130.154.230:0
2019-05-20T11:13:56Z DEBUG auth_certificate_callback: check_sig=True
is_server=False
Data:
Version: 3 (0x2)
Serial Number: 337206521890680437858189420391339302183775
(0x3def5fdcb91c7146fc7d3cb8c096bd5e35f)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Validity:
Not Before: Fri Apr 05 07:19:18 2019 UTC
Not After : Thu Jul 04 07:19:18 2019 UTC
Subject:
CN=myipaserver.example.com
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions: (9)
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Key Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Basic Constraints
Critical: True
Is CA: False
Path Length: 0
Name: Certificate Subject Key ID
Critical: False
Data:
cb:c7:a1:bc:07:0a:ba:f9:d6:55:85:ea:e4:13:3a:e6:
6d:1c:64:93
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:
f3:a8:ec:a1
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Name: Certificate Subject Alt Name
Critical: False
Names:
myipaserver.example.com
Name: Certificate Policies
Critical: False
Name: OID.1.3.6.1.4.1.11129.2.4.2
Critical: False
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
Fingerprint (MD5):
a4:df:06:9a:a3:e1:61:93:40:cc:8e:ea:6d:2
Fingerprint (SHA1):
23:88:55:80:b7:6f:0f:d0:86:c0:4f:c3:c8:92:67:c3:
2019-05-20T11:13:56Z ERROR cert validation failed for "CN=
myipaserver.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate
issuer is not recognized.)
2019-05-20T11:13:56Z ERROR Cannot connect to the server due to generic
error: cannot connect to 'https://myipaserver.example.com/ipa/xml': [Errno
-8179] (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not
recognized.
2019-05-20T11:13:56Z ERROR Installation failed. Rolling back changes.
2019-05-20T11:13:56Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-05-20T11:13:56Z DEBUG Starting external process
2019-05-20T11:13:56Z DEBUG args=ipa-client-automount --uninstall --debug
2019-05-20T11:13:58Z DEBUG Process finished, return code=0
2019-05-20T11:13:58Z DEBUG stdout=Restoring configuration
On May 17, 2019 at 4:40:47 PM, Rob Crittenden (rcritten(a)redhat.com) wrote:
Petar Kozić via FreeIPA-users wrote:
> Petar Kozić via FreeIPA-users wrote:
> > Hi folks,
> > one question.
> > These days I am joining my machines to IPA. Almost all machines have Ubuntu
> > 18.04. I joined about 10 machines in the last two days. Today I tried to
> > join Debian 8 jessie but I have a problem.
> >
> > I join all machines with the same command:
> >
> > ipa-client-install -U --domain=example.com --hostname=clientexample.com
> > --server=ipa.example.com --realm=EXAMPLE.com
> > --password=XXXxxxXXX --principal=admin --mkhomedir
> >
> > On the Debian machine I got this error in the process of joining:
> >
> > Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
> > cert validation failed for "CN=ipa.example.com"
> > ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
> > Cannot connect to the server due to generic error: cannot connect to
> > 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
> > Certificate issuer is not recognized.
> > Installation failed. Rolling back changes.
> >
> > Some help?
>
> We need more information on your CA chain configuration and what
> versions of IPA you're using.
>
> For example, is your CA a typical IPA self-signed CA or did you sign it
> with another CA?
>
> rob
IPA version:
FreeIPA 4.7
The CA isn't self-signed. I generated a Let's Encrypt SSL and made a chain CA
which is imported in IPA.
On all Ubuntu 18.04 it works perfectly, but this Debian 8 jessie doesn't support
freeipa-client natively from the repo and maybe that is also a problem. I found
some repo for the freeipa client
deb http://apt.numeezy.fr jessie main
deb-src http://apt.numeezy.fr jessie main
and I installed from there.
Assuming it picks the latest it means you have 4.6.4.
You might try installing the Let's Encrypt root CAs onto your client
prior to running ipa-client-install.
Otherwise I think we'd need to see /var/log/ipaclient-install.log to see
the CA chain being retrieved. Sounds like it is incomplete but unclear why.
rob
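
One way to triage an ipaclient-install.log like the one in this message, as an added example that is not part of the original thread or of FreeIPA: it rejoins the mail-wrapped lines, lists helper commands that exited non-zero, and pulls out the issuer from the certificate dump alongside the ERROR records. The sample log is constructed from lines shaped like those above; `records` and `triage` are hypothetical names.

```python
import re

# Constructed sample, shaped like the wrapped log lines in the message above.
SAMPLE_LOG = """\
2019-05-20T11:13:49Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab
-r
example.com
2019-05-20T11:13:49Z DEBUG Process finished, return code=5
2019-05-20T11:13:49Z DEBUG stderr=realm not found
2019-05-20T11:13:56Z DEBUG auth_certificate_callback: check_sig=True
is_server=False
Data:
Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Subject:
CN=myipaserver.example.com
2019-05-20T11:13:56Z ERROR cert validation failed for "CN=
myipaserver.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate
issuer is not recognized.)
2019-05-20T11:13:56Z ERROR Installation failed. Rolling back changes.
"""

RECORD = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR) ?(.*)$")


def records(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous record."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append({"ts": m.group(1), "level": m.group(2), "body": [m.group(3)]})
        elif out:
            out[-1]["body"].append(line.strip())
    return out


def triage(text):
    """Return non-zero helper commands, the peer certificate issuer, and ERROR messages."""
    report = {"failed_commands": [], "issuer": None, "errors": []}
    last_args = None
    for rec in records(text):
        first, joined = rec["body"][0], " ".join(rec["body"])
        if first.startswith("args="):
            last_args = joined[len("args="):]
        elif first.startswith("Process finished, return code="):
            rc = int(first.rsplit("=", 1)[1])
            if rc != 0:
                report["failed_commands"].append((last_args, rc))
        elif first.startswith("auth_certificate_callback"):
            # The certificate dump follows as continuation lines of this record.
            for cont in rec["body"][1:]:
                if cont.startswith("Issuer:"):
                    report["issuer"] = cont[len("Issuer:"):].strip()
        if rec["level"] == "ERROR":
            report["errors"].append(joined)
    return report
```

The non-zero exits it lists (such as `ipa-rmkeytab`) did not stop the installer; the ERROR records together with the extracted issuer show which CA the client's trust store has to contain.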