Hi Charles,
On 11/16/17 7:59 PM, Charles Hedrick via FreeIPA-users wrote:
I’ve seen the same thing. Or at least I think it seems like it’s related.
We have three servers, all on Centos. The initial one was installed under 7.3, using defaults. That caused it to generate a self-signed CA. We later added a commercial cert for HTTP and LDAP. When we upgraded to 7.4, it generated a self-signed cert to handle anonymous KINIT.
We had no trouble with ipa-client-install under 7.3, but the first time I tried it after the 7.4 upgrade, ipa-client-install said it was getting a cert from the server, displayed a self-signed cert, and then failed with a cert error. My conjecture is that it was trying to make an HTTP or LDAP connection using the self-signed cert rather than the commercial cert.
The workaround is to generate a file containing the CA path for the commercial cert, and pass it to ipa-client-install:
ipa-client-install --ca-cert-file=/home/hedrick/certs --no-sudo -w password
Unfortunately this option doesn't exist for freeipa 3.0.2 :-(.
Anyway, I highly appreciate your response.
Regards Harri
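The failure Charles describes is a trust mismatch: the client is handed one CA (the self-signed IPA CA) while the HTTP/LDAP endpoint presents a certificate issued by a different CA (the commercial one). The following script is an added example, not code from the thread or from the FreeIPA project; it reproduces that mismatch offline with two constructed CAs and a constructed server certificate, and shows the check a practitioner would run before choosing the file to hand to `--ca-cert-file`. It assumes only that the `openssl` command-line tool is installed; the CA names `ipa-ca` and `commercial-ca` and the hostname `ipa.example.test` are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): demonstrate why a client
# enrolled with the wrong CA file rejects the server's HTTP/LDAP certificate.
# Assumes the openssl CLI is available. All keys and certs are generated in a
# temporary directory and thrown away on exit.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (key + cert) named NAME in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA CN: issue a leaf certificate for CN signed by the CA named CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chain_trusted CAFILE LEAF: return 0 if LEAF verifies against CAFILE, else 1.
# This is the same decision a TLS client makes when given CAFILE as its trust
# anchor, so it predicts whether ipa-client-install --ca-cert-file=CAFILE will
# accept the certificate the server actually presents.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: build the scenario from the thread and return 0 only if the outcome
# matches it (wrong CA file rejected, correct CA file accepted).
demo() {
  make_ca ipa-ca            # the self-signed CA FreeIPA generated at install
  make_ca commercial-ca     # the commercial CA that later signed HTTP/LDAP certs
  issue_cert commercial-ca ipa.example.test   # what the server presents

  if chain_trusted "$WORK/ipa-ca.crt" "$WORK/ipa.example.test.crt"; then
    echo "unexpected: IPA CA file trusted the commercial server cert"
    return 1
  fi
  echo "IPA CA file rejects the server cert (this is the enrollment failure)"

  if ! chain_trusted "$WORK/commercial-ca.crt" "$WORK/ipa.example.test.crt"; then
    echo "unexpected: commercial CA file did not verify the server cert"
    return 1
  fi
  echo "commercial CA file verifies the server cert (use this with --ca-cert-file)"
  return 0
}

demo
```

On a live server, the leaf certificate to test is the one the HTTPS or LDAPS endpoint actually serves; `openssl s_client -connect server:443 -showcerts` prints it, and running `chain_trusted` against each candidate CA file tells you which one the client needs before you attempt enrollment.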