It's Amazon Linux 2.
I also suspect it's because FreeIPA is not authoritative for the zone, which will throw
things off. Mgmt would like to use the .com zone but have R53 manage it.
On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
[ec2-user@freeipa01 ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180302161736':
status: CA_UNREACHABLE
ca-error: Error 58 connecting to
https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview:
Problem with the local SSL certificate.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
[ec2-user@freeipa01 ~]$
What distro are you running? Is curl linked with NSS or OpenSSL?
rob
On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
> While building a new freeipa server in AWS I got this error:
> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
> /var/log/ipaserver-install.log for more information
>
> I did some research and found this is possibly related to version 4.5.0?
Probably not. Run `getcert list` to hopefully get more context to the error.
> I have a host entry in /etc/hosts but that didn't seem to fix the
> problem. Is there something else I'm missing?
>
> Do you know when 4.6.x will be released to epel/amazon?
The usual cause for version lag in RHEL is missing dependencies. Many
important changes are backported so in RHEL you can never really rely on
the version.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
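A small triage script for the situation in this thread, added here as an example (it is not from the thread or from the FreeIPA project): it parses `getcert list` output into per-request fields, flags any request whose status is not MONITORING or that carries a `ca-error`, and decodes the curl error number embedded in that message (curl's error 58 is CURLE_SSL_CERTPROBLEM, which means the client certificate could not be loaded or used, here the RA agent cert in `/var/lib/ipa/ra-agent.pem`). The sample listing is constructed to mirror the quoted output, with a placeholder hostname; the second, healthy request is invented for contrast.

```python
import re

# Constructed sample modelled on the `getcert list` output quoted above.
# Hostname and the second (healthy) request are invented for illustration.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20180302161736':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://freeipa01.example.test:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20180302161800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=freeipa01.example.test,O=EXAMPLE.TEST
    expires: 2020-03-02 16:18:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Matches the "Error NN connecting to <url>:" prefix certmonger reports
# when its curl call to the CA fails.
CURL_ERROR_RE = re.compile(r"\bError (\d+) connecting to (\S+):")

# Only the statuses we consider healthy for a tracked certificate.
HEALTHY_STATUSES = {"MONITORING"}

# Meaning of the curl error codes most often seen in certmonger ca-error
# lines; the names are curl's own CURLE_* constants.
CURL_ERROR_HINTS = {
    7: "CURLE_COULDNT_CONNECT: CA HTTP(S) port not reachable",
    35: "CURLE_SSL_CONNECT_ERROR: TLS handshake with the CA failed",
    58: "CURLE_SSL_CERTPROBLEM: local client certificate could not be loaded/used",
    60: "CURLE_PEER_FAILED_VERIFICATION: CA server certificate not trusted",
}


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for each 'Request ID' block."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        if current is None or ":" not in line:
            continue  # header line or stray text outside a request block
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def triage(requests):
    """Return a list of findings for requests that are not healthy."""
    findings = []
    for req_id, fields in requests.items():
        status = fields.get("status", "UNKNOWN")
        ca_error = fields.get("ca-error")
        if status in HEALTHY_STATUSES and not ca_error:
            continue
        finding = {
            "request_id": req_id,
            "status": status,
            "ca": fields.get("CA"),
            "stuck": fields.get("stuck") == "yes",
            "certificate": fields.get("certificate"),
            "curl_error": None,
            "url": None,
            "hint": None,
        }
        if ca_error:
            m = CURL_ERROR_RE.search(ca_error)
            if m:
                code = int(m.group(1))
                finding["curl_error"] = code
                finding["url"] = m.group(2)
                finding["hint"] = CURL_ERROR_HINTS.get(code, "unmapped curl error")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(parse_getcert_list(SAMPLE)):
        print(f"{f['request_id']}: status={f['status']} ca={f['ca']} stuck={f['stuck']}")
        if f["curl_error"] is not None:
            print(f"  curl error {f['curl_error']} talking to {f['url']}")
            print(f"  hint: {f['hint']}; check {f['certificate']}")
```

Run it against real output with `sudo getcert list | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; a request reported as CA_UNREACHABLE with curl error 58 points at the client-side certificate file named on the `certificate:` line rather than at the CA's own TLS setup.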