Hello,
I have the following problem, maybe one of you has a solution and can tell me where to look to solve the problem.
Here on site I have two Raspberry Pi 4, one Fedora 39 and one Fedora 41 Server Beta, both equipped with the latest Freeipa packages. Both have identical IPA versions installed:
ssh ipa1 -t ipa --version
VERSION: 4.12.1, API_VERSION: 2.254
Connection to ipa1 closed.
ssh ipa9 -t ipa --version
VERSION: 4.12.1, API_VERSION: 2.254
Connection to ipa9 closed.
Replication from ipa1 to ipa9 with “ipa-replica-install --setup-ca --setup-kra --setup-dns --forwarder=1.1.1.1 --setup-adtrust --add-agents” works fine, and “ipa-replica-manage re-initialize --from ipa1.linux.schnell.er” also works; I can also access the web frontend. After a reboot of ipa9 it does not work anymore, and I get the following error message:
ipa-replica-manage re-initialize --from ipa1.linux.schnell.er
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: cannot connect to 'ldaps://ipa9.linux.schnell.er:636': error:0A000086:SSL routines::certificate verify failed (certificate is not yet valid)
I then installed Fedora 41 Server Beta again to rule out an error, but that didn't help. What I do not understand is that it is a “fresh” installation, and after a reboot or restart of Fedora 41 nothing works anymore :(
Am I doing something wrong?
Kind regards Dirk
On Mon, 30 Sep 2024, Dirk Streubel via FreeIPA-users wrote:
Yes, in a way. You are using a Raspberry Pi 4, which typically has no internal realtime clock. It means at each boot it needs to set the time from an external source. Your system has no proper time synchronization, so it defaults to the beginning of the UNIX epoch (1970...), and thus the certificate the other IPA replica uses is not yet valid from the perspective of this replica.
See https://raspberrypi-guide.github.io/electronics/add-real-time-clock for more details on how to fix those problems hardware-wise. On the software side you need to make sure the time is updated early after boot, before 389-ds (or any other IPA service) starts. This can be done by forcing the chrony daemon to run immediately after networking is there and to use some accessible valid NTP servers.
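One way to implement the software-side ordering described above, as an added example that is not part of the thread and not FreeIPA's or chrony's own code. It assumes that the chrony package ships chrony-wait.service (which runs "chronyc waitsync" and orders itself before time-sync.target), that FreeIPA is started through ipa.service and 389-ds through the dirsrv@<instance>.service template, and it uses a constructed sanity threshold (2024-01-01 UTC) to decide whether the clock is still sitting at the epoch default:

```shell
#!/bin/sh
# Added example (not from the thread): keep FreeIPA and 389-ds from starting
# on a clock-less Raspberry Pi until chrony reports the clock is synchronised,
# so the replica never evaluates certificates against a 1970 date.
#
# Assumptions (not stated on the page): chrony-wait.service exists and is
# ordered Before=time-sync.target; FreeIPA runs as ipa.service and 389-ds
# as dirsrv@<instance>.service.

# Constructed threshold: any time before 2024-01-01T00:00:00Z is treated as
# "the clock is still at the epoch default and must not be trusted".
MIN_SANE_EPOCH=1704067200

# clock_is_sane [NOW] [MIN]
# Returns 0 if NOW (seconds since the epoch; default: current time) is at or
# after MIN (default: MIN_SANE_EPOCH), 1 otherwise.
clock_is_sane() {
    now="${1:-$(date +%s)}"
    min="${2:-$MIN_SANE_EPOCH}"
    [ "$now" -ge "$min" ]
}

# write_time_sync_dropin UNIT_DIR UNIT
# Writes UNIT_DIR/UNIT.d/10-wait-for-time-sync.conf ordering UNIT after
# time-sync.target. With chrony-wait.service enabled, that target is only
# reached once chronyc waitsync succeeds. Prints the drop-in path.
write_time_sync_dropin() {
    unit_dir="$1"
    unit="$2"
    dropin_dir="${unit_dir}/${unit}.d"
    dropin="${dropin_dir}/10-wait-for-time-sync.conf"
    mkdir -p "$dropin_dir"
    printf '%s\n' '[Unit]' \
        '# Added drop-in: wait for chrony to synchronise the clock first' \
        'After=time-sync.target' \
        'Wants=time-sync.target' > "$dropin"
    printf '%s\n' "$dropin"
}

# Apply on a real host (as root):  ./wait-for-time.sh apply
if [ "${1:-}" = "apply" ]; then
    for unit in ipa.service dirsrv@.service; do
        write_time_sync_dropin /etc/systemd/system "$unit"
    done
    systemctl daemon-reload
    systemctl enable chrony-wait.service
    if clock_is_sane; then
        echo "clock looks sane: $(date -u)"
    else
        # Clock is still at the epoch default: step it now rather than slew.
        echo "clock is not sane ($(date -u)); stepping with chronyc makestep" >&2
        chronyc makestep
    fi
fi
```

Run with the "apply" argument as root once on the replica; afterwards "systemctl list-dependencies --after dirsrv@YOUR-INSTANCE.service" should show time-sync.target in the ordering, and a reboot without reachable NTP servers will hold the IPA services back (for up to chrony-wait's timeout) instead of starting them with a 1970 clock.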
On 30.09.24 at 10:15 AM, Alexander Bokovoy via FreeIPA-users wrote:
I hadn't even thought about the fact that the time and date on the Pi4 are not correct and therefore nothing works. :( As soon as you set the time correctly, everything works :) Many thanks for the quick help Alexander :)
Kind regards Dirk
freeipa-users@lists.fedorahosted.org