On 06/04/2014 02:07 PM, Rob Crittenden wrote:
Michael Gregg wrote:
I was trying to join my rhel 5 client to a rhel 7 domain, and getting
the following error:

[root@oracle ~]# ipa-client-install -p admin -w <pw> -U
root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Tried to verify the cert with this:

openssl s_client -host iota.testrelm.test -port 443 -CAfile /etc/ipa/ca.crt

This came up with this error code:

Verify return code: 9 (certificate is not yet valid)

After syncing the clock, everything worked all right. I tried googling
around a bit, but I couldn't find any specific articles about this problem.

Does this sound like a troubleshooting and repair step that is
documented somewhere already?
I don't recall any documentation on this. The time should be
synchronized before that happens. Can you send me the full
ipaclient-install.log?

rob

Sure thing. The log is not very long. It is attached.

2013-06-04 15:17:38,797 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'preserve_sssd': False, 'debug': False, 'on_master': False, 'ca_cert_file': None, 'realm_name': None, 'unattended': True, 'ntp_server': None, 'principal': 'admin'}
2013-06-04 15:17:38,797 DEBUG missing options might be asked for interactively later

2013-06-04 15:17:38,797 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-06-04 15:17:38,797 DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-06-04 15:17:38,797 DEBUG [IPA Discovery]
2013-06-04 15:17:38,798 DEBUG Starting IPA discovery with domain=None, servers=None, hostname=oracle.testrelm.test
2013-06-04 15:17:38,798 DEBUG [ipadnssearchldap(testrelm.test)]
2013-06-04 15:17:38,799 DEBUG [ipadnssearchkrb]
2013-06-04 15:17:38,801 DEBUG [ipacheckldap]
2013-06-04 15:17:38,802 DEBUG Verifying that gamma.testrelm.test (realm TESTRELM.TEST) is an IPA server
2013-06-04 15:17:38,802 DEBUG Init ldap with: ldap://gamma.testrelm.test:389
2013-06-04 15:17:38,813 ERROR LDAP Error: Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013-06-04 15:17:38,813 WARNING Skip gamma.testrelm.test: cannot verify if this is an IPA server
2013-06-04 15:17:38,813 DEBUG Verifying that iota.testrelm.test (realm TESTRELM.TEST) is an IPA server
2013-06-04 15:17:38,814 DEBUG Init ldap with: ldap://iota.testrelm.test:389
2013-06-04 15:17:38,816 ERROR LDAP Error: Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013-06-04 15:17:38,816 WARNING Skip iota.testrelm.test: cannot verify if this is an IPA server
2013-06-04 15:17:38,816 DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=testrelm.test, kdc=iota.testrelm.test,gamma.testrelm.test, basedn=None
2013-06-04 15:17:38,816 DEBUG Validated servers: 
2013-06-04 15:17:38,816 DEBUG will use domain: testrelm.test

2013-06-04 15:17:38,817 DEBUG IPA Server not found

_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
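An added example, not part of the original thread or of FreeIPA's code: a pre-flight check that compares the local clock with the CA certificate's validity window before running ipa-client-install, returning the same verify codes openssl s_client reports (9 for not yet valid, 10 for expired). The sample dates are constructed, and the log timestamp is assumed to be UTC.

```python
import ssl
import subprocess
import sys
import time
from datetime import datetime, timezone

# Constructed sample in the format printed by
# `openssl x509 -noout -dates -in /etc/ipa/ca.crt` (not the poster's real CA).
SAMPLE_DATES = "notBefore=Jun  1 00:00:00 2014 GMT\nnotAfter=Jun  1 00:00:00 2034 GMT\n"

# Timestamp of the first line of the install log in the thread, assumed to be UTC.
LOG_CLOCK = datetime(2013, 6, 4, 15, 17, 38, tzinfo=timezone.utc).timestamp()

# OpenSSL verify return codes for the two time-related failures.
NOT_YET_VALID, HAS_EXPIRED = 9, 10


def parse_dates(text):
    """Return (notBefore, notAfter) as epoch seconds from `openssl x509 -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            found[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if len(found) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_clock(dates_text, now):
    """Return (verify_code, seconds_outside_window); (0, 0) when `now` is inside."""
    not_before, not_after = parse_dates(dates_text)
    if now < not_before:
        return NOT_YET_VALID, int(not_before - now)
    if now > not_after:
        return HAS_EXPIRED, int(now - not_after)
    return 0, 0


if __name__ == "__main__":
    # Usage: script.py [ca.crt]; defaults to the CA file used in the thread.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipa/ca.crt"
    out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    code, off = check_clock(out, time.time())
    print("verify code %d, clock outside validity window by %d s" % (code, off))
    sys.exit(1 if code else 0)
```

A non-zero exit with code 9 means the local clock is behind the certificate's notBefore, so the clock should be synchronized before the join is retried.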
