URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
`kinit -n` still fails with my setup. I found out the reason is that I have a 
self-sign certificate in the trust chain:
[36993] 1494834859.113259: PKINIT client could not verify DH reply
[36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: 
-1765328313/Failed to verify received certificate (depth 2): self signed 
certificate in certificate chain
kinit: Invalid certificate while getting initial credentials
This does not happen without this patchset so the question is whether it is OK 
that this is happening or not. If so, we should add a check which would prevent 
this + probably warn our QA team because I guess this is just the way they are 
testing this,

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to