URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
`kinit -n` still fails with my external CA setup. I found out the reason is 
that I have a self-signed certificate in the trust chain:
```
[36993] 1494834859.113259: PKINIT client could not verify DH reply
[36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain
kinit: Invalid certificate while getting initial credentials
```
This does not happen without this patchset so the question is whether it is OK 
that this is happening or not. If so, we should add a check which would prevent 
this + probably warn our QA team because I guess this is just the way they are 
testing this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948