Thanks for your update.
Tried copying the ca.crt file to /etc/ipa and the installation went fine.
Thanks and Regards,
On Mon, Jul 31, 2017 at 3:58 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
>> Hello Florence,
>> I have checked the output for the ldapsearch command and I can see the
>> IPA CA as well as the third party CA on my /etc/ipa/ca.crt file on my IPA
>> Even I tried installing the client by giving the option ca-cert-file=""
>> with my ca.crt file in IPA Server copied locally to my IPA Client in one
>> path. However, it was still giving the certificate as untrusted. Is there
>> any issue in enrolling IPA Client Version 3.3 with IPA Server version 4.4
>> with a third-party certificate installed? If I use the self-signed CA of the IPA
>> Server alone, the enrolment is carried out successfully.
>> Awaiting your reply.
>> Thanks and Regards,
>> Alka Murali
> IPA client 3.3 does not support installation with multiple CA certs (see
> BZ 1457402). In your case, as you installed IPA server with an embedded
> CA and then changed the HTTP and LDAP certificates with 3rd-party certs, you
> end up with 2 CAs (the one embedded in IPA and the 3rd-party CA), and the
> tool ipa-client-install is not able to download both.
> You can try to follow this note: "How to use a certificate from a third
> party Certificate Authority (CA) with Apache on IdM server", or the
> following procedure:
> - copy /etc/ipa/ca.crt from the master to the client
> - run ipa-client-install without the --ca-cert-file option. In this case,
> ipa-client-install reuses the existing /etc/ipa/ca.crt file and should
> complete successfully.
>  https://bugzilla.redhat.com/show_bug.cgi?id=1457402
>  https://access.redhat.com/solutions/2090871
> On Fri, Jul 28, 2017 at 10:17 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>> On 07/28/2017 03:51 AM, Alka Murali via FreeIPA-users wrote:
>> I Cannot enrol and do the ipa-client-install on Ubuntu 14.04 to
>> IPA Server (4.4). My IPA Server is having third party
>> certificates for HTTP/LDAP. I have installed it using the
>> suggestions in
>> Other version of Ubuntu like 16.04 is enrolled fine.
>> Here is the error message that I get during the installation
>> cert validation failed for
>> "CN=*.*.*,O=*.*,((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
>> issuer has been marked as not trusted by the user.)
>> Cannot connect to the server due to generic error: cannot
>> connect to 'https://*.*.*.*/ipa/xml': [Errno -8172]
>> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked as not trusted by the user.
>> Installation failed. Rolling back changes.
>> certmonger failed to start: [Errno 2] No such file or directory:
>> certmonger failed to stop: [Errno 2] No such file or directory:
>> Unenrolling client from IPA server
>> Unenrolling host failed: Error getting default Kerberos realm:
>> Configuration file does not specify default realm.
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
>> to /etc/sssd/sssd.conf.deleted
>> SSSD service could not be stopped
>> Restoring client configuration files
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>> Is it due to my third-party cert? If so, please provide a
>> suggestion so that I can enrol my Ubuntu Client to my IPA Server.
>> I am attaching the logs for your reference.
>> FreeIPA-users mailing list --
>> To unsubscribe send an email to
>> from the logs we can see that the client retrieved IPA CA cert:
>> 2017-07-27T07:28:25Z INFO Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=*.*.*
>> Issuer: CN=Certificate Authority,O=*.*.*
>> Valid From: Tue Apr 11 01:18:51 2017 UTC
>> Valid Until: Sat Apr 11 01:18:51 2037 UTC
>> but there is no trace of the 3rd-party CA, which should also be
>> displayed here.
>> If there is a file /etc/ipa/ca.crt left on the client after the
>> unsuccessful installation, can you check if it also contains the 3rd-party
>> CA cert (i.e. the one that you added using ipa-cacert-manage)? If
>> not, you can check on the IPA server with (replace BASEDN with your
>> basedn, which can be found in /etc/ipa/default.conf):
>> $ ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN
>> The output should contain an entry corresponding to the 3rd-party CA
>> cert. If it is missing, make sure that you run ipa-cacert-manage
>> install and ipa-certupdate to load the 3rd-party CA before enrolling
>> the client (ipa-cacert-manage on one of the IPA servers, ipa-certupdate
>> on all servers/replicas/clients).
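The fix in this thread is to copy the master's /etc/ipa/ca.crt, which must carry both the embedded IPA CA and the 3rd-party CA, onto the client. The check below is an added example (not FreeIPA code and not from the thread) that parses a PEM bundle, fingerprints each certificate with SHA-256 and reports which expected CAs are missing; it assumes you already know the expected fingerprints (e.g. from `openssl x509 -noout -fingerprint -sha256` on the master), and the PEM bodies it uses are constructed bytes, not real certificates.

```python
import base64
import hashlib
import re

# One PEM CERTIFICATE block; re.S lets the base64 body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_bundle_to_der(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(bundle_text)]

def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_bundle(bundle_text, expected):
    """expected maps a label to a SHA-256 fingerprint. Returns (present, missing)
    label lists; a CA missing from the client's bundle is one whose issued
    server certificates will fail validation (SEC_ERROR_UNTRUSTED_ISSUER)."""
    found = {sha256_fingerprint(der) for der in pem_bundle_to_der(bundle_text)}
    present = [name for name, fp in expected.items() if fp in found]
    missing = [name for name, fp in expected.items() if fp not in found]
    return present, missing

def _fake_pem(der):
    """Wrap bytes in PEM armour (76-column base64, as a real bundle would be)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed stand-ins: not real certificates, just bytes to fingerprint.
IPA_CA_DER = b"constructed-ipa-ca-der" * 3
THIRD_PARTY_CA_DER = b"constructed-third-party-ca-der" * 3
EXPECTED = {"IPA CA": sha256_fingerprint(IPA_CA_DER),
            "third-party CA": sha256_fingerprint(THIRD_PARTY_CA_DER)}
# What the client ended up with after retrieving only the IPA CA ...
CLIENT_ONLY_IPA = _fake_pem(IPA_CA_DER)
# ... versus the full /etc/ipa/ca.crt copied from the master.
MASTER_BUNDLE = _fake_pem(IPA_CA_DER) + _fake_pem(THIRD_PARTY_CA_DER)

if __name__ == "__main__":
    for label, text in (("client", CLIENT_ONLY_IPA), ("master", MASTER_BUNDLE)):
        present, missing = check_bundle(text, EXPECTED)
        print(f"{label}: present={present} missing={missing}")
```

Run it against the real file on the client (`check_bundle(open("/etc/ipa/ca.crt").read(), EXPECTED)` with the master's fingerprints) before re-running ipa-client-install without --ca-cert-file.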