Hi Charles,

On 11/16/17 7:59 PM, Charles Hedrick via FreeIPA-users wrote:
> I’ve seen the same thing. Or at least I think it seems like it’s related.
> We have three servers, all on CentOS. The initial one was installed under
> 7.3, using defaults. That caused it to generate a self-signed CA. We later 
> added a commercial cert for HTTP and LDAP. When we upgraded to 7.4, it 
> generated a self-signed cert to handle anonymous KINIT.
> We had no trouble with ipa-client-install under 7.3, but the first time I 
> tried it after the 7.4 upgrade, ipa-client-install said it was getting a cert 
> from the server, displayed a self-signed cert, and then failed with a cert 
> error. My conjecture is that it was trying to make an HTTP or LDAP connection 
> using the self-signed cert rather than the commercial cert. 
> The workaround is to generate a file containing the CA path for the 
> commercial cert, and pass it to ipa-client-install:
> ipa-client-install --ca-cert-file=/home/hedrick/certs --no-sudo -w password

Unfortunately this option doesn't exist for FreeIPA 3.0.2 :-(.

Anyway, I highly appreciate your response.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
