On 11/16/17 7:59 PM, Charles Hedrick via FreeIPA-users wrote:
> I’ve seen the same thing. Or at least I think it seems like it’s related.
> We have three servers, all on CentOS. The initial one was installed under
> 7.3, using defaults. That caused it to generate a self-signed CA. We later
> added a commercial cert for HTTP and LDAP. When we upgraded to 7.4, it
> generated a self-signed cert to handle anonymous KINIT.
> We had no trouble with ipa-client-install under 7.3, but the first time I
> tried it after the 7.4 upgrade, ipa-client-install said it was getting a cert
> from the server, displayed a self-signed cert, and then failed with a cert
> error. My conjecture is that it was trying to make an HTTP or LDAP connection
> using the self-signed cert rather than the commercial cert.
> The workaround is to generate a file containing the CA path for the
> commercial cert, and pass it to ipa-client-install:
> ipa-client-install --ca-cert-file=/home/hedrick/certs --no-sudo -w password
Unfortunately this option doesn't exist for freeipa 3.0.2 :-(.
Anyway, I highly appreciate your response.