Andrew Meyer via FreeIPA-users wrote:
> [ec2-user@freeipa01 ~]$ sudo getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20180302161736':
>         status: CA_UNREACHABLE
>         ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> [ec2-user@freeipa01 ~]$

What distro are you running? Is curl linked with NSS or OpenSSL?

rob

> 
> 
> On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> While building a new freeipa server in AWS I got this error:
>> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
>> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
>> /var/log/ipaserver-install.log for more information
>>
>> I did some research and found this is possibly related to version 4.5.0? 
> 
> Probably not. Run getcert-list to hopefully get more context to the error.
> 
>> I have a host entry in /etc/hosts but that didn't seem to fix the
>> problem.  Is there something else I'm missing?
>>
>> Do you know when 4.6.x will be released to epel/amazon?
> 
> The usual cause for version lag in RHEL is missing dependencies. Many
> important changes are backported so in RHEL you can never really rely on
> the version.
> 
> 
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> <mailto:freeipa-users-le...@lists.fedorahosted.org>