It's Amazon Linux 2.
I also suspect it's because FreeIPA is not authoritative for the zone, which
will throw things off.  Mgmt would like to use the .com zone but have R53
manage it.

On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:

Andrew Meyer via FreeIPA-users wrote:
> [ec2-user@freeipa01 ~]$ sudo getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20180302161736':
>         status: CA_UNREACHABLE
>         ca-error: Error 58 connecting to
> https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview:
> Problem with the local SSL certificate.
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> [ec2-user@freeipa01 ~]$

What distro are you running? Is curl linked with NSS or OpenSSL?

rob

> 
> 
> On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> While building a new freeipa server in AWS I got this error:
>> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
>> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
>> /var/log/ipaserver-install.log for more information
>>
>> I did some research and found this is possibly related to version 4.5.0? 
> 
> Probably not. Run getcert-list to hopefully get more context to the error.
> 
>> I have a host entry in /etc/hosts but that didn't seem to fix the
>> problem.  Is there something else I'm missing?
>>
>> Do you know when 4.6.x will be released to epel/amazon?
> 
> The usual cause for version lag in RHEL is missing dependencies. Many
> important changes are backported so in RHEL you can never really rely on
> the version.
> 
> 
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> <mailto:freeipa-users-le...@lists.fedorahosted.org>
> 
> 
> 
> 