Unfortunately I don't know if it's linked with OpenSSL or NSS.  How would I
tell?  Is it a symlink?

    On Friday, March 2, 2018 1:32 PM, Rob Crittenden via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 Andrew Meyer via FreeIPA-users wrote:
> It's Amazon Linux 2.

You didn't fully answer the question.

Someone just yesterday on IRC was having problems with 4.5 in Amazon
Linux and it was failing due to the fact that the linkage of libcurl
was incorrect. For the IPA RHEL bits to work it needs to be linked against
NSS, not OpenSSL.

> I also suspect it's because FreeIPA is not authoritative for the zone. 
> Which will throw things off.  Mgmt would like to use the .com zone but
> have R53 manage it.

I don't think this is it. It isn't complaining about not being able to
read the server but that it is having issues with its certificate.

rob

> 
> 
> On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> [ec2-user@freeipa01 ~]$ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20180302161736':
>>         status: CA_UNREACHABLE
>>         ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
>>         stuck: no
>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> [ec2-user@freeipa01 ~]$
> 
> What distro are you running? Is curl linked with NSS or OpenSSL?
> 
> rob
> 
>>
>>
>> On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>
>> Andrew Meyer via FreeIPA-users wrote:
>>> While building a new freeipa server in AWS I got this error:
>>> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
>>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>>> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
>>> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
>>> /var/log/ipaserver-install.log for more information
>>>
>>> I did some research and found this is possibly related to version 4.5.0? 
>>
>> Probably not. Run getcert-list to hopefully get more context to the error.
>>
>>> I have a host entry in /etc/hosts but that didn't seem to fix the
>>> problem.  Is there something else I'm missing?
>>>
>>> Do you know when 4.6.x will be released to epel/amazon?
>>
>> The usual cause for version lag in RHEL is missing dependencies. Many
>> important changes are backported so in RHEL you can never really rely on
>> the version.
>>
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
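On the "How would I tell?" question at the top of this message: the first line printed by `curl --version` names the TLS library the build is linked against. The script below is an added example, not something posted by anyone in the thread; the function names and the two sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which TLS library a curl build says it is linked to.
# The first line of `curl --version` lists linked libraries as name/version
# tokens, for instance "NSS/3.28.4" or "OpenSSL/1.0.2k".

# Constructed sample outputs (not taken from the host in this thread).
SAMPLE_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps http https'
SAMPLE_OPENSSL='curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7
Protocols: dict file ftp ftps http https'

# Print "<library> <version>" for the TLS token on the first line, or "unknown".
# Only the first line is examined, so the Protocols/Features lines cannot match.
curl_tls_backend() {
    token=$(printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' \
        | grep -E '^(NSS|OpenSSL|LibreSSL|GnuTLS)/' | head -n 1)
    if [ -z "$token" ]; then
        echo "unknown"
        return 0
    fi
    echo "${token%%/*} ${token#*/}"
}

# Per the reply above, the IPA RHEL packages need libcurl linked against NSS.
# Returns 0 when the reported backend is NSS, 1 otherwise.
linked_against_nss() {
    case "$(curl_tls_backend "$1")" in
        "NSS "*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check the curl installed on this machine, if there is one.
if command -v curl >/dev/null 2>&1; then
    live=$(curl --version)
    echo "local curl TLS backend: $(curl_tls_backend "$live")"
    if linked_against_nss "$live"; then
        echo "linked against NSS"
    else
        echo "not linked against NSS"
    fi
fi
```

The version string is a better signal than `ldd` here, because `ldd` also lists TLS libraries pulled in indirectly by other dependencies such as libssh2, and NSS ships its own `libssl3.so` that is easy to mistake for OpenSSL's `libssl.so`.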