Andrew Meyer via FreeIPA-users wrote:
> Unfortunately I don't know if it's linked with OpenSSL or NSS.  How would
> I tell?  Is it a symlink?

curl -V

> 
> 
> On Friday, March 2, 2018 1:32 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> It's Amazon Linux 2.
> 
> You didn't fully answer the question.
> 
> Someone just yesterday on IRC was having problems with 4.5 in Amazon
> Linux and it was failing due to the fact that the linkage of libcurl was
> incorrect. For the IPA RHEL bits to work it needs to be linked against
> NSS, not OpenSSL.
> 
>> I also suspect it's because FreeIPA is not authoritative for the zone.
>> Which will throw things off.  Mgmt would like to use the .com zone but
>> have R53 manage it.
> 
> I don't think this is it. It isn't complaining about not being able to
> read the server but that it is having issues with its certificate.
> 
> rob
> 
>>
>>
>> On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>
>> Andrew Meyer via FreeIPA-users wrote:
>>> [ec2-user@freeipa01 ~]$ sudo getcert list
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20180302161736':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Error 58 connecting to
>>> https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview:
>>> Problem with the local SSL certificate.
>>>         stuck: no
>>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer:
>>>         subject:
>>>         expires: unknown
>>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>         track: yes
>>>         auto-renew: yes
>>> [ec2-user@freeipa01 ~]$
>>
>> What distro are you running? Is curl linked with NSS or OpenSSL?
>>
>> rob
>>
>>>
>>>
>>> On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>
>>> Andrew Meyer via FreeIPA-users wrote:
>>>> While building a new freeipa server in AWS I got this error:
>>>> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
>>>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>>>> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
>>>> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
>>>> /var/log/ipaserver-install.log for more information
>>>>
>>>> I did some research and found this is possibly related to version
>>>> 4.5.0?
>>>
>>> Probably not. Run getcert-list to hopefully get more context to the
>>> error.
>>>
>>>> I have a host entry in /etc/hosts but that didn't seem to fix the
>>>> problem.  Is there something else I'm missing?
>>>>
>>>> Do you know when 4.6.x will be released to epel/amazon?
>>>
>>> The usual cause for version lag in RHEL is missing dependencies. Many
>>> important changes are backported so in RHEL you can never really rely on
>>> the version.
>>>
>>>
>>> rob
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
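
The check suggested in this thread (`curl -V`), combined with the `getcert list` symptom, as an added example that is not part of the original messages. The function names, the sample outputs and the host `ipa.example.test` are constructed for illustration; the rule that the backend should be NSS is the diagnosis given in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). All sample text below is constructed.

# Print the TLS library named on the first line of `curl -V` output (stdin).
tls_backend() {
    head -n 1 | tr ' ' '\n' | awk -F/ '
        $1 == "NSS" || $1 == "OpenSSL" { print $1; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Print IDs of `getcert list` requests (stdin) that are CA_UNREACHABLE with
# libcurl error 58 (CURLE_SSL_CERTPROBLEM, a local client certificate problem).
error58_requests() {
    awk -F"'" '
        /^Request ID/                   { id = $2; unreachable = 0 }
        /^[ \t]*status: CA_UNREACHABLE/ { unreachable = 1 }
        /^[ \t]*ca-error: Error 58 / && unreachable { print id }'
}

# $1 = `curl -V` output, $2 = `getcert list` output.
diagnose() {
    backend=$(printf '%s\n' "$1" | tls_backend)
    ids=$(printf '%s\n' "$2" | error58_requests | paste -sd, -)
    if [ -n "$ids" ] && [ "$backend" != "NSS" ]; then
        echo "MISMATCH backend=$backend requests=$ids"
    else
        echo "OK backend=$backend"
    fi
}

# Constructed samples modelled on the output formats quoted in the thread.
SAMPLE_CURL_OPENSSL='curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.8
Protocols: http https
Features: SSL libz'
SAMPLE_CURL_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7'
SAMPLE_GETCERT="Request ID '20180101000000':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Request ID '20180101000001':
        status: MONITORING"

diagnose "$SAMPLE_CURL_OPENSSL" "$SAMPLE_GETCERT"
# On a live host: diagnose "$(curl -V)" "$(sudo getcert list)"
```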
