[ec2-user@freeipa01 ~]$ curl -V
curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink
[ec2-user@freeipa01 ~]$

On Friday, March 2, 2018 3:07 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Andrew Meyer via FreeIPA-users wrote:
> Unfortunately I don't know if it's linked with OpenSSL or NSS. How would
> I tell? Is it a symlink?

curl -V

> On Friday, March 2, 2018 1:32 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Andrew Meyer via FreeIPA-users wrote:
>> It's Amazon Linux 2.
>
> You didn't fully answer the question.
>
> Someone just yesterday on IRC was having problems with 4.5 in Amazon
> Linux and it was failing due to the fact that the linkage of libcurl
> was incorrect. For the IPA RHEL bits to work it needs to be linked against
> NSS, not OpenSSL.
>
>> I also suspect it's because FreeIPA is not authoritative for the zone.
>> Which will throw things off. Mgmt would like to use the .com zone but
>> have R53 manage it.
>
> I don't think this is it. It isn't complaining about not being able to
> read the server but that it is having issues with its certificate.
>
> rob
>
>> On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> Andrew Meyer via FreeIPA-users wrote:
>>> [ec2-user@freeipa01 ~]$ sudo getcert list
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20180302161736':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 58 connecting to
>>> https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview:
>>> Problem with the local SSL certificate.
>>> stuck: no
>>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>> [ec2-user@freeipa01 ~]$
>>
>> What distro are you running? Is curl linked with NSS or OpenSSL?
>>
>> rob
>>
>>> On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> Andrew Meyer via FreeIPA-users wrote:
>>>> While building a new freeipa server in AWS I got this error:
>>>> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
>>>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>>>> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
>>>> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
>>>> /var/log/ipaserver-install.log for more information
>>>>
>>>> I did some research and found this is possibly related to version 4.5.0?
>>>
>>> Probably not. Run getcert-list to hopefully get more context to the error.
>>>
>>>> I have a host entry in /etc/hosts but that didn't seem to fix the
>>>> problem. Is there something else I'm missing?
>>>>
>>>> Do you know when 4.6.x will be released to epel/amazon?
>>>
>>> The usual cause for version lag in RHEL is missing dependencies. Many
>>> important changes are backported so in RHEL you can never really rely on
>>> the version.
>>>
>>> rob

_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
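
The check discussed in this thread (which TLS library curl is linked against, and what libcurl error certmonger is reporting) can be scripted. This is an added example, not part of the original messages and not FreeIPA or certmonger code; the function names and the NSS banner are constructed, while the OpenSSL banner and the getcert excerpt are taken from the thread.

```shell
#!/bin/sh
# Added example: read libcurl's TLS backend from `curl -V` and pair it with the
# libcurl error number certmonger reports in `getcert list`.

# First line of `curl -V` as posted in the thread (OpenSSL build).
BANNER_FROM_THREAD='curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0'
# Constructed banner for an NSS-linked build, for comparison.
BANNER_NSS_SAMPLE='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3'
# Excerpt of the `getcert list` output quoted in the thread.
GETCERT_FROM_THREAD="Request ID '20180302161736':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate."

# tls_backend BANNER: print NSS, OpenSSL or unknown.
tls_backend() {
    # Only the first line lists linked libraries as name/version tokens.
    first_line=$(printf '%s\n' "$1" | sed -n '1p')
    case " $first_line " in
        *" NSS/"*)     echo NSS ;;
        *" OpenSSL/"*) echo OpenSSL ;;
        *)             echo unknown ;;
    esac
}

# ca_error_code GETCERT_OUTPUT: print the first "ca-error: Error N" number, if any.
ca_error_code() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ca-error: Error \([0-9][0-9]*\) .*/\1/p' |
        sed -n '1p'
}

# diagnose BANNER GETCERT_OUTPUT: one-line verdict, always returns 0.
diagnose() {
    backend=$(tls_backend "$1")
    code=$(ca_error_code "$2")
    # 58 is CURLE_SSL_CERTPROBLEM: libcurl could not use the local client cert.
    if [ "$code" = 58 ] && [ "$backend" != NSS ]; then
        echo "mismatch: error 58 with $backend-linked curl; the thread says the RHEL IPA build needs NSS"
    else
        echo "ok: backend=$backend ca-error=${code:-none}"
    fi
}

diagnose "$BANNER_FROM_THREAD" "$GETCERT_FROM_THREAD"
# On a live host: diagnose "$(curl -V)" "$(sudo getcert list)"
```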