Andrew Meyer wrote:
> [ec2-user@freeipa01 ~]$ curl -V
> curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k
> zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0
> Release-Date: 2017-08-14
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
> pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
> NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink
> [ec2-user@freeipa01 ~]$

It is linked against OpenSSL which won't work with IPA 4.5.x.

You'll need to use a different distro.

rob

> 
> 
> On Friday, March 2, 2018 3:07 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> Unfortunately I don't know if it's linked with OpenSSL or NSS.  How would
>> I tell?  Is it a symlink?
> 
> curl -V
> 
>>
>>
>> On Friday, March 2, 2018 1:32 PM, Rob Crittenden via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>
>> Andrew Meyer via FreeIPA-users wrote:
>>> It's Amazon Linux 2.
>>
>> You didn't fully answer the question.
>>
>> Someone just yesterday on IRC was having problems with 4.5 in Amazon
>> Linux and it was failing due to the fact that the linkage of libcurl
>> was incorrect. For the IPA RHEL bits to work it needs to be linked against
>> NSS, not OpenSSL.
>>
>>> I also suspect it's because FreeIPA is not authoritative for the zone.
>>> Which will throw things off.  Mgmt would like to use the .com zone but
>>> have R53 manage it.
>>
>> I don't think this is it. It isn't complaining about not being able to
>> read the server but that it is having issues with its certificate.
>>
>> rob
>>
>>>
>>>
>>> On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>
>>> Andrew Meyer via FreeIPA-users wrote:
>>>> [ec2-user@freeipa01 ~]$ sudo getcert list
>>>> Number of certificates and requests being tracked: 1.
>>>> Request ID '20180302161736':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Error 58 connecting to
>>>> https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview:
>>>> Problem with the local SSL certificate.
>>>>         stuck: no
>>>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer:
>>>>         subject:
>>>>         expires: unknown
>>>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>>         track: yes
>>>>         auto-renew: yes
>>>> [ec2-user@freeipa01 ~]$
>>>
>>> What distro are you running? Is curl linked with NSS or OpenSSL?
>>>
>>> rob
>>>
>>>>
>>>>
>>>> On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users
>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>>
>>>> Andrew Meyer via FreeIPA-users wrote:
>>>>> While building a new freeipa server in AWS I got this error:
>>>>> 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed,
>>>>> exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
>>>>> 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
>>>>> 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See
>>>>> /var/log/ipaserver-install.log for more information
>>>>>
>>>>> I did some research and found this is possibly related to version
>>>>> 4.5.0?
>>>>
>>>> Probably not. Run getcert-list to hopefully get more context to the
>>>> error.
>>>>
>>>>> I have a host entry in /etc/hosts but that didn't seem to fix the
>>>>> problem.  Is there something else I'm missing?
>>>>>
>>>>> Do you know when 4.6.x will be released to epel/amazon?
>>>>
>>>> The usual cause for version lag in RHEL is missing dependencies. Many
>>>> important changes are backported so in RHEL you can never really rely on
>>>> the version.
>>>>
>>>>
>>>> rob
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
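Added example, not part of the original messages: a shell sketch of the two checks discussed in this thread, reading the TLS library from `curl -V` and pulling the failing request out of `getcert list`. The function names are hypothetical and the sample inputs are embedded; the NSS line is constructed.

```shell
#!/bin/sh
# Samples embedded so the script runs offline.
# First line of `curl -V` as posted in the thread (OpenSSL build):
SAMPLE_OPENSSL='curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0'
# Constructed line for an NSS build (version numbers are illustrative):
SAMPLE_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3'
# `getcert list` excerpt, trimmed from the output quoted in the thread:
SAMPLE_GETCERT="Number of certificates and requests being tracked: 1.
Request ID '20180302161736':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
        stuck: no"

# Print the TLS library token (e.g. "OpenSSL/1.0.2k") found on the first
# line of `curl -V` text read from stdin, or "unknown".
curl_tls_backend() {
    head -n 1 | tr ' ' '\n' |
        grep -E -i -m1 '^(NSS|OpenSSL|LibreSSL|BoringSSL|GnuTLS|mbedTLS|wolfSSL)/' ||
        echo unknown
}

# Succeed only for an NSS-linked libcurl, which the thread says the
# IPA 4.5.x RHEL bits need.
curl_ok_for_ipa45() {
    case "$(curl_tls_backend)" in
        NSS/*) return 0 ;;
        *)     return 1 ;;
    esac
}

# From `getcert list` text on stdin, print "<request id> <curl error code>"
# for each request in CA_UNREACHABLE that carries a ca-error line.
# Code 58 is libcurl's CURLE_SSL_CERTPROBLEM (problem with the local
# client certificate).
unreachable_requests() {
    awk '/^Request ID/ { gsub(/[^0-9]/, "", $3); id = $3; bad = 0 }
         /status: CA_UNREACHABLE/ { bad = 1 }
         bad && /ca-error: Error [0-9]+/ { print id, $3; bad = 0 }'
}
```

On a live host, source the file and run `curl -V | curl_tls_backend` and `sudo getcert list | unreachable_requests`.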