On 04/23/2018 10:37 PM, Ross Infinger via FreeIPA-users wrote:
I'm trying to promote a new client to a replica.  I install the client first then run ipa-replica-install. The client install goes OK but the ipa-replica-install command fails with

RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

Seems the client was able to reach the CA so I'm puzzled why the replica cannot.



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi,

other users also hit this issue #7193 [1], and the root cause was that the root's umask on the master was too restrictive. Can you check if it's your case?

The workaround is to do:
chmod 644 /etc/ipa/ca.crt
chmod 440 /var/lib/ipa/ra-agent.{key,pem}

but the best is to install the master with umask 022.

HTH,
Flo

[1] https://pagure.io/freeipa/issue/7193
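
The check below is an added example, not part of the original thread and not FreeIPA's own tooling: it compares the modes of the three files named in the workaround with the values given there, so you can tell whether the restrictive-umask cause applies before running chmod. The function names and the optional root-prefix argument are assumptions made for illustration, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the file modes
# that the workaround sets. Nothing is modified.

# check_mode PATH EXPECTED_OCTAL
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or unreadable.
check_mode() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    have=$(stat -c '%a' "$path") || return 2   # GNU stat: octal permission bits
    if [ "$have" = "$want" ]; then
        echo "OK       $path ($have)"
        return 0
    fi
    echo "MISMATCH $path (have $have, want $want)"
    return 1
}

# audit_ipa_modes [ROOT]
# ROOT is a hypothetical prefix so the check can run against a copy of the
# tree; leave it empty on a real master. Returns the number of files whose
# mode differs from the workaround's values (0 means all three match).
audit_ipa_modes() {
    root=${1:-}
    bad=0
    check_mode "$root/etc/ipa/ca.crt" 644 || bad=$((bad + 1))
    check_mode "$root/var/lib/ipa/ra-agent.key" 440 || bad=$((bad + 1))
    check_mode "$root/var/lib/ipa/ra-agent.pem" 440 || bad=$((bad + 1))
    # The thread recommends installing the master with umask 022.
    [ "$(umask)" = "0022" ] || echo "NOTE     current umask is $(umask), not 0022"
    return "$bad"
}
```

Source the file and run `audit_ipa_modes` as root on the master; a non-zero return means at least one file does not have the mode the workaround would set.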