On 4/16/20 2:54 PM, Faraz Younus via FreeIPA-users wrote:
No, it's not the role, I'm using the command module:
ipa-client-install -U -w {{ freeipa_temp_kerberos_password }} --mkhomedir \
    --hostname {{ freeipa_client_hostname }} \
    --ntp-server {{ ipaclient_ntp_servers }} \
    --domain {{ ipaclient_domain }} --realm {{ ipaclient_realm }} \
    --server {{ servername }}
Hi,
you can access the client installation logs on the machine if you want
to troubleshoot (/var/log/ipaclient-install.log).
From your output we can see:
Connect error: TLS error -8172:Peer's certificate issuer has been marked
as not trusted by the user
Is there an existing /etc/ipa/ca.crt file on the client? If yes, does it
contain your IdM CA cert?
On CentOS 6, ipa client version is 3.x and IIRC the installer does not
support multiple CAs. On the server, does /etc/ipa/ca.crt contain
multiple certs?
flo
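As an added example (not code from this thread and not part of FreeIPA), the following POSIX shell script performs the checks suggested above before re-running ipa-client-install: it counts the certificates in the client's /etc/ipa/ca.crt, prints the subject and issuer of each one, warns when the bundle holds more than one CA, and asks openssl whether the chain the IPA server presents on LDAPS actually verifies against that bundle. It assumes /etc/ipa/ca.crt is the client bundle, that the server listens on port 636 (the IPA default), and that openssl is installed for the live check; the sample bundle it builds contains placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: sanity-check the CA
# bundle an IPA client trusts and compare it with what the server presents.
# Assumptions: /etc/ipa/ca.crt is the client bundle, the server speaks LDAPS
# on 636, and openssl is available for the live check.

# Number of PEM certificates in a bundle (no openssl needed).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th certificate of a bundle (1-based) as a PEM block.
nth_pem_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Subject and issuer of every certificate in the bundle (needs openssl).
list_bundle_certs() {
    bundle="$1"
    total=$(count_pem_certs "$bundle")
    i=1
    while [ "$i" -le "$total" ]; do
        printf 'cert %s: ' "$i"
        nth_pem_cert "$bundle" "$i" | openssl x509 -noout -subject -issuer | tr '\n' ' '
        printf '\n'
        i=$((i + 1))
    done
}

# Does the chain the LDAPS server presents verify against the client bundle?
# Prints openssl's "Verify return code" line; "0 (ok)" means the bundle holds
# the issuer of the server certificate. Anything else reproduces the
# "certificate issuer has been marked as not trusted" situation.
check_ldaps_chain() {
    server="$1"; bundle="$2"
    openssl s_client -connect "$server:636" -servername "$server" -CAfile "$bundle" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Constructed sample bundle with two placeholder blocks (not real
# certificates; only the PEM framing matters for the counting functions).
make_sample_bundle() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo 'placeholder-not-a-real-certificate-1'
        echo '-----END CERTIFICATE-----'
        echo '-----BEGIN CERTIFICATE-----'
        echo 'placeholder-not-a-real-certificate-2'
        echo '-----END CERTIFICATE-----'
    } > "$1"
}

main() {
    server="$1"; bundle="${2:-/etc/ipa/ca.crt}"
    total=$(count_pem_certs "$bundle")
    echo "$bundle contains $total certificate(s)"
    # A 3.x client installer (CentOS 6) is reported not to cope with several CAs.
    if [ "$total" -gt 1 ]; then
        echo "warning: more than one CA certificate in $bundle"
    fi
    list_bundle_certs "$bundle"
    check_ldaps_chain "$server" "$bundle"
}

# Usage: sh ipa-ca-check.sh ipa1.idm.example.com [/etc/ipa/ca.crt]
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the failing CentOS 6 client against the server it is being enrolled with; if the bundle count is 0 or the verify line is not "0 (ok)", copy the server's CA certificate into /etc/ipa/ca.crt before retrying, and if the count is greater than 1 on a 3.x client, trim the bundle to the single CA that issued the server certificate.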
On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman <rjeff...@redhat.com> wrote:
Hello,
Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS
7.4+ for it to work.
Rafael
On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hi Team,
I'm trying to add a client with hostname abc.example.com to the FreeIPA
server (ipa1.idm.example.com); on CentOS 7 it works fine.
All ports are allowed and accessible from the client side.
Can you please share what exactly the problem is and how it can be fixed?
TASK [Enroll host to FreeIPA] *****************************************************
failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com) => {
    "ansible_loop_var": "item",
    "changed": false,
    "cmd": [
        "ipa-client-install", "-U", "-w", "8ekh0Y", "--mkhomedir",
        "--hostname", "sherwin-centos6-test.example.com",
        "--ntp-server", "169.254.169.123",
        "--domain", "idm.example.com",
        "--realm", "IDM.EXAMPLE.COM",
        "--server", "ipa1.idm.example.com"
    ],
    "delta": "0:00:00.202857",
    "end": "2020-04-16 10:29:37.411081",
    "failed_when_result": true,
    "item": "ipa1.idm.example.com",
    "msg": "non-zero return code",
    "rc": 1,
    "start": "2020-04-16 10:29:37.208224",
    "stderr": "LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.\nLDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.\nFailed to verify that ipa1.idm.example.com is an IPA Server.\nThis may mean that the remote server is not up or is not reachable due to network or firewall settings.\nPlease make sure the following ports are opened in the firewall settings:\n TCP: 80, 88, 389\n UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\nAlso note that following ports are necessary for ipa-client working properly after enrollment:\n TCP: 464\n UDP: 464, 123 (if NTP enabled)\nInstallation failed. Rolling back changes.\nIPA client is not configured on this system.",
    "stderr_lines": [
        "LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.",
        "LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.",
        "Failed to verify that ipa1.idm.example.com is an IPA Server.",
        "This may mean that the remote server is not up or is not reachable due to network or firewall settings.",
        "Please make sure the following ports are opened in the firewall settings:",
        " TCP: 80, 88, 389",
        " UDP: 88 (at least one of TCP/UDP ports 88 has to be open)",
        "Also note that following ports are necessary for ipa-client working properly after enrollment:",
        " TCP: 464",
        " UDP: 464, 123 (if NTP enabled)",
        "Installation failed. Rolling back changes.",
        "IPA client is not configured on this system."
    ],
    "stdout": "\u001b[?1034h",
    "stdout_lines": ["\u001b[?1034h"]
}
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat