On Mon, 30 Sep 2024, Dirk Streubel via FreeIPA-users wrote:
Hello,

I have the following problem, maybe one of you has a solution and can tell me where to look to solve the problem.


Here on site I have two Raspberry Pi 4, one Fedora 39 and one Fedora 41 Server Beta, both equipped with the latest Freeipa packages. Both have identical IPA versions installed:

"ssh ipa1 -t ipa --version
VERSION: 4.12.1, API_VERSION: 2.254
Connection to ipa1 closed."

"ssh ipa9 -t ipa --version
VERSION: 4.12.1, API_VERSION: 2.254
Connection to ipa9 closed."

Replication from ipa1 to ipa9 with:
"ipa-replica-install --setup-ca --setup-kra --setup-dns --forwarder=1.1.1.1 --setup-adtrust --add-agents" works fine, an "ipa-replica-manage re-initialize --from ipa1.linux.schnell.er" also works, and I can also access it via the web frontend. After a reboot of ipa9 it does not work anymore; I get the following error message:
"ipa-replica-manage re-initialize --from ipa1.linux.schnell.er
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information Unexpected error: cannot connect to 'ldaps://ipa9.linux.schnell.er:636': error:0A000086:SSL routines::certificate verify failed (certificate is not yet valid)"

I then installed Fedora 41 Server Beta again to rule out an error, but that didn't help. What I do not understand is that it is a "fresh" installation, and after a reboot or restart of Fedora 41 nothing works anymore :(

Am I doing something wrong?

Yes, in a way. You are using Raspberry Pi 4 which typically has no
internal realtime clock. It means at each boot it needs to set time from
an external source. Your system has no proper time synchronization, it
defaults to the beginning of UNIX epoch (1970...) and thus the
certificate the other IPA replica uses is not yet valid from the
perspective of this replica.

See https://raspberrypi-guide.github.io/electronics/add-real-time-clock
for more details on how to fix those problems hardware-wise. On software
side you need to make sure time is updated early after boot, before
389-ds (or any other IPA service) starts. This can be done by forcing the
chrony daemon to run immediately after networking is there and to use
some accessible valid NTP servers.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
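Added example, not from the thread and not FreeIPA's or chrony's own code: a POSIX shell script that orders the directory server unit after systemd's time-sync.target and refuses to proceed while the clock still sits at the 1970 epoch. It assumes Fedora's chrony-wait.service (which holds time-sync.target until chronyd reports the clock is synchronized) and uses dirsrv@INSTANCE.service as a placeholder for the real IPA instance name; the 2024-01-01 sanity threshold is a constant chosen for the example.

```shell
#!/bin/sh
# Make 389-ds wait for a synchronized clock on a board without an RTC.
# Assumptions: chrony-wait.service exists (Fedora chrony package) and the
# IPA directory server runs as dirsrv@INSTANCE.service (placeholder).

# Write a systemd drop-in that orders UNIT after time-sync.target.
# $1 = unit name, $2 = drop-in root (default /etc/systemd/system;
# tests pass a temporary directory instead).
write_timesync_dropin() {
    unit="$1"
    root="${2:-/etc/systemd/system}"
    dir="$root/$unit.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-wait-for-time.conf" <<'EOF'
[Unit]
# Do not start until a time source has set the clock; otherwise the
# replica's certificates look "not yet valid" and LDAPS fails.
Wants=time-sync.target
After=time-sync.target
EOF
}

# Return 0 if the clock is plausibly correct, 1 if it looks like the
# epoch default. $1 = epoch seconds to check (default: now);
# $2 = minimum acceptable epoch (default: 2024-01-01 UTC, example constant).
clock_looks_sane() {
    now="${1:-$(date +%s)}"
    min="${2:-1704067200}"
    [ "$now" -ge "$min" ]
}

# Apply on the host: install the drop-in, enable chrony-wait so
# time-sync.target is gated on real synchronization, and check the clock.
apply_on_host() {
    write_timesync_dropin "dirsrv@INSTANCE.service"
    systemctl enable chrony-wait.service
    systemctl daemon-reload
    if ! clock_looks_sane; then
        echo "clock not synchronized yet; check 'chronyc tracking'" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked, e.g.
#   sudo WAIT_FOR_TIME_APPLY=1 sh wait-for-time.sh
if [ "${WAIT_FOR_TIME_APPLY:-0}" = "1" ]; then
    apply_on_host
fi
```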
