Thanks for the response. I just checked my security group settings; I 
did have some ports blocked, however, allowing them did not help.   I 
installed nmap on the client and did a port scan of the server and got the following:

22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

I tried to enroll again and got the same error as seen here: 

Synchronizing time with KDC...

ipa         : ERROR    Cannot obtain CA certificate

John Moyer

On Feb 18, 2013, at 7:24 PM, Peter Brown <> wrote:

> Hi John,
> I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
> It turned out to be that port 80 wasn't open on the freeipa server.
> I would check your ports and see if the right ones are open.
> I also find that setting up the SRV and TXT records in your dns zone makes 
> setting up clients a lot simpler.
> On 19 February 2013 00:58, John Moyer <> wrote:
> Hello all, 
>       I am having an issue using IPA 2.2.0.   I am trying to put together a 
> proof of concept set of systems.  I've stood up 2 servers on AWS.   One is 
> the server, one is the client.   I am using CentOS 6 to do all this testing 
> on, with the default IPA packages provided by CentOS.   I had a fully 
> operational proof of concept finished, fully scripted to be built without 
> issues.   I shut down and started these as needed to show to people to get 
> approval for the project.   The other day the client stopped enrolling to the 
> IPA server; I have no idea why. I assume a patch pushed out broke something, 
> since it is a fully scripted install. It does get the most recent patches 
> each time I stand it up, so it definitely would pull any new patches that came 
> out. 
>       After investigating I am getting this error when I try to manually 
> enroll the client.  I haven't been able to find any reference to this error 
> anywhere on the net.  Any help would be greatly appreciated!  Let me know if 
> any additional details are needed. 
> PLEASE NOTE:  Everything below has been sanitized 
> [root@client ~]# ipa-client-install --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U
> DNS domain '' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: client.ec2.internal
> DNS Domain:
> IPA Server:
> BaseDN: dc=example,dc=com
> Synchronizing time with KDC...
> ipa         : ERROR    Cannot obtain CA certificate
> 'ldap://' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> Thanks, 
> _____________________________________________________
> John Moyer
> _______________________________________________
> Freeipa-users mailing list
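Peter's suggestion to check which ports the client can actually reach, as an added example that is not part of this thread nor FreeIPA's own tooling: a POSIX shell script that compares an nmap-style port listing against the ports a FreeIPA server must expose to enrolling clients, for both TCP and UDP. The sample scan text is constructed to mirror the scan posted above; the port list is the one FreeIPA documents for clients (port 53 only matters if the server also hosts DNS); fetch_ca_cert and the /ipa/config/ca.crt path it requests are the example author's assumption about where the server publishes its CA certificate.

```shell
#!/bin/sh
# Added example: check an nmap-style scan against the ports an enrolling
# FreeIPA client needs to reach. Not from the thread or the FreeIPA project.

# Assumption: FreeIPA's documented client-facing ports. Kerberos and NTP are
# UDP; a default nmap run (TCP only) never tests them.
IPA_TCP_PORTS="80 443 389 636 88 464"
IPA_UDP_PORTS="88 464 123"

# Constructed sample output, modelled on the TCP scan posted in the thread.
SAMPLE_TCP_SCAN='22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm'

# Constructed sample of what "nmap -sU" prints; 464/udp deliberately absent.
SAMPLE_UDP_SCAN='88/udp   open|filtered  kerberos-sec
123/udp  open           ntp'

# missing_ports SCAN_TEXT tcp|udp
# Prints the required ports of that protocol that the scan does not list as open.
missing_ports() {
    scan="$1"
    proto="$2"
    case "$proto" in
        tcp) want="$IPA_TCP_PORTS" ;;
        udp) want="$IPA_UDP_PORTS" ;;
        *) echo "usage: missing_ports SCAN_TEXT tcp|udp" >&2; return 2 ;;
    esac
    missing=""
    for p in $want; do
        # nmap prints "open" for TCP and usually "open|filtered" for UDP;
        # both begin with "open", so one pattern covers the two cases.
        if ! printf '%s\n' "$scan" | grep -Eq "^${p}/${proto}[[:space:]]+open"; then
            missing="$missing $p"
        fi
    done
    printf '%s\n' "${missing# }"
}

# fetch_ca_cert SERVER
# Confirms port 80 really serves the CA certificate, not just that it is open.
# Assumption: the server publishes it at /ipa/config/ca.crt. Needs network
# access, so it is not exercised offline.
fetch_ca_cert() {
    curl -sSf "http://$1/ipa/config/ca.crt"
}

# Live usage against a real server (replace ipa.example.com):
#   missing_ports "$(nmap -p 80,443,389,636,88,464 ipa.example.com)" tcp
#   missing_ports "$(nmap -sU -p 88,464,123 ipa.example.com)" udp
#   fetch_ca_cert ipa.example.com | openssl x509 -noout -subject
```

Two points the posted scan cannot settle on its own: nmap's default scan covers TCP only, so the UDP ports Kerberos and NTP use need a separate `-sU` run, and on EC2 a security group rule for TCP does not cover UDP; and an open port 80 only proves the path is reachable, so fetching the CA certificate over it is the check that matches the failing step.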
