Thanks for the response, I just checked out my security group settings,
I did have some ports blocked, however, allowing them did not help. I
installed nmap on the client and did a port scan of the server and got the
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
I tried to enroll again and got the same error as seen here:
Synchronizing time with KDC...
ipa : ERROR Cannot obtain CA certificate
On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhal...@gmail.com> wrote:
> Hi John,
> I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
> It turned out to be that port 80 wasn't open on the freeipa server.
> I would check your ports and see if the right ones are open.
> I also find that setting up the SRV and TXT records in your dns zone makes
> setting up clients a lot simpler.
> On 19 February 2013 00:58, John Moyer <john.mo...@digitalreasoning.com> wrote:
> Hello all,
> I am having an issue using IPA 2.2.0. I am trying to put together a
> proof of concept set of systems. I've stood up 2 servers on AWS. One is
> the server one is the client. I am using CentOS 6 to do all this testing
> on, with the default IPA packages provided from CentOS. I had a fully
> operational proof of concept finished fully scripted to be built without
> issues. I shut down and started these as needed to show to people to get
> approval for the project. The other day the client stopped enrolling to the
> IPA server; I have no idea why. I assume a patch pushed out broke something
> since it is a fully scripted install. It does get the most recent patches
> each time I stand it up so it definitely would pull any new patches that came
> After investigating I am getting this error when I try to manually
> enroll the client. I haven't been able to find any reference to this error
> anywhere on the net. Any help would be greatly appreciated! Let me know if
> any additional details are needed.
> PLEASE NOTE: Everything below has been sanitized
> [root@client ~]# ipa-client-install --domain=example.com
> --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh
> --configure-sshd -p ipa-bind -w "blah" -U
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: client.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: digitalreasoning.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
> Synchronizing time with KDC...
> ipa : ERROR Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> John Moyer
> Freeipa-users mailing list
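The two diagnostics the thread turns on are whether the server ports an IPA client needs are reachable and whether the DNS discovery records exist. The script below is an added example, not code from the thread or from the FreeIPA project: it parses nmap-style "PORT STATE SERVICE" output such as the scan John posted, reports which required TCP ports are not open, flags the UDP ports a default TCP-only nmap scan never checks, and lists the SRV/TXT names Peter refers to. The required-port table and the record names are my assumptions about what the client uses (HTTP for the CA certificate download, LDAP/LDAPS and Kerberos/kpasswd for enrollment); the sample scan text is constructed from the scan in the message.

```python
import re

# TCP ports an IPA client is assumed to need on the server (assumption based on
# the thread: HTTP fetches the CA certificate, the rest serve Kerberos and LDAP).
REQUIRED_TCP_PORTS = {
    80: "http (CA certificate download)",
    443: "https",
    389: "ldap",
    636: "ldaps",
    88: "kerberos",
    464: "kpasswd",
}

# Kerberos also runs over UDP; a default nmap run only probes TCP, so an
# "all open" TCP scan still says nothing about these ports.
REQUIRED_UDP_PORTS = {88: "kerberos", 464: "kpasswd"}

# Constructed from the scan output posted in the thread.
SAMPLE_SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
"""

SCAN_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text):
    """Map (port, proto) -> state from nmap-style 'PORT STATE SERVICE' lines."""
    result = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            result[(int(m.group(1)), m.group(2))] = m.group(3)
    return result


def missing_tcp_ports(scan):
    """Required TCP ports whose state is anything other than 'open'."""
    return sorted(p for p in REQUIRED_TCP_PORTS if scan.get((p, "tcp")) != "open")


def unverified_udp_ports(scan):
    """Required UDP ports the scan did not probe at all (needs nmap -sU)."""
    return sorted(p for p in REQUIRED_UDP_PORTS if (p, "udp") not in scan)


def expected_dns_records(domain, realm):
    """Discovery records to verify with dig; names are my assumption (hypothetical helper)."""
    return [
        ("SRV", f"_ldap._tcp.{domain}", "server hostname and port 389"),
        ("SRV", f"_kerberos._tcp.{domain}", "server hostname and port 88"),
        ("SRV", f"_kerberos._udp.{domain}", "server hostname and port 88"),
        ("SRV", f"_kpasswd._tcp.{domain}", "server hostname and port 464"),
        ("SRV", f"_kpasswd._udp.{domain}", "server hostname and port 464"),
        ("TXT", f"_kerberos.{domain}", realm),
    ]


def report(scan_text, domain, realm):
    """Summarise what the scan proves, what it leaves unverified, and what to check in DNS."""
    scan = parse_scan(scan_text)
    return {
        "missing_tcp": missing_tcp_ports(scan),
        "unverified_udp": unverified_udp_ports(scan),
        "dns_records": expected_dns_records(domain, realm),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_SCAN, "example.com", "EXAMPLE.COM")
    print("required TCP ports not open:", summary["missing_tcp"] or "none")
    print("UDP ports not covered by this scan:", summary["unverified_udp"])
    for rtype, name, expect in summary["dns_records"]:
        print(f"check {rtype:3} {name}  (expect: {expect})")
```

Run against the posted scan it reports no missing TCP ports, which matches John's finding that opening the security group did not fix the enrollment; it does point out that UDP 88 and 464 were never probed, and it prints the DNS names to query with dig. The remaining failure, "Cannot obtain CA certificate", is specific to the certificate fetch rather than connectivity, so the next thing I would confirm by hand is that the CA certificate is actually served by the server (for IPA 3.x I believe the client fetches it over HTTP from the server's /ipa/config/ca.crt path; treat that path as an assumption and verify it against your version).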