My poor 2 ideas,

You could try web browsing to the IPA server to see if the cert is there (wild 

~/ipa and see if there is a CA cert you can import.

Is the client pointing at the IPA server for its DNS?


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of John Moyer [john.mo...@digitalreasoning.com]
Sent: Tuesday, 19 February 2013 2:03 p.m.
To: Peter Brown
Cc: freeipa-users
Subject: Re: [Freeipa-users] Cannot obtain CA Certificate


Thanks for the response, I just checked out my security group settings, I did 
have some ports blocked, however, allowing them did not help. I installed 
nmap on the client and did a port scan of the server and got the following:

22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

I tried to enroll again and got the same error as seen here:

Synchronizing time with KDC...

ipa         : ERROR    Cannot obtain CA certificate

John Moyer

On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhal...@gmail.com> wrote:

Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
It turned out to be that port 80 wasn't open on the freeipa server.
I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your dns zone makes 
setting up clients a lot simpler.

On 19 February 2013 00:58, John Moyer <john.mo...@digitalreasoning.com> wrote:
Hello all,

I am having an issue using IPA 2.2.0. I am trying to put together a proof of 
concept set of systems. I've stood up 2 servers on AWS. One is the server, 
one is the client. I am using CentOS 6 to do all this testing on, with the 
default IPA packages provided from CentOS. I had a fully operational proof of 
concept finished, fully scripted to be built without issues. I shut down and 
started these as needed to show to people to get approval for the project. 
The other day the client stopped enrolling to the IPA server; I have no idea 
why. I assume a patch pushed out broke something, since it is a fully scripted 
install. It does get the most recent patches each time I stand it up, so it 
definitely would pull any new patches that came out.

After investigating I am getting this error when I try to manually enroll the 
client.  I haven't been able to find any reference to this error anywhere on 
the net.  Any help would be greatly appreciated!  Let me know if any additional 
details are needed.

PLEASE NOTE:  Everything below has been sanitized

[root@client ~]# ipa-client-install --domain=example.com 
--realm=EXAMPLE.COM --configure-ssh --configure-sshd -p 
ipa-bind -w "blah" -U
DNS domain 'example.com' is not configured for automatic 
KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: digitalreasoning.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...

ipa         : ERROR    Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

John Moyer
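A check for the two conditions discussed in this thread (the server ports the client needs, and whether the CA certificate can actually be fetched), written as an added example and not code from any of the posters. It assumes the sanitized hostname ipa1.example.com from John's output, and that the server publishes its CA at /ipa/config/ca.crt, which is where a FreeIPA web server exposes it.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify the TCP ports a FreeIPA client
# needs on the server, and flag missing ones in an nmap-style scan listing
# like the one John posted.

# Ports ipa-client-install talks to, taken from the scan in the thread:
# 80/443 (CA cert and XML-RPC), 88/464 (Kerberos), 389/636 (LDAP), 749 (kadmin).
IPA_REQUIRED_PORTS="80 88 389 443 464 636 749"

# Read scan output on stdin ("NN/tcp  open  service" lines) and print the
# required ports that are NOT listed as open, one per line.
missing_ipa_ports() {
    local open_ports port
    open_ports=$(awk '$2 == "open" { split($1, a, "/"); print a[1] }')
    for port in $IPA_REQUIRED_PORTS; do
        if ! printf '%s\n' "$open_ports" | grep -qx "$port"; then
            echo "$port"
        fi
    done
}

# Live reachability check using bash's /dev/tcp, so nmap is not needed.
# Usage: probe_ipa_ports ipa1.example.com
probe_ipa_ports() {
    local host="$1" port
    for port in $IPA_REQUIRED_PORTS; do
        if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
            echo "$port/tcp open"
        else
            echo "$port/tcp closed or filtered"
        fi
    done
}

# Fetch the CA certificate over plain HTTP (port 80, the one Peter found
# blocked) and confirm it parses as X.509 before trusting it on a client.
# Usage: fetch_ipa_ca_cert ipa1.example.com [outfile]
fetch_ipa_ca_cert() {
    local host="$1" out="${2:-ipa-ca.crt}"
    curl -fsS "http://$host/ipa/config/ca.crt" -o "$out" || return 1
    openssl x509 -in "$out" -noout -subject -enddate
}
```

Pipe the nmap output into missing_ipa_ports to see which required ports a security group still blocks; an empty result means the listing matches what the client needs.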

Freeipa-users mailing list
