Hi,

My poor 2 ideas,

You could try web browsing to the IPA server to see if the cert is there (wild guess). ~/ipa and see if there is a CA cert you can import.

Is the client pointing at the IPA server for its DNS?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of John Moyer [john.mo...@digitalreasoning.com]
Sent: Tuesday, 19 February 2013 2:03 p.m.
To: Peter Brown
Cc: freeipa-users
Subject: Re: [Freeipa-users] Cannot obtain CA Certificate

Peter,

Thanks for the response. I just checked out my security group settings; I did have some ports blocked, however, allowing them did not help. I installed nmap on the client and did a port scan of the server and got the following:

PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

I tried to enroll again and got the same error as seen here:

Synchronizing time with KDC...
ipa         : ERROR    Cannot obtain CA certificate

Thanks,
_____________________________________________________
John Moyer

On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhal...@gmail.com> wrote:

Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server. It turned out to be that port 80 wasn't open on the freeipa server. I would check your ports and see if the right ones are open.

I also find that setting up the SRV and TXT records in your dns zone makes setting up clients a lot simpler.

On 19 February 2013 00:58, John Moyer <john.mo...@digitalreasoning.com> wrote:

Hello all,

I am having an issue using IPA 2.2.0. I am trying to put together a proof of concept set of systems. I've stood up 2 servers on AWS. One is the server, one is the client. I am using CentOS 6 to do all this testing on, with the default IPA packages provided from CentOS. I had a fully operational proof of concept finished, fully scripted to be built without issues. I shut down and started these as needed to show to people to get approval for the project. The other day the client stopped enrolling to the IPA server. I have no idea why; I assume a patch pushed out broke something since it is a fully scripted install. It does get the most recent patches each time I stand it up, so it definitely would pull any new patches that came out.

After investigating I am getting this error when I try to manually enroll the client. I haven't been able to find any reference to this error anywhere on the net. Any help would be greatly appreciated! Let me know if any additional details are needed.

PLEASE NOTE: Everything below has been sanitized

[root@client ~]# ipa-client-install --domain=example.com --server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: digitalreasoning.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
ipa         : ERROR    Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Thanks,
_____________________________________________________
John Moyer

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
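The port check discussed in this thread, as an added shell example that is not from any of the posters: it compares an nmap TCP scan of the IPA server against the TCP ports a FreeIPA client has to reach during enrollment. The required-port list is what I recall from the FreeIPA server documentation and is an assumption, as are the function name and the two constructed sample scans (John's posted scan, and Peter's case with port 80 blocked).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed required client-to-server TCP
# ports (from the FreeIPA docs as I know them): 80/443 HTTP(S) for the CA
# cert and XML-RPC, 389/636 LDAP(S), 88/464 Kerberos, 53 DNS (only needed
# when the client resolves through the IPA server).
IPA_CLIENT_TCP_PORTS="80 443 389 636 88 464 53"

# missing_ipa_ports NMAP_OUTPUT
# Prints, space-separated, the required ports that are not reported as
# "<port>/tcp open" in the scan text. Prints an empty line when all are open.
missing_ipa_ports() {
    scan="$1"
    missing=""
    for p in $IPA_CLIENT_TCP_PORTS; do
        # Anchor on the port so 88 does not match 389, 53 does not match 1053.
        if ! printf '%s\n' "$scan" | grep -q "^$p/tcp[[:space:]]*open"; then
            missing="${missing:+$missing }$p"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample: the scan John posted (every needed port is open).
SCAN_OK='PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm'

# Constructed sample: the situation Peter hit, port 80 filtered by the
# security group while everything else is reachable.
SCAN_NO_HTTP='PORT STATE SERVICE
53/tcp open domain
80/tcp filtered http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl'

echo "missing (John's scan): '$(missing_ipa_ports "$SCAN_OK")'"
echo "missing (port 80 blocked): '$(missing_ipa_ports "$SCAN_NO_HTTP")'"
```

An empty result, as with John's scan, only rules out the firewall; the error he gets names the LDAP lookup of the CA certificate, so the next place to look is the server side rather than the security group.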