Armstrong, Kenneth Lawrence wrote:
On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote:
On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote:
Armstrong, Kenneth Lawrence wrote:
> Hi all,
>
> I have a RHEL 6 IdM test domain set up.  In production, we have RHEL 5
> and RHEL 4 clients as well, so I was going to test that out.
>
> However, I cannot get a RHEL 5.9 client to join the domain.
>
> [root@r5-idmclient ~]# ipa-client-install --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Digging a little bit and I see that the ipa-client is an older version:
>
> ipa-client-2.1.3-5.el5_9.2
>
> Doing a yum update/upgrade doesn't show a newer version.
>
> I was considering a manual installation, but the ipa-admintools don't
> appear to be available for RHEL 5.9?
>
> Is there a way to make this work?

I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It
should be possible to use the 2.1.3 client in EL 5 to enroll against a
3.x server.

Otherwise we probably need more context from
/var/log/ipaclient-install.log to see how the CA was retrieved.

rob


Thanks for the tip.  I tried it again, and it still failed.  End of
the log:

[root@r5-idmclient ~]# tail -20 /var/log/ipaclient-install.log
  lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU


2013-07-22 13:45:36,982 DEBUG args=kinit ad...@lnxrealmtest.liberty.edu
2013-07-22 13:45:36,983 DEBUG stdout=Password for ad...@lnxrealmtest.liberty.edu:

2013-07-22 13:45:36,983 DEBUG stderr=
2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from
ldap://lnxrealmtest01.liberty.edu
2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert
    Subject:     /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority
    Issuer:      /DC=edu/DC=liberty/CN=LUPKI01

2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s
lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu
2013-07-22 13:45:37,345 DEBUG stdout=
2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the
HTTP POST transaction.  SSL certificate problem, verify that the CA
cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed

2013-07-22 13:45:37,490 DEBUG args=kdestroy
2013-07-22 13:45:37,491 DEBUG stdout=
2013-07-22 13:45:37,491 DEBUG stderr=
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

I just stood up a brand new RHEL 6 client, and it works just fine, so
there is something amiss with RHEL 5 on this.  The time on the RHEL 5
client and the RHEL 6 IdM server is the same, and the cert is valid, so
I don't know why the RHEL 5 system does not like the cert.  Could it be
something with the versions of packages installed on it?

libipa_hbac-1.5.1-58.el5
ipa-client-2.1.3-5.el5_9.2
curl-7.15.5-17.el5_9
openssl-0.9.8e-26.el5_9.1

I have the feeling that OpenSSL doesn't like your CA certificate for some reason.

Can you try this:

# openssl s_client -host lnxrealmtest01.liberty.edu -port 443 -CAfile /etc/ipa/ca.crt

Adding the -debug flag will add even more output.

rob
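
Alongside Rob's openssl s_client suggestion, here is an added shell example (not from the thread or the FreeIPA project): it reports whether a CA file is self-signed or subordinate by comparing subject and issuer, and verifies a server certificate against that file offline the way libcurl's verification would. The CA cert retrieved in the log above has an issuer different from its subject, and that is the situation the example exercises; the root/subordinate/server chain it builds and all names in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. A trust file holding only a subordinate
# CA (issuer != subject) cannot anchor a chain for OpenSSL unless the root is
# present too; OpenSSL 0.9.8 (the RHEL 5 version in the thread) has no
# partial-chain mode at all. All names and the demo chain are constructed.

# Print "self-signed" if the first cert in $1 is its own issuer, else "subordinate".
ca_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo subordinate; fi
}

# Print "ok" if server cert $2 chains to trust file $1, else "failed".
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo failed; fi
}

# Build root -> subordinate CA -> server cert in directory $1 (constructed test data).
make_demo_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$d/root.key" \
        -out "$d/root.pem" -subj "/DC=test/DC=example/CN=EXAMPLE-ROOT" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/sub.key" -out "$d/sub.csr" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
        -subj "/CN=ipa.example.test" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -out "$d/srv.pem" >/dev/null 2>&1
    # What a client-side CA file needs to hold for a subordinate IPA CA: root plus sub.
    cat "$d/root.pem" "$d/sub.pem" > "$d/full.pem"
}

# Demo run: subordinate-only trust file fails, root plus subordinate succeeds.
tmp=$(mktemp -d)
make_demo_chain "$tmp"
echo "sub.pem is $(ca_is_self_signed "$tmp/sub.pem"), verify with it alone: $(verify_leaf "$tmp/sub.pem" "$tmp/srv.pem")"
echo "full.pem (root+sub), verify: $(verify_leaf "$tmp/full.pem" "$tmp/srv.pem")"
rm -rf "$tmp"
```

Running ca_is_self_signed against /etc/ipa/ca.crt on the client tells you which of the two cases that file is in before reaching for the -debug output.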
