Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
Ok, if I have time, I'll try with a RHEL 5.8 client today.


As for debug output, this is what I get:

[root@r5-idmclient ~]# ipa-client-install
--server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu
--enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu',
'uninstall': False, 'force': False, 'sssd': True,
'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False,
'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
None}
root        : DEBUG    missing options might be asked for interactively
later

root        : DEBUG    Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Init ldap with: ldap://lnxrealmtest01.liberty.edu:389
root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
match CN in peer certificate
root        : DEBUG    will use domain: lnxrealmtest.liberty.edu

root        : DEBUG    will use server: lnxrealmtest01.liberty.edu

Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


I do have an A record and PTR record for both lnxrealmtest01.liberty.edu
and lnxrealmtest.lnxrealmtest.liberty.edu.

The part that confuses me (I'm still new to the innards of SSL) is this:

LDAP Error: Connect error: TLS: hostname does not match CN in peer
certificate

When I look at the cert using:

openssl x509 -in /etc/ipa/ca.crt -noout -text

I see this:

Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
         Validity
             Not Before: Jul 25 18:22:53 2013 GMT
             Not After : Jul 25 18:22:53 2033 GMT
         Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority


and ...

OCSP - URI:http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp

No, you looked at the wrong certificate.

To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
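The check that failed in the client log above, as an added example that is not from the thread or from FreeIPA: the name the client was told to connect to (`--server lnxrealmtest01.liberty.edu`) is compared against the names carried by the LDAP server's own certificate (SAN dNSName entries first, subject CN as the legacy fallback), which is why the CA certificate's `CN=Certificate Authority` is irrelevant to the error. The CA certificate below is built from the subject shown in the thread; the server certificate, the LDAPS port 636 and all function names are assumptions, since the thread never shows the dirsrv `Server-Cert`. The name on the assumed server certificate is taken from the OCSP URI in the CA certificate.

```python
# Added example (not from the thread or from FreeIPA): the hostname-vs-certificate
# check behind "TLS: hostname does not match CN in peer certificate", applied to
# certificates in the dict shape Python's ssl.SSLSocket.getpeercert() returns.
import socket
import ssl


def cert_names(cert):
    """Return (SAN dNSName list, subject commonName list) from a getpeercert()-style dict."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return san, cns


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and '*'
    accepted only as the entire leftmost label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def match_hostname(cert, hostname):
    """Return (ok, reason). SAN dNSNames take precedence; the CN is only consulted when
    the certificate carries no SAN dNSName at all."""
    san, cns = cert_names(cert)
    candidates, source = (san, "subjectAltName") if san else (cns, "subject CN")
    for name in candidates:
        if name_matches(name, hostname):
            return True, "%r matches %r in %s" % (hostname, name, source)
    return False, "hostname %r does not match %s %r" % (hostname, source, candidates)


# Constructed from the subject the thread shows for /etc/ipa/ca.crt: a CA certificate,
# whose CN can never match a server name no matter which host the client connects to.
CA_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "Certificate Authority"),)),
}

# HYPOTHETICAL server certificate (the thread never shows the dirsrv Server-Cert);
# the name is assumed from the OCSP URI printed in the CA certificate.
SERVER_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "lnxrealmtest01.lnxrealmtest.liberty.edu"),)),
    "subjectAltName": (("DNS", "lnxrealmtest01.lnxrealmtest.liberty.edu"),),
}


def fetch_peer_cert(host, port=636, cafile="/etc/ipa/ca.crt"):
    """Fetch the server's certificate over LDAPS (port 636 is an assumption) as a
    getpeercert() dict. The chain is still verified against cafile; only the hostname
    check is deferred to match_hostname() so a mismatch is reported, not aborted on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    target = "lnxrealmtest01.liberty.edu"  # the name passed to --server in the thread
    if len(sys.argv) > 1:                  # optional: python3 check.py <host> (connects to port 636)
        target = sys.argv[1]
        cert = fetch_peer_cert(target)
    else:
        cert = SERVER_CERT
    print("CA cert    :", match_hostname(CA_CERT, target)[1])
    print("server cert:", match_hostname(cert, target)[1])
```

Run without arguments it compares the thread's `--server` name against both constructed certificates and reports a mismatch for each; run with a hostname it pulls the real certificate from that server's LDAPS port and compares that instead, which is the same information `certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert` shows on the server side.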
