Armstrong, Kenneth Lawrence wrote:
On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote:
Ok, if I have time, I'll try with a RHEL 5.8 client today.

As for debug output, this is what I get:

[root@r5-idmclient ~]# ipa-client-install
--server --domain
--enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with
options: {'conf_ntp': False, 'domain': '',
'uninstall': False, 'force': False, 'sssd': True,
'krb5_offline_passwords': True, 'hostname': None, 'permit': False,
'server': '', 'prompt_password': False,
'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False,
'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt',
'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal':
root        : DEBUG    missing options might be asked for interactively

root        : DEBUG    Loading Index file from
root        : DEBUG    Loading StateFile from
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    Init ldap with: ldap://
root        : ERROR    LDAP Error: Connect error: TLS: hostname does not
match CN in peer certificate
root        : DEBUG    will use domain:

root        : DEBUG    will use server:

Failed to verify that is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

I do have an A record and PTR record for both

The part that confuses me (I'm still new to the innards of SSL) is this:

LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate

When I look at the cert using:

openssl x509 -in /etc/ipa/ca.crt -noout -text

I see this:

        Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority
            Not Before: Jul 25 18:22:53 2013 GMT
            Not After : Jul 25 18:22:53 2033 GMT
        Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority

and ...


No, you looked at the wrong certificate.

To look at it use:

# certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert
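The "hostname does not match CN in peer certificate" error is about the certificate the directory server presents on the wire (Server-Cert), not the CA certificate in /etc/ipa/ca.crt. The following added example (not part of this thread or of FreeIPA) shows the matching rule the client applies: SAN dNSNames take precedence over the CN, the CN is only a fallback, and a wildcard may only be the whole leftmost label. The two certificate dicts are constructed samples in the layout that ssl.SSLSocket.getpeercert() returns; the server hostname in them is hypothetical, and fetch_peer_cert assumes the server also serves LDAPS on port 636.

```python
import ssl
import socket

# Constructed samples in getpeercert() layout, modelled on the thread's certs.
# Hostname "ipa.lnxrealmtest.liberty.edu" is hypothetical, not from the thread.
CA_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "Certificate Authority"),)),
}
SERVER_CERT = {
    "subject": ((("organizationName", "LNXREALMTEST.LIBERTY.EDU"),),
                (("commonName", "ipa.lnxrealmtest.liberty.edu"),)),
    "subjectAltName": (("DNS", "ipa.lnxrealmtest.liberty.edu"),),
}

def _dns_match(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard must be the entire leftmost label and leave at least two
        # more labels: "*.example.test" is accepted, "*.test" is not.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial-label wildcards such as "f*o.example.test" never match

def identities(cert):
    """Names the certificate asserts: DNS SANs if any exist, otherwise the CN."""
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert, hostname):
    return any(_dns_match(name, hostname) for name in identities(cert))

def explain(cert, hostname):
    """One-line triage message in the spirit of the ipa-client-install error."""
    names = ", ".join(identities(cert)) or "<no name>"
    if hostname_matches(cert, hostname):
        return "ok: %s matches %s" % (hostname, names)
    return "hostname %s does not match %s in peer certificate" % (hostname, names)

def fetch_peer_cert(host, port=636, cafile="/etc/ipa/ca.crt"):
    """Fetch the cert a live server presents, chain-validated against the IPA
    CA but with hostname checking off so a mismatch can be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running explain(CA_CERT, host) reproduces the mismatch for the CA certificate regardless of the hostname, which is why inspecting ca.crt cannot explain the error; explain(fetch_peer_cert(host), host) checks the certificate the client actually sees.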