# ipa-client-install -U --server zsipa.foo.net --domain foo.net --password obscured --mkhomdir --enable-dns-updates
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Failed to verify that zsipa.foo.net is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
:
:
Installation failed. Rolling back changes.
IPA client is not configured on this system.

# ps aux | grep firewalld | grep -v grep

# getenforce
Disabled

# cat /var/log/ipaclient-install.log
:
:
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm foo.net) is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8173:Peer's certificate issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
DEBUG will use discovered domain: foo.net
DEBUG IPA Server not found
DEBUG [IPA Discovery]
DEBUG Starting IPA discovery with domain=foo.net, servers=['zsipa.foo.net'], hostname=jsutil.foo.net
DEBUG Server and domain forced
DEBUG [Kerberos realm search]
DEBUG Search DNS for TXT record of _kerberos.foo.net
DEBUG DNS record found: DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
DEBUG Search DNS for SRV record of _kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm FOO.NET) is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
ERROR Failed to verify that zsipa.foo.net is an IPA Server.
ERROR This may mean that the remote server is not up or is not reachable due to network or firewall settings.
INFO Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
DEBUG (zspia.foo.net: Provided as option)
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
I removed the timestamps for readability. It seems to me that something from the old version is hanging around and getting in the way, or that something in the setup of the new server isn't quite complete -- which seems more likely, and where should I be looking for the actual cause? Is this a problem with a certificate or with the server not being discoverable?

--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
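The question the post ends on, certificate problem or discovery problem, can be answered from the log itself: the DNS lines show discovery working, and a TLS error can only be raised after the TCP connection to port 389 has been made and the handshake started. The script below is an added example, not code from the post or from the FreeIPA project. It parses ipaclient-install.log lines (a constructed sample, taken from the lines quoted above with timestamps omitted) and separates the three failure classes: DNS discovery never found a server, the LDAP port was not reachable, or the connection was made but the client refused the server certificate. The mapping of -8172 to SEC_ERROR_UNTRUSTED_ISSUER is the NSS error name for that code; the verdict labels and the `ldap_connectivity` branch for a failure with no TLS error are this example's own assumptions.

```python
"""Classify an ipa-client-install failure from ipaclient-install.log lines.

Added example, not part of the freeipa-users post or of FreeIPA itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# NSS error code seen in the post: -8172 is SEC_ERROR_UNTRUSTED_ISSUER
# (issuer certificate present but marked as not trusted).
NSS_ERRORS = {-8172: "SEC_ERROR_UNTRUSTED_ISSUER"}

# Constructed sample: the log lines quoted in the post, without timestamps.
SAMPLE_LOG = """\
DEBUG [IPA Discovery]
DEBUG Starting IPA discovery with domain=foo.net, servers=['zsipa.foo.net'], hostname=jsutil.foo.net
DEBUG Server and domain forced
DEBUG [Kerberos realm search]
DEBUG Search DNS for TXT record of _kerberos.foo.net
DEBUG DNS record found: DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
DEBUG Search DNS for SRV record of _kerberos._udp.foo.net
DEBUG DNS record found: DNSResult::name:_kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm FOO.NET) is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
ERROR Failed to verify that zsipa.foo.net is an IPA Server.
ERROR This may mean that the remote server is not up or is not reachable due to network or firewall settings.
"""

DNS_RE = re.compile(r"DNS record found: DNSResult::name:(\S+?),type:(\d+),class:\d+,rdata=\{([^}]*)\}")
LDAP_RE = re.compile(r"Init LDAP connection with: (ldaps?://\S+)")
TLS_RE = re.compile(r"TLS error (-\d+):(.*)")
RESULT_RE = re.compile(r"Discovery result: (\w+);.*\bkdc=([^,\s]+)")
FAILED_RE = re.compile(r"Failed to verify that \S+ is an IPA Server")


@dataclass
class Diagnosis:
    dns_records: List[Tuple[int, str]] = field(default_factory=list)  # (rrtype, rdata)
    kdc: Optional[str] = None
    discovery_result: Optional[str] = None
    ldap_url: Optional[str] = None
    tls_error: Optional[int] = None
    tls_message: Optional[str] = None
    failed: bool = False
    verdict: str = "no_failure_recorded"


def diagnose(log_text: str) -> Diagnosis:
    """Collect the discovery/LDAP evidence from the log and assign a verdict."""
    d = Diagnosis()
    for line in log_text.splitlines():
        if m := DNS_RE.search(line):
            d.dns_records.append((int(m.group(2)), m.group(3)))
        elif m := LDAP_RE.search(line):
            d.ldap_url = m.group(1)
        elif m := TLS_RE.search(line):
            d.tls_error = int(m.group(1))
            d.tls_message = m.group(2).strip()
        elif m := RESULT_RE.search(line):
            d.discovery_result, d.kdc = m.group(1), m.group(2)
        elif FAILED_RE.search(line):
            d.failed = True

    if not d.failed:
        d.verdict = "no_failure_recorded"
    elif d.tls_error is not None:
        # A TLS error implies TCP connected and the handshake ran: trust, not reachability.
        d.verdict = "tls_trust"
    elif not d.dns_records and d.ldap_url is None:
        d.verdict = "dns_discovery"
    else:
        # Assumption: LDAP attempted, no TLS error, still failed -> network/firewall path.
        d.verdict = "ldap_connectivity"
    return d


def explain(d: Diagnosis) -> str:
    """Defender-oriented reading of the verdict."""
    if d.verdict == "tls_trust":
        name = NSS_ERRORS.get(d.tls_error, "unmapped NSS code")
        return (f"DNS discovery found {len(d.dns_records)} record(s), kdc={d.kdc}; the client "
                f"connected to {d.ldap_url} and started TLS, so the network path is open. "
                f"The client then rejected the server certificate: TLS error {d.tls_error} "
                f"({name}): {d.tls_message} Check which CA the client trusts against the CA "
                f"that issued the server's LDAP certificate.")
    if d.verdict == "dns_discovery":
        return "No SRV/TXT records were found and no LDAP connection was attempted: DNS discovery problem."
    if d.verdict == "ldap_connectivity":
        return f"LDAP connection to {d.ldap_url} failed without a TLS error: check reachability and firewall."
    return "No 'Failed to verify' line found; nothing to diagnose."


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run against the sample, the verdict is `tls_trust`: discovery succeeded (TXT and SRV records, kdc=zsipa.foo.net), the LDAP connection reached port 389, and the client refused the certificate chain. Point the same function at a real, timestamped log; the regexes search within each line, so the timestamps do not need stripping.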
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users