Bret Wortman wrote:
I'd like to test migrating our clients from the old IPA infrastructure
to our newer F20-based servers but am having trouble with our first
clients. Unenrolling them from the old IPA servers went fine, but when I
try to enroll them with the newer ones, the logs report:

# ipa-client-install -U --server zsipa.foo.net --domain foo.net
--password obscured --mkhomdir --enable-dns-updates
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user.
Failed to verify that zsipa.foo.net is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
:
:
Installation failed. Rolling back changes.
IPA client is not configured on this system.
# ps aux | grep firewalld| grep -v grep
# getenforce
Disabled
# cat /var/log/ipaclient-install.log
:
:
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm foo.net) is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8173:Peer's certificate
issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net,
kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
DEBUG will use discovered domain: foo.net
DEBUG IPA Server not found
DEBUG [IPA Discovery] Starting IPA discovery with domain=foo.net,
servers=['zsipa.foo.net'], hostname=jsutil.foo.net
DEBUG Server and domain forced
DEBUG [Kerberos realm search]
DEBUG Search DNS for TXT record of _kerberos.foo.net
DEBUG DNS record found:
DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
DEBUG Search DNS for SRV record of
_kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm FOO.NET)is an IPA server
DEBUG Init LDAP connection with: ldap://zsipa.foo.net:389
ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate
issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net,
kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
ERROR Failed to verify that zsipa.foo.net is an IPA Server.
ERROR This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
INFO Please make sure the following ports are opened in the firewall
settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
DEBUG (zspia.foo.net: Provided as option)
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.

I removed the timestamps for readability.

It seems to me that something from the old version is hanging around and
getting in the way, or that something in the setup of the new server
isn't quite complete -- which seems more likely, and where should I be
looking for the actual cause? Is this a problem with a certificate or
with the server not being discoverable?

You don't say what release the clients are but try removing /etc/ipa/ca.crt. This is fixed in newer releases.

rob
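A small pre-flight check for the situation Rob describes, added here as an example rather than anything from the thread or the FreeIPA project: before re-running ipa-client-install, compare the CA certificate left behind in /etc/ipa/ca.crt with the one the target server publishes, and report whether the cached file belongs to a different (old) CA. The assumptions are the download path http://<server>/ipa/config/ca.crt (the location the installer itself fetches the CA from) and the function names; the two PEM blobs built at the bottom are constructed stand-ins, not real X.509 certificates, so the comparison logic can run offline.

```python
"""Check whether a cached /etc/ipa/ca.crt matches the CA an IPA server publishes.

Added example, not part of the mailing-list thread or the FreeIPA project.
A "stale" verdict is the condition behind TLS error -8172 (untrusted issuer)
during enrollment after moving to a new IPA infrastructure.
"""
import base64
import hashlib
import re
import sys
import urllib.request
from typing import List, Optional

LOCAL_CA_PATH = "/etc/ipa/ca.crt"                    # file ipa-client-install writes and trusts
SERVER_CA_URL = "http://{server}/ipa/config/ca.crt"  # assumption: where the installer fetches the CA

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 over the DER bytes of each certificate in a PEM bundle.

    Same value as `openssl x509 -noout -fingerprint -sha256` without the
    colons, so a result can be cross-checked by hand on the server.
    """
    fps = []
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def classify_local_ca(local_pem: Optional[str], server_pem: str) -> str:
    """Return 'absent', 'unparseable', 'match' or 'stale' for the cached CA file."""
    server_fps = pem_fingerprints(server_pem)
    if not server_fps:
        raise ValueError("server response contained no PEM certificate")
    if local_pem is None:
        return "absent"          # nothing cached: the installer will fetch a fresh CA
    local_fps = set(pem_fingerprints(local_pem))
    if not local_fps:
        return "unparseable"     # file exists but holds no certificate block
    # Every CA the server publishes must already be in the local bundle.
    if set(server_fps) <= local_fps:
        return "match"
    return "stale"               # cached CA comes from a different (old) infrastructure


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <ipa-server-fqdn>", file=sys.stderr)
        return 2
    url = SERVER_CA_URL.format(server=argv[1])
    server_pem = urllib.request.urlopen(url, timeout=10).read().decode()
    try:
        with open(LOCAL_CA_PATH) as fh:
            local_pem = fh.read()
    except FileNotFoundError:
        local_pem = None
    verdict = classify_local_ca(local_pem, server_pem)
    print(f"{LOCAL_CA_PATH}: {verdict}")
    if verdict == "stale":
        print("cached CA does not match the one the server publishes; move it aside "
              "(for example to ca.crt.old) and re-run ipa-client-install")
    return 0 if verdict in ("match", "absent") else 1


def _constructed_pem(payload: bytes) -> str:
    """Wrap constructed bytes as a PEM block. NOT a real certificate; it only
    gives the fingerprint comparison something to run on offline."""
    b64 = base64.encodebytes(payload).decode()   # wrapped at 76 chars, trailing newline
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed samples standing in for the old and new infrastructure CAs.
OLD_INFRA_CA = _constructed_pem(b"constructed: CA of the old IPA infrastructure")
NEW_F20_CA = _constructed_pem(b"constructed: CA of the new F20-based servers")

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The fetch is plain HTTP because that is all a not-yet-enrolled client has; it tells you whether the cached file is the wrong CA, not whether the downloaded one is the right one. Confirm the server's fingerprint out of band (on the IPA server itself) before trusting it, and move the stale file aside rather than deleting it so the old trust anchor can still be inspected.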


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users