Harald Dunkel wrote:
> Hi folks,
> 
> Problem: ipa-client-install fails with
> 
> # rm -f /etc/ipa/ca.crt
> # ipa-client-install
> Discovery was successful!
> Hostname: srvl023.ac.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
> 
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@example.com:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=example AG,C=COM
>     Issuer:      CN=example Root CA,OU=example Certificate Authority,O=example AG,C=COM
>     Valid From:  Mon Dec 28 10:35:30 2015 UTC
>     Valid Until: Mon Dec 31 23:59:59 2035 UTC
> 
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:  SSL certificate problem: self signed certificate in certificate chain
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> 
> ???
> Is this the chain sent from the ipa server to the new host?
> 
> Every helpful idea would be highly appreciated.
>

What version of server and client?

I gather you have installed with an external CA? How many certs are in
/etc/ipa/ca.crt?

rob
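
One way to answer the question above about how many certificates are in /etc/ipa/ca.crt, and to see which entry is the self-signed one, as an added example that is not part of the original thread. The function names `count_certs` and `list_chain` are hypothetical, and "subject equals issuer" is used as a heuristic for self-signed, not a signature check.

```shell
#!/bin/sh
# Added example: inspect a PEM CA bundle such as /etc/ipa/ca.crt.
# Function names are hypothetical; requires grep, awk, sed and openssl.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
count_certs() {
    # grep -c exits non-zero when the count is 0, so mask that status.
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# list_chain FILE: print one tab-separated line per certificate:
# index, "self-signed" or "issued", subject, issuer.
list_chain() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    i=0
    for f in "$tmpdir"/cert*.pem; do
        [ -e "$f" ] || break
        i=$((i + 1))
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        # Heuristic: identical subject and issuer means a self-signed (root) entry.
        if [ "$subj" = "$iss" ]; then kind="self-signed"; else kind="issued"; fi
        printf '%d\t%s\tsubject=%s\tissuer=%s\n' "$i" "$kind" "$subj" "$iss"
    done
    rm -rf "$tmpdir"
}

# When run with a bundle path as argument, print the count and the chain.
if [ "$#" -gt 0 ]; then
    echo "certificates in $1: $(count_certs "$1")"
    list_chain "$1"
fi
```

With an externally signed IPA CA, the bundle would be expected to list both the IPA CA and the external root that issued it; a bundle holding only the IPA CA leaves the client unable to build the chain to the root.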
