Harald Dunkel wrote:
> Hi folks,
> Problem: ipa-client-install fails with
> # rm -f /etc/ipa/ca.crt
> # ipa-client-install
> Discovery was successful!
> Hostname: srvl023.ac.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@example.com:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=example AG,C=COM
> Issuer: CN=example Root CA,OU=example Certificate Authority,O=example AG,C=COM
> Valid From: Mon Dec 28 10:35:30 2015 UTC
> Valid Until: Mon Dec 31 23:59:59 2035 UTC
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: SSL certificate problem: self signed certificate in certificate
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> Is this the chain sent from the ipa server to the new host?
> Every helpful idea would be highly appreciated.
What version of server and client?
I gather you have installed with an external CA? How many certs are in