Harald Dunkel wrote:
> Hi folks,
>
> Problem: ipa-client-install fails with
>
> # rm -f /etc/ipa/ca.crt
> # ipa-client-install
> Discovery was successful!
> Hostname: srvl023.ac.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@example.com:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=example AG,C=COM
> Issuer: CN=example Root CA,OU=example Certificate
> Authority,O=example AG,C=COM
> Valid From: Mon Dec 28 10:35:30 2015 UTC
> Valid Until: Mon Dec 31 23:59:59 2035 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: SSL certificate problem: self signed certificate in certificate
> chain
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> ???
> Is this the chain sent from the ipa server to the new host?
>
> Every helpful idea would be highly appreciated.
>

What version of server and client?

I gather you have installed with an external CA? How many certs are in /etc/ipa/ca.crt?

rob