[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
None via FreeIPA-users wrote:
> Further update: I'm pretty sure I found out the problem.
>
> Basically, my old server is running pyasn1==0.2.3 and the new one has
> pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
> to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
> isn't compatible with these changes.
>
> I've got a ticket open at https://pagure.io/freeipa/issue/7079 about this.

Nice catch. 0.3.1 was just released a few days ago and I haven't had a
chance to try packaging it for Fedora yet much less do any compatibility
testing. Given the API changes I'll need to coordinate the update with the
other module users, including freeIPA.

In the meantime it might be a good idea for packagers to specifically
require 0.2.3 for now.

rob
Further update: I'm pretty sure I found out the problem.

Basically, my old server is running pyasn1==0.2.3 and the new one has
pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
isn't compatible with these changes.

I've got a ticket open at https://pagure.io/freeipa/issue/7079 about this.

- greg
Slight update: I tried precreating /etc/ipa/ca.crt, and when running the
install, I get the same Python error I did before:

  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string',
    univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)

- greg
Hey,

I checked the logs and found this:

conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0

So that looks like it's finding an entry, I guess.

All of the lines have err=0 except these:

conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI

The server is running FreeIPA 4.4:

$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0

- greg
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
> I'm really at a loss on this one.
>
> I have a bunch of old server images (from 2 months ago) that can run
> ipa-client-install just fine. When I created a new image, though, I get this
> error (from the install logs):
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=
> DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
> DEBUG 'ipa.services.example' doesn't have a certificate.
> ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
> You must specify --force to retrieve the CA cert using HTTP
> ERROR Cannot obtain CA certificate
> HTTP certificate download requires --force
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
>
> For comparison, the old images work as expected:
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=
> INFO Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.SERVICES.example
> Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
> Valid From: Wed Apr 05 21:11:13 2017 UTC
> Valid Until: Sun Apr 05 21:11:13 2037 UTC
>
> It's literally the same build script, so nothing there has changed. The old
> images still work even now, so I don't think it's a DNS issue. I tried
> running update-ca-certificates, but that did nothing. I tried restarting the
> FreeIPA server, nothing changed.
>
> If I try --forceing the install, this happens:
>
> Enrolled in IPA realm IPA.SERVICES.EXAMPLE
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 3099, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 3080, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2727, in install
>     api.finalize()
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
>     self.import_plugins(module)
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
>     module = importlib.import_module(name)
>   File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
>     __import__(name)
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
>     from ipalib import pkcs10
>   File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
>     class _PrincipalName(univ.Sequence):
>   File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
>     namedtype.NamedType('name-string',
>     univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
>
> Really not sure what's going on here; does anyone have advice on how to fix
> this? Thanks!

Hi,

during client installation, the installer tries to retrieve the CA
certificate:
- either from the provided --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied

The ldap method looks for a certificate in
cn=certificates,cn=ipa,cn=etc,$BASEDN or cn=CAcert,cn=ipa,cn=etc,$BASEDN.

You can check if the CA certificate can be found by the installer. Do you see
matching logs in the directory server access log (/var/log/dirsrv/slapd-xx/access),
like the following:

[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1

If yes, check the return code (err=x) and the number of found entries
(nentries=x).

When you run the installer with --force, the tool manages to retrieve the cert
using http but fails later. Which version of IPA are you using?

Flo.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
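One way to script the check Florence describes: pair each CA-certificate SRCH in the 389-ds access log with its RESULT by (conn, op) and report err and nentries, while not flagging the err=14 "SASL bind in progress" rounds that Greg listed, which are the normal intermediate steps of a GSSAPI bind. This is an added example, not FreeIPA's or 389-ds's own tooling; the container names come from Florence's reply, the sample log is constructed from the lines Greg quoted, and the verdict strings are this example's own.

```python
import re

# Access-log line: optional "[timestamp]" prefix, conn=N op=M, the operation
# kind, then key="value" / key=value fields (RESULT lines may end in free text).
LINE_RE = re.compile(r'^(?:\[[^\]]*\]\s+)?conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+'
                     r'(?P<kind>[A-Z]+)\s*(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two containers the installer's ldap method searches (from Florence's reply).
CA_CONTAINERS = ('cn=certificates,cn=ipa,cn=etc,', 'cn=cacert,cn=ipa,cn=etc,')
LDAP_SUCCESS = 0
LDAP_SASL_BIND_IN_PROGRESS = 14  # normal for the intermediate rounds of a GSSAPI bind

def parse_line(line):
    """Split one access-log line into conn, op, kind, rest and a field dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {'conn': int(m.group('conn')), 'op': int(m.group('op')),
            'kind': m.group('kind'), 'rest': m.group('rest'), 'fields': fields}

def ca_cert_searches(lines):
    """One record per SRCH under a CA container, joined to its RESULT by (conn, op)."""
    pending, done = {}, []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec['conn'], rec['op'])
        base = rec['fields'].get('base', '').lower()
        if rec['kind'] == 'SRCH' and base.startswith(CA_CONTAINERS):
            pending[key] = {'conn': key[0], 'op': key[1], 'base': base, 'err': None,
                            'nentries': None, 'filter': rec['fields'].get('filter', '')}
        elif rec['kind'] == 'RESULT' and key in pending:
            hit = pending.pop(key)
            hit['err'] = int(rec['fields'].get('err', -1))
            hit['nentries'] = int(rec['fields'].get('nentries', -1))
            done.append(hit)
    return done + list(pending.values())  # searches with no RESULT keep err=None

def unexpected_errors(lines):
    """RESULT lines with err != 0, minus the err=14 rounds of a multi-step SASL bind."""
    bad = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec['kind'] != 'RESULT':
            continue
        err = int(rec['fields'].get('err', 0))
        benign = err == LDAP_SASL_BIND_IN_PROGRESS and 'SASL bind in progress' in rec['rest']
        if err != LDAP_SUCCESS and not benign:
            bad.append(raw.strip())
    return bad

def diagnose(lines):
    """'found', 'empty', 'error', 'no-result' or 'no-search' for the CA-cert lookup."""
    searches = ca_cert_searches(lines)
    if not searches:
        return 'no-search'  # the installer never reached the ldap step for this base
    if any(s['err'] == LDAP_SUCCESS and s['nentries'] > 0 for s in searches):
        return 'found'
    if any(s['err'] not in (None, LDAP_SUCCESS) for s in searches):
        return 'error'
    return 'empty' if any(s['err'] == LDAP_SUCCESS for s in searches) else 'no-result'

# Sample input constructed from the lines Greg quoted in this thread.
SAMPLE_LOG = """\
conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
""".splitlines()
```

On Greg's lines diagnose(SAMPLE_LOG) returns 'found' and unexpected_errors(SAMPLE_LOG) is empty, which is what the thread concludes: the ldap lookup succeeds and the failure is later, in the pyasn1-dependent plugin load.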