Re: [Freeipa-users] Joining realm failed with "SSL certificate problem: self signed certificate in certificate chain"
Found it. The error message on the ipa server (in /var/log/httpd/error_log) was less misleading:

SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate

After installing the ca-certificates package and adding the root certificate to it the problem was gone.

Thanks to everybody
Harri

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Joining realm failed with "SSL certificate problem: self signed certificate in certificate chain"
Hi Rob,

On 01/29/2016 04:12 PM, Rob Crittenden wrote:
>
> What version of server and client?
>

Server is freeipa 4.2 (Centos 7.2)
Client is freeipa 4.0.5 (Debian 8)

Sorry, I should have mentioned this in my first post. I am running >200 clients in this environment, approx. 40% are Debian hosts with this freeipa version. One host cannot be joined :-(.

> I gather you have installed with an external CA? How many certs are in
> /etc/ipa/ca.crt?
>

Yes, it's an external CA. There is one cert in ca.crt: it is the certificate of the ipa CA, signed by the expected external root CA. I see the same on the other hosts, but of course I checked only a few (4).

Regards
Harri
Re: [Freeipa-users] Joining realm failed with "SSL certificate problem: self signed certificate in certificate chain"
Harald Dunkel wrote:
> Hi folks,
>
> Problem: ipa-client-install fails with
>
> # rm -f /etc/ipa/ca.crt
> # ipa-client-install
> Discovery was successful!
> Hostname: srvl023.ac.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@example.com:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=example AG,C=COM
>     Issuer:      CN=example Root CA,OU=example Certificate Authority,O=example AG,C=COM
>     Valid From:  Mon Dec 28 10:35:30 2015 UTC
>     Valid Until: Mon Dec 31 23:59:59 2035 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: SSL certificate problem: self signed certificate in certificate
> chain
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> ???
> Is this the chain sent from the ipa server to the new host?
>
> Every helpful idea would be highly appreciated.
>

What version of server and client?

I gather you have installed with an external CA? How many certs are in /etc/ipa/ca.crt?

rob