On Thu, 2015-07-09 at 19:14 +0000, John Williams wrote:
> I'm trying to add a freeIPA client on a Ubuntu 14.04.02 Version and it's
> failing. Here is some background information. We lost (RIP) our main IPA
> server ipa.mydomain.com a while ago, but we were able to fail over to a
> replica called ipa2. Since then we've built a redundant ipa3.mydomain.com
> replica. Since then all the systems that were there previously work fine.
> But adding new IPA hosts fails.
>
> The main error below (I believe) is:
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match
> target host name 'ipa.mydomain.com'
>
> Any idea how to fix?
You probably added a cname pointing ipa -> ipa2, that won't work, drop the
cname or force the client to use the ipa2 with the --server option.

Simo.

> Thanks in advance!
>
> root@myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
> DNS domain 'COM' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: myhost.mydomain.com
> Realm: COM
> DNS Domain: mydomain.com
> IPA Server: ipa.mydomain.com
> BaseDN: dc=COM
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> Password for admin@COM:
> Unable to download CA cert from LDAP.
> Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
> (this is INSECURE) [no]: yes
> Downloading the CA certificate via HTTP, this is INSECURE
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=COM
>     Issuer:      CN=Certificate Authority,O=COM
>     Valid From:  Thu Apr 04 23:20:27 2013 UTC
>     Valid Until: Mon Apr 04 23:20:27 2033 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: SSL: certificate subject name 'ipa2.mydomain.com' does not match
> target host name 'ipa.mydomain.com'
> Installation failed.
> Rolling back changes.
> certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> /etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
> Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
> Client uninstall complete.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
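As an added illustration (not part of the thread and not FreeIPA's own code), the Python below models why the alias in this exchange fails TLS hostname verification and why pointing the client at the canonical name fixes it. The DNS records, the address and the certificate names are constructed sample data, and the matcher is a simplified version of the SAN-first, wildcard-as-leftmost-label rule that libcurl/OpenSSL apply.

```python
# Constructed DNS zone: the dead master's name was repointed at the replica.
DNS = {
    "ipa.mydomain.com":  ("CNAME", "ipa2.mydomain.com"),
    "ipa2.mydomain.com": ("A", "192.0.2.10"),
    "ipa3.mydomain.com": ("A", "192.0.2.11"),
}

# Constructed certificate as presented by ipa2: subject CN plus SAN dNSNames.
CERT_IPA2 = {"cn": "ipa2.mydomain.com", "san": ["ipa2.mydomain.com"]}


def canonical_name(name, records=DNS, max_hops=8):
    """Follow CNAME records to the name that actually owns the address."""
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype != "CNAME":
            return name
        name = value
    raise ValueError("CNAME loop or chain too long")


def _name_match(pattern, host):
    """Case-insensitive match; a wildcard is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert, host):
    """SAN dNSNames are authoritative; the CN is consulted only when no SAN exists."""
    names = cert["san"] or [cert["cn"]]
    return any(_name_match(n, host) for n in names)


def diagnose(target, cert=CERT_IPA2):
    """Return (ok, canonical_name, advice) for enrolling against `target`."""
    canonical = canonical_name(target)
    if cert_matches_host(cert, target):
        return True, canonical, "hostname verification passes"
    if canonical != target and cert_matches_host(cert, canonical):
        return (False, canonical,
                f"'{target}' is a CNAME for '{canonical}'; drop the CNAME "
                f"or enrol with --server {canonical}")
    return False, canonical, "certificate does not cover this host at all"
```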