[Freeipa-devel] joining rhel5 ipa clients to rhel 7 server failing caused by time offset.

Michael Gregg mgregg at redhat.com
Wed Jun 4 21:19:46 UTC 2014


On 06/04/2014 02:07 PM, Rob Crittenden wrote:
> Michael Gregg wrote:
>> I was trying to join my rhel 5 client to a rhel 7 domain, and getting
>> the following error:
>>
>> [root@oracle ~]# ipa-client-install -p admin -w <pw> -U
>> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> Unable to find IPA Server to join
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Tried to verify the cert with this:
>>
>> openssl s_client -host iota.testrelm.test -port 443 -CAfile /etc/ipa/ca.crt
>>
>> This came up with this error code:
>>
>> Verify return code: 9 (certificate is not yet valid)
>>
>> After syncing the clock, everything worked all right. I tried googling
>> around a bit, but I couldn't find any specific articles about this problem.
>>
>> Does this sound like a troubleshooting and repair step that is
>> documented somewhere already?
> I don't recall any documentation on this. The time should be
> synchronized before that happens. Can you send me the full
> ipaclient-install.log?
>
> rob

Sure thing. The log is not very long. It is attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-client-install.log
Type: text/x-log
Size: 2245 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140604/de12e392/attachment.bin>
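
A pre-flight check for the failure described in this thread, added here as an example and not part of the original messages or of FreeIPA: it takes the text printed by `openssl x509 -in /etc/ipa/ca.crt -noout -dates` and reports whether the local clock falls outside the CA certificate's validity window, using OpenSSL's verify return codes 9 and 10. The sample dates and the function names are constructed for illustration.

```python
"""Pre-flight clock check against a CA certificate's validity window."""
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -in /etc/ipa/ca.crt -noout -dates` output.
SAMPLE_DATES = """notBefore=Jun  4 21:05:12 2014 GMT
notAfter=Jun  4 21:05:12 2034 GMT
"""

# OpenSSL verify return codes for the two time-related failures.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for key, value in re.findall(r"^(notBefore|notAfter)=(.+?)\s*$", text, re.M):
        # OpenSSL pads single-digit days with a space; collapse before parsing.
        value = " ".join(value.split())
        stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def check_clock(dates_text, now=None):
    """Return (verify_code, seconds the clock lies outside the window)."""
    not_before, not_after = parse_dates(dates_text)
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        # Client clock is behind: the case reported in this thread (code 9).
        return X509_V_ERR_CERT_NOT_YET_VALID, int((not_before - now).total_seconds())
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED, int((now - not_after).total_seconds())
    return X509_V_OK, 0


if __name__ == "__main__":
    code, skew = check_clock(SAMPLE_DATES)
    print(f"verify code {code}, clock outside validity window by {skew}s")
```

A nonzero code before enrollment means the clock should be synchronized first, since the TLS handshake to the server will fail certificate verification regardless of the credentials supplied.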

