[Freeipa-devel] joining rhel5 ipa clients to rhel 7 server failing caused by time offset.

Rob Crittenden rcritten at redhat.com
Wed Jun 4 21:07:36 UTC 2014


Michael Gregg wrote:
> 
> I was trying to join my rhel 5 client to a rhel 7 domain, and getting
> the following error:
> 
> [root@oracle ~]# ipa-client-install -p admin -w <pw> -U
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> root        : ERROR    LDAP Error: Connect error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Unable to find IPA Server to join
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> Tried to verify the cert with this:
> 
> openssl s_client -host iota.testrelm.test -port 443 -CAfile /etc/ipa/ca.crt
> 
> This came up with this error code:
> 
> Verify return code: 9 (certificate is not yet valid)
> 
> After syncing the clock, everything worked all right. I tried googling
> around a bit, but I couldn't find any specific articles about this problem.
> 
> Does this sound like a troubleshooting and repair step that is
> documented somewhere already?

I don't recall any documentation on this. The time should be
synchronized before that happens. Can you send me the full
ipaclient-install.log?

rob
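
A pre-flight check for the failure discussed in this thread, added here as an example and not written by either poster or taken from FreeIPA: it compares the client clock with a certificate's validity window and reports which OpenSSL verify code the clock would produce (9 is the code quoted above, 10 is its "certificate has expired" counterpart). The function names and the sample dates are assumptions made for the illustration; the input is the text printed by `openssl x509 -noout -dates`.

```python
import ssl
import sys
import time

# OpenSSL verify return codes that a wrong clock can trigger.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9    # "certificate is not yet valid"
X509_V_ERR_CERT_HAS_EXPIRED = 10     # "certificate has expired"

# Constructed sample of `openssl x509 -noout -dates` output (not from the thread).
SAMPLE_DATES = """notBefore=Jun  4 21:00:00 2014 GMT
notAfter=Jun  4 21:00:00 2034 GMT
"""


def parse_dates(openssl_output):
    """Return (not_before, not_after) as epoch seconds (UTC)."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = ssl.cert_time_to_seconds(value)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_clock(openssl_output, now=None):
    """Return (verify_code, seconds the clock lies outside the window)."""
    not_before, not_after = parse_dates(openssl_output)
    now = time.time() if now is None else now
    if now < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID, int(not_before - now)
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED, int(now - not_after)
    return X509_V_OK, 0


if __name__ == "__main__":
    # Usage: openssl x509 -in /etc/ipa/ca.crt -noout -dates | python3 this_file.py
    code, skew = check_clock(sys.stdin.read())
    if code == X509_V_ERR_CERT_NOT_YET_VALID:
        print("clock is %d s before notBefore: sync time, then retry the join" % skew)
    elif code == X509_V_ERR_CERT_HAS_EXPIRED:
        print("clock is %d s past notAfter: check the clock or renew the cert" % skew)
    else:
        print("clock is inside the validity window")
    sys.exit(code)
```

A freshly installed server has a CA certificate whose notBefore is only minutes or hours old, so a client clock that runs behind by more than that lands on the code 9 branch.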
