[Freeipa-users] Cannot obtain CA Certificate

Peter Brown rendhalver at gmail.com
Tue Feb 19 00:24:48 UTC 2013


Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
It turned out to be that port 80 wasn't open on the FreeIPA server.
I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your DNS zone makes
setting up clients a lot simpler.



On 19 February 2013 00:58, John Moyer <john.moyer at digitalreasoning.com> wrote:

> Hello all,
>
> I am having an issue using IPA 2.2.0. I am trying to put together a
> proof of concept set of systems. I've stood up 2 servers on AWS. One is
> the server, one is the client. I am using CentOS 6 to do all this testing
> on, with the default IPA packages provided from CentOS. I had a fully
> operational proof of concept finished, fully scripted to be built without
> issues. I shut down and started these as needed to show to people to get
> approval for the project. The other day the client stopped enrolling to
> the IPA server. I have no idea why; I assume a patch pushed out broke
> something, since it is a fully scripted install. It does get the most recent
> patches each time I stand it up, so it definitely would pull any new patches
> that came out.
>
> After investigating, I am getting this error when I try to manually enroll
> the client. I haven't been able to find any reference to this error
> anywhere on the net. Any help would be greatly appreciated! Let me know
> if any additional details are needed.
>
>
> PLEASE NOTE:  Everything below has been sanitized
>
>
> [root at client ~]# ipa-client-install --domain=example.com --server=
> ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd -p
> ipa-bind -w "blah" -U
> DNS domain 'example.com' is not configured for automatic KDC address
> lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: client.ec2.internal
> Realm: EXAMPLE.COM
> DNS Domain: digitalreasoning.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
>
>
> Synchronizing time with KDC...
>
> ipa         : ERROR    Cannot obtain CA certificate
> 'ldap://ipa1.example.com' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Thanks,
> _____________________________________________________
> John Moyer
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
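Peter's two pointers (the ports the client needs on the server, and the SRV/TXT discovery records in the DNS zone) as one preflight script to run on the client before `ipa-client-install`. This is an added example, not code from the thread or from FreeIPA. The port list and record names are the ones FreeIPA's own server installer documents and creates; the script name, function names and output format are my own, and the domain, realm and server name are placeholders taken from the sanitized output above.

```shell
#!/bin/sh
# ipa-client-preflight.sh (added example, not part of FreeIPA): run on the
# client before ipa-client-install to see which of the things Peter mentions
# are missing.  Usage:
#   sh ipa-client-preflight.sh example.com EXAMPLE.COM ipa1.example.com
# Needs dig (bind-utils) and nc (or bash + coreutils timeout) on the client.

# Ports an IPA client must reach on the server.  80/tcp is the one that bit
# Peter: ipa-client-install fetches the CA certificate over plain HTTP
# (http://<server>/ipa/config/ca.crt) before it can use LDAP over TLS, so a
# blocked port 80 surfaces as "Cannot obtain CA certificate".
ipa_required_ports() {
    printf '%s\n' 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp
}

# Zone-file lines client auto-discovery looks for in the DNS domain; these are
# the records ipa-server-install itself creates when it manages the zone.
# The installer line "DNS domain ... is not configured for automatic KDC
# address lookup" means the _kerberos._udp SRV record was not found.
# $1 = DNS domain, $2 = Kerberos realm, $3 = IPA server FQDN
ipa_expected_dns_records() {
    d=$1; r=$2; s=$3
    printf '_kerberos.%s. IN TXT "%s"\n' "$d" "$r"
    for rec in _kerberos._udp:88 _kerberos._tcp:88 \
               _kerberos-master._udp:88 _kerberos-master._tcp:88 \
               _kpasswd._udp:464 _kpasswd._tcp:464 \
               _ldap._tcp:389 _ntp._udp:123; do
        printf '%s.%s. IN SRV 0 100 %s %s.\n' "${rec%%:*}" "$d" "${rec##*:}" "$s"
    done
}

# Target host from one `dig +short SRV` answer line
# ("0 100 389 ipa1.example.com." -> "ipa1.example.com").
srv_target() {
    set -- $1
    printf '%s\n' "${4%.}"
}

# 0 if a TCP connect to $1:$2 succeeds within 3 seconds, non-zero otherwise.
tcp_port_open() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        # /dev/tcp is a bash builtin path, so force bash for the fallback
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

preflight() {
    domain=$1; realm=$2; server=$3; rc=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found (install bind-utils)"; return 2; }

    echo "== discovery records in $domain =="
    for rec in $(ipa_expected_dns_records "$domain" "$realm" "$server" | awk '{print $3 ":" $1}'); do
        type=${rec%%:*}; name=${rec#*:}; name=${name%.}
        answer=$(dig +short "$type" "$name")
        if [ -z "$answer" ]; then echo "MISSING $type $name"; rc=1
        elif [ "$type" = SRV ]; then echo "ok      $type $name -> $(srv_target "$answer")"
        else echo "ok      $type $name -> $answer"; fi
    done

    echo "== TCP ports on $server (check UDP 88/464/123 separately, e.g. nmap -sU) =="
    for p in $(ipa_required_ports); do
        case $p in
        */tcp)
            port=${p%/tcp}
            if tcp_port_open "$server" "$port"; then echo "open    $port/tcp"
            else echo "CLOSED  $port/tcp"; rc=1; fi ;;
        esac
    done
    return $rc
}

# Only run the checks when invoked with the three arguments.
if [ $# -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit means at least one record or TCP port is missing; fix those on the server side (security group or iptables for the ports, the zone for the records) before retrying the enrolment. The UDP ports are listed but not probed, since a closed UDP port cannot be told from a silent one without a protocol-aware scan.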