[Freeipa-users] Cannot obtain CA Certificate

Steven Jones Steven.Jones at vuw.ac.nz
Tue Feb 19 02:52:12 UTC 2013 

whats AWS?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 19 February 2013 3:35 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cannot obtain CA Certificate

On 02/18/2013 09:06 PM, John Moyer wrote:
Peter,

The client is pointing to DNS for the server.   Here is the log info from the ipa-client-log (in /var/log/).  I haven't tried the other stuff yet, I'll respond back when I get a chance to check out the CA cert things.


2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind at EXAMPLE.COM<mailto:ipa-bind at EXAMPLE.COM>
2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-bind at EXAMPLE.COM<mailto:ipa-bind at EXAMPLE.COM>:

2013-02-19T02:01:37Z DEBUG stderr=
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com<UrlBlockedError.aspx>
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM at EXAMPLE.COM<mailto:krbtgt/COM at EXAMPLE.COM> not found in Kerberos database)
2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COM at EXAMPLE.COM<mailto:krbtgt/COM at EXAMPLE.COM> not found in Kerberos database)', 'desc': 'Local error'}
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate
'ldap://ipa1.example.com'<UrlBlockedError.aspx> doesn't have a certificate.
2013-02-19T02:01:37Z DEBUG args=kdestroy
2013-02-19T02:01:37Z DEBUG stdout=
2013-02-19T02:01:37Z DEBUG stderr=


Can the server resolve the client in the same way as client resolves itself?
In AWS it might be an issue because it changes system names dynamically and thus you client host when restarted might have a different name or be not resolvable by the server.
The fact that AWS changes names under you makes IPA not usable in AWS environment.
https://fedorahosted.org/freeipa/ticket/2715



Thanks,
_____________________________________________________
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
John.Moyer at digitalreasoning.com<mailto:john.moyer at digitalreasoning.com>
Office: 703.678.2311
Mobile: 240.460.0023
Fax: 703.678.2312
www.digitalreasoning.com<http://www.digitalreasoning.com/>

On Feb 18, 2013, at 8:42 PM, Peter Brown <rendhalver at gmail.com<mailto:rendhalver at gmail.com>> wrote:

On 19 February 2013 11:03, John Moyer <john.moyer at digitalreasoning.com<mailto:john.moyer at digitalreasoning.com>> wrote:
Peter,

Thanks for the response, I just checked out my security group settings, I did have some ports blocked, however, allowing them did not help.   I installed mmap on the client and did a port scan of the server and got the follow:

PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm

There is a couple of UDP ports that need to be open as well
464 and 88 from memory.

They shouldn't affect your ability to download the ca cert.

Have you checked the ipa-client log file?
I can't remember where that gets saved right now but it should mention the location when you run the ipa-client command.



I tried to enroll again and got the same error as seen here:


Synchronizing time with KDC...

ipa         : ERROR    Cannot obtain CA certificate



Thanks,
_____________________________________________________
John Moyer


On Feb 18, 2013, at 7:24 PM, Peter Brown <rendhalver at gmail.com<mailto:rendhalver at gmail.com>> wrote:

Hi John,

I ran into a similar issue with setting up a 2.2 client with a 3.1 server.
It turned out to be that port 80 wasn't open on the freeipa server.
I would check your ports and see if the right ones are open.
I also find that setting up the SRV and TXT records in your dns zone makes setting up clients a lot simpler.



On 19 February 2013 00:58, John Moyer <john.moyer at digitalreasoning.com<mailto:john.moyer at digitalreasoning.com>> wrote:
Hello all,

I am having an issue using IPA 2.2.0.   I am trying to put together a proof of concept set of systems.  I've stood up 2 servers on AWS.   One is the server one is the client.   I am using CentOS 6 to do all this testing on, with the default IPA packages provided from CentOS.   I had a fully operational proof of concept finished fully scripted to be built without issues.   I shutdown and started these as needed to show to people to get approval for the project.   The other day the client stopped enrolling to the IPA server, I have no idea why I assume a patch pushed out broke something since it is a fully scripted install. It does get the most recent patches each time I stand it up so it definitely would pull any new patches that came out.

After investigating I am getting this error when I try to manually enroll the client.  I haven't been able to find any reference to this error anywhere on the net.  Any help would be greatly appreciated!  Let me know if any additional details are needed.


PLEASE NOTE:  Everything below has been sanitized


[root at client ~]# ipa-client-install --domain=example.com<http://example.com/> --server=ipa1.example.com<http://ipa1.example.com/> --realm=EXAMPLE.COM<http://example.com/> --configure-ssh --configure-sshd -p ipa-bind -w "blah" -U
DNS domain 'example.com<http://example.com/>' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM<http://example.com/>
DNS Domain: digitalreasoning.com<http://digitalreasoning.com/>
IPA Server: ipa1.example.com<http://ipa1.example.com/>
BaseDN: dc=example,dc=com


Synchronizing time with KDC...

ipa         : ERROR    Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks,
_____________________________________________________
John Moyer



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users







_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130219/5bcc88de/attachment.htm>

More information about the Freeipa-users mailing list