[Freeipa-users] Cannot obtain CA Certificate

Petr Spacek pspacek at redhat.com
Wed Feb 27 09:42:49 UTC 2013


On 26.2.2013 17:55, John Moyer wrote:
> Sorry for the late response, so I tried this, and it changed the error to the following:
>
> Synchronizing time with KDC...
>
> Joining realm failed: HTTP response code is 401, not 200
> Installation failed. Rolling back changes.
>
>
>
> Looking at debug this is what I see:
>
> < HTTP/1.1 401 Authorization Required
> < Date: Tue, 26 Feb 2013 16:54:21 GMT
> < Server: Apache/2.2.15 (CentOS)
> * gss_init_sec_context() failed: : Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database
> < WWW-Authenticate: Negotiate

krbtgt/COM@EXAMPLE.COM is definitely not correct. It should look like 
"krbtgt/EXAMPLE.COM@EXAMPLE.COM". I would recommend double-checking name 
resolution.

Are all records in /etc/hosts correct?

Does /etc/resolv.conf point to the IPA server?

Do forward (A) and reverse (PTR) records match for client and also IPA servers?

Does dig -t TXT _kerberos.example.com return the correct REALM?

Do all domain and realm names in /etc/krb5.conf point to the correct IPA domain?

You can run ipa-client-install with the KRB5_TRACE environment variable set. It 
could produce some useful output. E.g.:

$ KRB5_TRACE=/tmp/kerberos_trace.log ipa-client-install <.. blah blah..>

This should log the actions performed by the Kerberos libraries to the file 
/tmp/kerberos_trace.log.

Also, "tcpdump -s 65535 -w /tmp/tcpdump -i any" could provide some clue.

You can send both files to me privately if you don't want to send them to 
mailing list.

Petr^2 Spacek

> < Last-Modified: Wed, 23 Jan 2013 22:16:50 GMT
> < ETag: "4627-740-4d3fc0cfd7880"
> < Accept-Ranges: bytes
> < Content-Length: 1856
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
>
>
>
>
> On Feb 19, 2013, at 6:35 AM, Jan-Frode Myklebust <janfrode at tanso.net> wrote:
>
>>> ipa         : ERROR    Cannot obtain CA certificate
>>> 'ldap://ipa1.example.com' doesn't have a certificate.
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>
>> FYI, I have this same issue when enrolling RHEL5 clients. Have been
>> doing this as a workaround:
>>
>> 	wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
>> 	ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt
>>
>>
>>
>>   -jf

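The realm lookup behind that bogus principal, as an added example that is not part of this thread nor of FreeIPA or MIT krb5 code: a small Python emulation of how libkrb5 maps a server hostname to a realm via the [domain_realm] section (exact host entry first, then the longest matching ".domain" suffix, then the upper-cased parent domain as the final fallback used when referrals fail; the dns_lookup_realm TXT walk is not modelled) and which krbtgt principal the client therefore asks its own KDC for. Both krb5.conf fragments are constructed for the example, and the broken one (a stray ".com = COM" entry with no ".example.com" mapping) is a hypothetical misconfiguration, not the poster's actual file.

```python
"""Offline emulation of the libkrb5 hostname -> realm mapping from krb5.conf.

Constructed example; it reproduces the shape of the principal seen in the
thread (krbtgt/COM@EXAMPLE.COM) from one hypothetical way it can arise.
"""

# Constructed krb5.conf fragment that maps the IPA domain correctly.
GOOD_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

# Hypothetical misconfiguration (constructed): the .example.com entry is
# missing and a stray ".com = COM" line makes every host under .com look like
# it belongs to a realm called COM.
BAD_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false

[domain_realm]
  .com = COM
"""


def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' sections of krb5.conf.

    Enough for [libdefaults] and [domain_realm]; nested { } blocks such as
    [realms] are not needed here and are skipped as plain lines.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip()] = value.strip()
    return sections


def host_to_realm(hostname, conf):
    """Realm libkrb5 would choose for hostname from [domain_realm].

    Lookup order mirrors krb5_get_host_realm(): an exact hostname entry, then
    the longest matching '.domain' suffix. If nothing matches, the fallback
    (krb5_get_fallback_host_realm) is the upper-cased parent domain.
    DNS TXT _kerberos.<domain> lookups are intentionally not emulated.
    """
    host = hostname.rstrip('.').lower()
    mapping = {k.lower(): v for k, v in conf.get('domain_realm', {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):          # longest suffix is tried first
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    if len(labels) > 1:
        return '.'.join(labels[1:]).upper()
    return host.upper()


def service_tgt_principal(client_realm, service_host, conf):
    """TGT the client requests before asking for HTTP/<service_host>.

    If the server maps to the client's own realm this is the normal
    krbtgt/REALM@REALM; any other mapping turns into a cross-realm request
    krbtgt/<server realm>@<client realm>, which the KDC will not know about
    unless a trust really exists.
    """
    server_realm = host_to_realm(service_host, conf)
    return "krbtgt/{}@{}".format(server_realm, client_realm)


def diagnose(service_host, text):
    """Return (requested principal, warning or None) for one krb5.conf."""
    conf = parse_krb5_conf(text)
    client_realm = conf['libdefaults']['default_realm']
    principal = service_tgt_principal(client_realm, service_host, conf)
    server_realm = host_to_realm(service_host, conf)
    warning = None
    if server_realm != client_realm:
        warning = ("{} maps to realm {} but default_realm is {}: check "
                   "[domain_realm] and DNS".format(service_host, server_realm,
                                                    client_realm))
    return principal, warning


if __name__ == "__main__":
    for label, text in (("good", GOOD_KRB5_CONF), ("bad", BAD_KRB5_CONF)):
        principal, warning = diagnose("ipa1.example.com", text)
        print(label, principal, warning or "ok")
```

Run against the broken fragment the script prints the same krbtgt/COM@EXAMPLE.COM principal that appears in the Apache debug output above, which is why the mapping checks in the reply (krb5.conf realm names, the _kerberos TXT record, forward and reverse DNS) are the first things to verify.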