[Freeipa-users] Cannot obtain CA Certificate
Petr Spacek
pspacek at redhat.com
Wed Feb 27 09:42:49 UTC 2013
On 26.2.2013 17:55, John Moyer wrote:
> Sorry for the late response, so I tried this, and it changed the error to the following:
>
> Synchronizing time with KDC...
>
> Joining realm failed: HTTP response code is 401, not 200
> Installation failed. Rolling back changes.
>
>
>
> Looking at debug this is what I see:
>
> < HTTP/1.1 401 Authorization Required
> < Date: Tue, 26 Feb 2013 16:54:21 GMT
> < Server: Apache/2.2.15 (CentOS)
> * gss_init_sec_context() failed: : Server krbtgt/COM at EXAMPLE.COM not found in Kerberos database< WWW-Authenticate: Negotiate
krbtgt/COM at EXAMPLE.COM is definitely not correct. It should look like
"krbtgt/EXAMPLE.COM at EXAMPLE.COM". I would recommend to double check name
resolution.
Are all records in /etc/hosts correct?
Does /etc/resolv.conf point to the IPA server?
Do forward (A) and reverse (PTR) records match for client and also IPA servers?
Does dig -t TXT _kerberos.example.com return correct REALM?
Do all domain and realm names in /etc/krb5.conf point to correct IPA domain?
You can run ipa-client-install with KRB5_TRACE environment variable set. It
could produce some useful output. E.g.:
$ KRB5_TRACE=/tmp/kerberos_trace.log ipa-client-install <.. blah blah..>
This should log actions done by Kerberos libraries to file
/tmp/kerberos_trace.log.
Also, "tcpdump -s 65535 -w /tmp/tcpdump -i any" could provide some clue.
You can send both files to me privately if you don't want to send them to
mailing list.
Petr^2 Spacek
> < Last-Modified: Wed, 23 Jan 2013 22:16:50 GMT
> < ETag: "4627-740-4d3fc0cfd7880"
> < Accept-Ranges: bytes
> < Content-Length: 1856
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
>
>
>
>
> On Feb 19, 2013, at 6:35 AM, Jan-Frode Myklebust <janfrode at tanso.net> wrote:
>
>>> ipa : ERROR Cannot obtain CA certificate
>>> 'ldap://ipa1.example.com' doesn't have a certificate.
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>
>> FYI, I have this same issue when enrolling RHEL5 clients. Have been
>> doing this as a workaround:
>>
>> wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
>> ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt
>>
>>
>>
>> -jf
More information about the Freeipa-users
mailing list