[Freeipa-users] can't register new clients

Megan . nagemnna at gmail.com
Fri Dec 5 20:46:32 UTC 2014


Good Day!

I am getting an error when I register new clients.

libcurl failed to execute the HTTP POST transaction.  SSL connect error

I can't find anything useful on the internet about the error.  Can
someone help me troubleshoot?

CentOS 6.6  x64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64
curl-7.19.7-40.el6_6.1.x86_64


I checked the 443 connection to the ipa server and it is open to the client.


[root@data2-uat ipa]# ipa-client-install --domain=somewhere.com
--server=dir1.somewhere.com  --no-ntp  --realm=somewhere.com -d
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'somewhere.com', 'force': False, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True,
'conf_sshd': True, 'conf_ntp': False, 'on_master': False,
'ntp_server': None, 'server': ['dir1.somewhere.com'], 'no_nisdomain':
False, 'principal': None, 'hostname': None, 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False, 'realm_name':
'somewhere.com', 'dns_updates': False, 'conf_sudo': True, 'conf_ssh':
True, 'force_join': False, 'ca_cert_file': None, 'nisdomain': None,
'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=somewhere.com,
servers=['dir1.somewhere.com'], hostname=data2-uat.somewhere.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.somewhere.com.
No DNS record found
[LDAP server check]
Verifying that dir1.somewhere.com (realm None) is an IPA server
Init LDAP connection with: ldap://dir1.somewhere.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=proj,dc=somewhere,dc=com' is for IPA
Naming context 'dc=proj,dc=somewhere,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=proj,dc=somewhere,dc=com (sub)
Found: cn=somewhere.com,cn=kerberos,dc=proj,dc=somewhere,dc=com
Discovery result: Success; server=dir1.somewhere.com,
domain=somewhere.com, kdc=None, basedn=dc=proj,dc=somewhere,dc=com
Validated servers: dir1.somewhere.com
will use discovered domain: somewhere.com
Using servers from command line, disabling DNS discovery
will use provided server: dir1.somewhere.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to
always access the discovered server for all operations and will not
fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: somewhere.com
will use discovered basedn: dc=proj,dc=somewhere,dc=com
Hostname: data2-uat.somewhere.com
Hostname source: Machine's FQDN
Realm: somewhere.com
Realm source: Discovered from LDAP DNS records in dir1.somewhere.com
DNS Domain: somewhere.com
DNS Domain source: Forced
IPA Server: dir1.somewhere.com
IPA Server source: Provided as option
BaseDN: dc=proj,dc=somewhere,dc=com
BaseDN source: From IPA server ldap://dir1.somewhere.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r somewhere.com
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: mkispert
will use principal provided as option: mkispert
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.somewhere.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v dir1.somewhere.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v dir1.somewhere.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v dir1.somewhere.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmphDx3Aq:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = somewhere.com
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  somewhere.com = {
    kdc = dir1.somewhere.com:88
    master_kdc = dir1.somewhere.com:88
    admin_server = dir1.somewhere.com:749
    default_domain = somewhere.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .somewhere.com = somewhere.com
  somewhere.com = somewhere.com

Password for mkispert@somewhere.com:
args=kinit mkispert@somewhere.com
stdout=Password for mkispert@somewhere.com:
Warning: Your password will expire in 2 days on Mon Dec  8 11:48:37 2014

stderr=
trying to retrieve CA cert via LDAP from ldap://dir1.somewhere.com
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=somewhere.com
    Issuer:      CN=Certificate Authority,O=somewhere.com
    Valid From:  Thu Aug 07 17:55:15 2014 UTC
    Valid Until: Mon Aug 07 17:55:15 2034 UTC

args=/usr/sbin/ipa-join -s dir1.somewhere.com -b dc=proj,dc=somewhere,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>data2-uat.somewhere.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-504.1.3.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to dir1.somewhere.com port 443 (#0)
*   Trying x.x.27.170... * Connected to dir1.somewhere.com
(x.x.27.170) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS error -8054
* Closing connection #0
libcurl failed to execute the HTTP POST transaction.  SSL connect error

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>data2-uat.somewhere.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-504.1.3.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to dir1.somewhere.com port 443 (#0)
*   Trying x.x.27.170... * Connected to dir1.somewhere.com
(x.x.27.170) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS error -8054
* Closing connection #0
libcurl failed to execute the HTTP POST transaction.  SSL connect error

Installation failed. Rolling back changes.
IPA client is not configured on this system.
[root@data2-uat ipa]#
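
An added example, not part of the original post: a small parser that pulls the failed TLS attempt out of the libcurl debug lines above and decodes the numeric NSS error into its family and symbolic name. The function names and the short name table are this example's own; the table is a subset of the NSS error headers.

```python
import re

FAMILIES = {"SEC": -0x2000, "SSL": -0x3000}  # NSS: code = base + offset (0..999)

# Subset of symbolic names; extend from the NSS headers as needed.
NAMES = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8054: "SEC_ERROR_REUSED_ISSUER_AND_SERIAL",
    -12276: "SSL_ERROR_BAD_CERT_DOMAIN",
}

PATTERNS = {
    "host": re.compile(r"About to connect\(\) to (\S+) port \d+"),
    "certpath": re.compile(r"Initializing NSS with certpath: (\S+)"),
    "cafile": re.compile(r"CAfile: (\S+)"),
    "code": re.compile(r"NSS error (-\d+)"),
}

def decode(code):
    """Map a numeric NSS error to (family, offset, symbolic name or None)."""
    for family, base in FAMILIES.items():
        if base <= code < base + 1000:
            return family, code - base, NAMES.get(code)
    return "UNKNOWN", None, None

def diagnose(log_text):
    """Return one finding per distinct failed TLS attempt in libcurl debug output."""
    findings, ctx = [], {}
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                ctx[key] = m.group(1)
        if "code" in ctx:                    # the error line closes an attempt
            family, offset, name = decode(int(ctx.pop("code")))
            finding = dict(ctx, family=family, offset=offset, name=name)
            if finding not in findings:      # the post's log echoes stderr twice
                findings.append(finding)
            ctx = {}
    return findings

# Lines copied from the ipa-join debug output in the post above.
SAMPLE = """\
* About to connect() to dir1.somewhere.com port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
* NSS error -8054
"""
```

For this log it reports `SEC_ERROR_REUSED_ISSUER_AND_SERIAL`: NSS was handed a certificate whose issuer and serial number match one it already holds, but whose contents differ. The two stores named in the log, `sql:/etc/pki/nssdb` (which `certutil -L -d sql:/etc/pki/nssdb` lists) and `/etc/ipa/ca.crt`, are the ones to compare.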



