[Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Jul 16 20:22:36 UTC 2014



> On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
> > DNS A, SRV, and TXT entries are in place. Reverse DNS works.

My text DNS entry is possibly hosed, as it's in lowercase. I put in a request to capitalize it.

[root@ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."


> Check /var/log/ipaclient-install.log first, as your IPA client install did not finish,
> thus the certificate store wasn't created properly and does not contain the IPA CA
> certificate yet.

For someone on vacation you sure spend a lot of time geeking out. :)

From the below, I think my next thing to try is to wipe the machine and ipa-server-install --realm=USFS-I2.UMT.EDU to override DNS until it gets fixed. Would you concur? Thanks for pointing me at the logfile.

2014-07-16T19:28:16Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T19:28:16Z DEBUG [IPA Discovery]
2014-07-16T19:28:16Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Server and domain forced
2014-07-16T19:28:16Z DEBUG [Kerberos realm search]
2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG [LDAP server check]
2014-07-16T19:28:16Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
2014-07-16T19:28:16Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG Search LDAP server for IPA base DN
2014-07-16T19:28:16Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
2014-07-16T19:28:16Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
2014-07-16T19:28:16Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T19:28:16Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z DEBUG Validated servers:
2014-07-16T19:28:16Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA Server.





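Added example, not part of the original message and not FreeIPA code: a Python check that reads the discovery lines of an ipaclient-install.log and compares the realm advertised by the _kerberos TXT record with the realm container found in LDAP, listing how the two strings differ. The function name compare_realms and the regular expressions are assumptions derived only from the log format quoted above; the output lists differences and does not claim which one produced REALM_NOT_FOUND.

```python
import re

# Constructed sample: the relevant lines of the log quoted in the message above.
SAMPLE_LOG = """\
2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T19:28:16Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
"""

# Patterns are assumptions based on the log lines shown on this page.
TXT_SEARCH = re.compile(r"Search DNS for TXT record of (\S+)")
DNS_FOUND = re.compile(r'DNS record found: "([^"]*)"')
LDAP_REALM = re.compile(r"Found: cn=([^,]+),cn=kerberos,", re.I)
RESULT = re.compile(r"Discovery result: (\w+);")

def compare_realms(log_text):
    """Return the DNS realm, the LDAP realm, the discovery result and their differences."""
    dns_realm = ldap_realm = result = None
    awaiting_txt = False  # True only on the line right after a TXT lookup
    for line in log_text.splitlines():
        if TXT_SEARCH.search(line):
            awaiting_txt = True
            continue
        m = DNS_FOUND.search(line)
        if m and awaiting_txt:
            dns_realm = m.group(1)
        awaiting_txt = False
        m = LDAP_REALM.search(line)
        if m:
            ldap_realm = m.group(1)
        m = RESULT.search(line)
        if m:
            result = m.group(1)
    differences = []
    if dns_realm and ldap_realm and dns_realm != ldap_realm:
        bare = dns_realm.rstrip(".")
        if bare != dns_realm:
            differences.append("TXT value has a trailing dot")
        if bare.upper() == ldap_realm.upper() and bare != ldap_realm:
            differences.append("case differs")
        elif bare.upper() != ldap_realm.upper():
            differences.append("different realm name")
    return {"dns": dns_realm, "ldap": ldap_realm, "result": result, "differences": differences}

if __name__ == "__main__":
    print(compare_realms(SAMPLE_LOG))
```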



