[Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 16 20:43:48 UTC 2014


On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
>
>
>> On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:
>> > DNS A, SRV, and TXT
>> >entries are in place. Reverse DNS works.
>
>My text DNS entry is possibly hosed, as it's in lowercase. I put in a request to capitalize it.
>
>[root at ipa yum.repos.d]# host -t TXT _kerberos.usfs-i2.umt.edu
>_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."
>
>
>> Check /var/log/ipaclient-install.log first, as your IPA client install did not finish,
>> thus the certificate store wasn't created properly and does not contain the IPA CA
>> certificate yet.
>
>For someone on vacation you sure spend a lot of time geeking out. :)
>
> From the below, I think my next thing to try is to wipe the machine
> and ipa-server-install --realm=USFS-I2.UMT.EDU to override DNS until
> it gets fixed. Would you concur? Thanks for pointing me at the
> logfile.
>
>2014-07-16T19:28:16Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
>2014-07-16T19:28:16Z DEBUG [IPA Discovery]
>2014-07-16T19:28:16Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
>2014-07-16T19:28:16Z DEBUG Server and domain forced
>2014-07-16T19:28:16Z DEBUG [Kerberos realm search]
>2014-07-16T19:28:16Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
>2014-07-16T19:28:16Z DEBUG DNS record found: "usfs-i2.umt.edu."
>2014-07-16T19:28:16Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
>2014-07-16T19:28:16Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
>2014-07-16T19:28:16Z DEBUG [LDAP server check]
>2014-07-16T19:28:16Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
>2014-07-16T19:28:16Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
>2014-07-16T19:28:16Z DEBUG Search LDAP server for IPA base DN
>2014-07-16T19:28:16Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
>2014-07-16T19:28:16Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
>2014-07-16T19:28:16Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
>2014-07-16T19:28:16Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
>2014-07-16T19:28:16Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
>2014-07-16T19:28:16Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=usfs-i2.umt.edu, kdc=ipa.usfs-i2.umt.edu, basedn=dc=usfs-i2,dc=umt,dc=edu
>2014-07-16T19:28:16Z DEBUG Validated servers:
>2014-07-16T19:28:16Z ERROR Failed to verify that ipa.usfs-i2.umt.edu is an IPA Server.
This is definitely a TXT record issue with _kerberos.usfs-i2.umt.edu, because
when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the
strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (from the TXT record
_kerberos.usfs-i2.umt.edu) for an exact match, i.e. including case.

After all, it is a Kerberos realm name, which must be upper-cased.
As a work-around, use the --realm option to force the right casing of the
realm.

-- 
/ Alexander Bokovoy
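The check described in the reply above, as an added example that is not part of the thread and not FreeIPA's own discovery code: it parses the output of `host -t TXT _kerberos.<domain>` (the command Bryce ran), takes the realm out of the krbRealmContainer DN that discovery found in LDAP, and compares the two case-sensitively, reporting whether the mismatch is case-only (so `--realm` is the right work-around) or a genuinely different realm. Function names are hypothetical; the sample `host` output and DN are constructed from the values quoted in the thread. Whether ipa-client-install strips the trailing dot before comparing is not stated in the thread, so this script strips it as an assumption.

```python
"""Pre-flight check: does the _kerberos TXT record match the Kerberos realm
exactly, case included?  Added example, not FreeIPA's own code."""
import re
import subprocess

# Constructed copy of the `host -t TXT` output shown in the thread.
SAMPLE_HOST_OUTPUT = '_kerberos.usfs-i2.umt.edu descriptive text "usfs-i2.umt.edu."\n'

# Realm container DN found by discovery in the thread's log.
SAMPLE_LDAP_REALM_DN = "cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu"

# One `host` output line: <name> descriptive text "<value>"
_TXT_RE = re.compile(r'^\S+\s+descriptive text\s+"(?P<value>[^"]*)"\s*$')


def parse_txt_records(host_output: str) -> list:
    """Extract TXT values from `host -t TXT` output.

    The trailing dot is DNS FQDN notation, not part of the realm name, so it
    is dropped before comparison (assumption, see lead-in)."""
    values = []
    for line in host_output.splitlines():
        m = _TXT_RE.match(line.strip())
        if m:
            values.append(m.group("value").rstrip("."))
    return values


def realm_from_dn(dn: str) -> str:
    """Take the realm name from the krbRealmContainer DN (first RDN, cn=REALM)."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("unexpected RDN in realm DN: %r" % first_rdn)
    return value.strip()


def check_realm_txt(ldap_realm: str, txt_values: list) -> dict:
    """Compare the LDAP realm against each TXT value with a plain string
    equality, which is what makes the lowercase record in the thread fail.

    Returns a verdict; for a case-only mismatch it also names the --realm
    work-around from the reply."""
    exact = [v for v in txt_values if v == ldap_realm]
    case_only = [v for v in txt_values
                 if v != ldap_realm and v.upper() == ldap_realm.upper()]
    if exact:
        return {"ok": True, "reason": "TXT record matches realm exactly"}
    if case_only:
        return {"ok": False, "reason": "case mismatch", "txt": case_only[0],
                "workaround": "--realm=" + ldap_realm}
    return {"ok": False, "reason": "no TXT record names this realm",
            "txt": list(txt_values)}


def query_kerberos_txt(domain: str) -> list:
    """Live lookup with the same `host` command as in the thread (needs DNS)."""
    out = subprocess.run(["host", "-t", "TXT", "_kerberos." + domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_txt_records(out)


if __name__ == "__main__":
    realm = realm_from_dn(SAMPLE_LDAP_REALM_DN)
    print(realm, check_realm_txt(realm, parse_txt_records(SAMPLE_HOST_OUTPUT)))
```

Run before `ipa-client-install` (or swap `SAMPLE_HOST_OUTPUT` for `query_kerberos_txt(domain)`); a "case mismatch" verdict means the DNS record needs its case fixed or the install needs `--realm`, while "no TXT record names this realm" points at a missing or wrong record rather than at casing.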
