[Freeipa-users] FreeIPA 4.0.0 "Peer's certificate issuer has been marked as not trusted by the user."

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Jul 16 21:29:33 UTC 2014



> This is definitely TXT record of _kerberos.usfs-i2.umt.edu issue because
> when we fetch the realm value (as cn=USFS-I2.UMT.EDU), we compare the
> strings "USFS-I2.UMT.EDU" and "usfs-i2.umt.edu" (of TXT record
> _kerberos.usfs-i2.umt.edu) to be exact match, i.e. including case.
>
> After all, it is Kerberos realm name, which must be upper-cased.
> As a work-around, use --realm option to force the right casing of the realm.

Fresh reinstall. ipa-server-install --realm USFS-I2.UMT.EDU. No dice. Too late, it occurred to me that ipa-client-install, when run at the end of the server install, already has the realm command line option populated with the correct realm (went back and checked):

Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'usfs-i2.umt.edu' '--server' 'ipa.usfs-i2.umt.edu' '--realm' 'USFS-I2.UMT.EDU' '--hostname' 'ipa.usfs-i2.umt.edu'' returned non-zero exit status 1

So the question now is: why is DNS discovery pre-empting the specific parameters provided on the command line? According to the output below, it looks like it understands server and domain are forced, but it does a DNS lookup on realm?


2014-07-16T21:20:51Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2014-07-16T21:20:51Z DEBUG [IPA Discovery]
2014-07-16T21:20:51Z DEBUG Starting IPA discovery with domain=usfs-i2.umt.edu, servers=['ipa.usfs-i2.umt.edu'], hostname=ipa.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG Server and domain forced
2014-07-16T21:20:51Z DEBUG [Kerberos realm search]
2014-07-16T21:20:51Z DEBUG Search DNS for TXT record of _kerberos.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG DNS record found: "usfs-i2.umt.edu."
2014-07-16T21:20:51Z DEBUG Search DNS for SRV record of _kerberos._udp.usfs-i2.umt.edu.
2014-07-16T21:20:51Z DEBUG DNS record found: 0 100 88 ipa.usfs-i2.umt.edu.
2014-07-16T21:20:51Z DEBUG [LDAP server check]
2014-07-16T21:20:51Z DEBUG Verifying that ipa.usfs-i2.umt.edu (realm usfs-i2.umt.edu.) is an IPA server
2014-07-16T21:20:51Z DEBUG Init LDAP connection to: ipa.usfs-i2.umt.edu
2014-07-16T21:20:51Z DEBUG Search LDAP server for IPA base DN
2014-07-16T21:20:51Z DEBUG Check if naming context 'dc=usfs-i2,dc=umt,dc=edu' is for IPA
2014-07-16T21:20:51Z DEBUG Naming context 'dc=usfs-i2,dc=umt,dc=edu' is a valid IPA context
2014-07-16T21:20:51Z DEBUG Search for (objectClass=krbRealmContainer) in dc=usfs-i2,dc=umt,dc=edu (sub)
2014-07-16T21:20:51Z DEBUG Found: cn=USFS-I2.UMT.EDU,cn=kerberos,dc=usfs-i2,dc=umt,dc=edu
2014-07-16T21:20:51Z WARNING Skip ipa.usfs-i2.umt.edu: cannot verify if this is an IPA server
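An added pre-install check (not code from this thread or from the FreeIPA project) that mirrors the discovery steps in the log above: it reads the `_kerberos.<domain>` TXT record and the `_kerberos._udp.<domain>` SRV record and flags the trailing dot and the case mismatch against the intended realm. The resolver callbacks are hypothetical so the check runs offline; the sample records are constructed from the values in the log.

```python
"""Sanity-check the DNS records that ipa-client-install discovery reads
before installing, so a lowercase or dotted TXT realm is caught early."""
from typing import Callable, List


def normalize_txt_realm(txt_value: str) -> str:
    """Strip surrounding quotes and a trailing dot from a TXT record value."""
    return txt_value.strip().strip('"').rstrip(".")


def validate_kerberos_dns(domain: str, expected_realm: str,
                          resolve_txt: Callable[[str], List[str]],
                          resolve_srv: Callable[[str], List[str]]) -> List[str]:
    """Return findings (empty list means the records match the realm exactly)."""
    findings = []
    txt_name = f"_kerberos.{domain}"
    txt_records = resolve_txt(txt_name)
    if not txt_records:
        findings.append(f"no TXT record at {txt_name}")
    for raw in txt_records:
        if raw.strip().strip('"').endswith("."):
            findings.append(f"TXT {txt_name} has a trailing dot: {raw}")
        realm = normalize_txt_realm(raw)
        if realm == expected_realm:
            continue
        # Discovery compares the TXT value and the realm container cn exactly,
        # so a value that differs only in case still fails the match.
        if realm.upper() == expected_realm.upper():
            findings.append(f"TXT {txt_name} realm case mismatch: "
                            f"got {realm!r}, expected {expected_realm!r}")
        else:
            findings.append(f"TXT {txt_name} realm {realm!r} != {expected_realm!r}")
    srv_name = f"_kerberos._udp.{domain}"
    srv_records = resolve_srv(srv_name)
    if not srv_records:
        findings.append(f"no SRV record at {srv_name}")
    for rec in srv_records:
        parts = rec.split()  # SRV rdata: priority weight port target
        if len(parts) != 4 or parts[2] != "88":
            findings.append(f"SRV {srv_name} unexpected rdata: {rec}")
    return findings


# Constructed records mirroring the debug log (not live DNS answers).
SAMPLE_TXT = {"_kerberos.usfs-i2.umt.edu": ['"usfs-i2.umt.edu."']}
SAMPLE_SRV = {"_kerberos._udp.usfs-i2.umt.edu": ["0 100 88 ipa.usfs-i2.umt.edu."]}


def check_sample() -> List[str]:
    """Run the check against the constructed records with the intended realm."""
    return validate_kerberos_dns("usfs-i2.umt.edu", "USFS-I2.UMT.EDU",
                                 lambda name: SAMPLE_TXT.get(name, []),
                                 lambda name: SAMPLE_SRV.get(name, []))
```

With a real resolver (for example dnspython's `dns.resolver.resolve(name, "TXT")`) plugged into the two callbacks, the same function can be run against the live zone before `ipa-server-install`.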







