[Freeipa-users] Crazy Cert problem?

Rob Crittenden rcritten at redhat.com
Wed Jun 17 13:14:16 UTC 2015


Janelle wrote:
> Hi,
>
> Had a server - named ipa001.example.com -- it was a replica. It died. It
> was re-installed. However, prior to the re-install it was saying the
> wonderful:
>
> TLS error -8172:Peer's certificate issuer has been marked as not trusted
> by the user.
>
> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
> replica or trying to join it back in to the existing ring of servers)
> and at the end of the ipa-server-install - it gives:
>
> Done.
> Restarting the directory server
> Restarting the KDC
> Restarting the certificate server
> Restarting the web server
> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
> exit status 1
> Configuration of client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--on-master' '--unattended' '--domain' 'example.com' '--server'
> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
> 'ipa001.example.com'' returned non-zero exit status 1
>
> and checking /var/log/ipaclient-install.log - the exact same TLS error????
>
> But this is a brand new system, with brand new OS and the install was
> ipa-server-install to install a clean server.
>
> I don't understand how this is happening. There is no "peer" to be not
> trusted?

What version of IPA and distro? (I don't think that probably has 
anything to do with it, just curious in case it does eventually matter).

What does /etc/openldap/ldap.conf look like? Normally it should have 
TLS_CACERT /etc/ipa/ca.crt

Any chance you can share the server and client install logs?

rob
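Rob's question about TLS_CACERT can be checked mechanically. The shell functions below are an added example for this thread, not something posted on the list or shipped by FreeIPA: they read the TLS_CACERT directive from an ldap.conf-style file and verify that the referenced CA file exists and holds a PEM certificate. That file is the trust anchor the OpenLDAP tools use when `ldappasswd -ZZ` (StartTLS required, verification required) checks the directory server's certificate; NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER, meaning the chain the server presented did not end in a CA the client trusts. The files the demo creates are constructed placeholders, not real IPA data; the only real path assumed is /etc/openldap/ldap.conf, which the reply above names.

```shell
#!/bin/sh
# ldap_tls_cacert_path CONF
#   Print the value of the last TLS_CACERT directive in CONF (later directives
#   override earlier ones; comment and blank lines are ignored). Prints nothing
#   when the directive is absent.
ldap_tls_cacert_path() {
    sed -n 's/^[[:space:]]*TLS_CACERT[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# check_ldap_tls_cacert CONF
#   Return 0 when CONF names a readable PEM CA file, 1 otherwise, with a
#   one-line reason on stderr. This is the state ldappasswd -ZZ needs before
#   it can trust the directory server's certificate.
check_ldap_tls_cacert() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    cacert=$(ldap_tls_cacert_path "$conf")
    if [ -z "$cacert" ]; then
        echo "no TLS_CACERT directive in $conf (expected e.g. TLS_CACERT /etc/ipa/ca.crt)" >&2
        return 1
    fi
    echo "TLS_CACERT = $cacert"
    [ -r "$cacert" ] || { echo "CA file $cacert is missing or unreadable" >&2; return 1; }
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "$cacert contains no PEM certificate" >&2
        return 1
    fi
    echo "CA file $cacert present, $(grep -c 'BEGIN CERTIFICATE' "$cacert") certificate(s)"
    return 0
}

# demo: exercise the check on constructed files in a temp dir (placeholder
# certificate text, not a real CA), then report the exit codes.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIB...constructed placeholder, not a real certificate...' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '# constructed ldap.conf\nBASE dc=example,dc=com\nTLS_CACERT %s\n' "$d/ca.crt" > "$d/good.conf"
    printf '# constructed ldap.conf pointing at a file that no longer exists\nTLS_CACERT %s/missing.crt\n' "$d" > "$d/stale.conf"
    check_ldap_tls_cacert "$d/good.conf";  good=$?
    check_ldap_tls_cacert "$d/stale.conf"; stale=$?
    rm -rf "$d"
    echo "good.conf rc=$good stale.conf rc=$stale"
}

demo
# On a real host, run the check against the client configuration instead:
# check_ldap_tls_cacert /etc/openldap/ldap.conf
```

A non-zero result from `check_ldap_tls_cacert /etc/openldap/ldap.conf` on the rebuilt host would explain the log line in the quoted output without any "peer" being involved: the client simply has no usable anchor to verify the new server's certificate against. A zero result only shows the file is present and well-formed; whether it actually is the CA that signed the new server's certificate is the next thing to compare.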
