[Freeipa-users] Crazy Cert problem?

Janelle janellenicole80 at gmail.com
Wed Jun 17 13:19:30 UTC 2015


On 6/17/15 6:14 AM, Rob Crittenden wrote:
> Janelle wrote:
>> Hi,
>>
>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>> was re-installed. However, prior to the re-install it was saying the
>> wonderful:
>>
>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>> by the user.
>>
>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>> replica or trying to join it back in to the existing ring of servers)
>> and at the end of the ipa-server-install - it gives:
>>
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Restarting the web server
>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>> exit status 1
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>> 'ipa001.example.com'' returned non-zero exit status 1
>>
>> and checking /var/log/ipaclient-install.log - the exact same TLS 
>> error????
>>
>> But this is a brand new system, with brand new OS and the install was
>> ipa-server-install to install a clean server.
>>
>> I don't understand how this is happening. There is no "peer" to be not
>> trusted?
>
> What version of IPA and distro? (I don't think that probably has 
> anything to do with it, just curious in case it does eventually matter).
>
> What does /etc/openldap/ldap.conf look like? Normally it should have 
> TLS_CACERT /etc/ipa/ca.crt
>
> Any chance you can share the server and client install logs?
>
> rob
4.1.4 = IPA
CentOS 7.1

Oooh... Found something:  /etc/openldap/ldap.conf:

TLS_CACERTDIR    /etc/openldap/certs

Going to investigate.
~J
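Added example, not code from this thread or from FreeIPA: a small POSIX sh audit of an OpenLDAP client ldap.conf that distinguishes the file Janelle found (only TLS_CACERTDIR /etc/openldap/certs) from the one Rob describes (TLS_CACERT /etc/ipa/ca.crt), and appends the missing directive. The CA path /etc/ipa/ca.crt is taken from Rob's reply; the two sample files, the verdict names and the helper function names are my own constructions, and the hostname/base DN in the sample are reused from the thread only as illustrative values.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): audit an
# OpenLDAP client ldap.conf for the CA directive Rob expects on an IPA
# host, and show the corrected stanza next to the one Janelle found.
#
# Assumptions (mine, not stated in the thread): the IPA CA chain is at
# /etc/ipa/ca.crt, and awk, sed and mktemp are available as on CentOS 7.

IPA_CA_FILE="/etc/ipa/ca.crt"

# Print one word describing the effective TLS CA setting in FILE; always
# returns 0 so it is safe inside $(...) under set -e.
#   ipa-ca          TLS_CACERT points at /etc/ipa/ca.crt (what Rob expects)
#   other-cacert    TLS_CACERT points somewhere else
#   cacertdir-only  only TLS_CACERTDIR is set (what Janelle found)
#   none            no TLS_CACERT* directive at all
# Comment lines never match because "#" is glued to or precedes the key.
# If a directive is repeated, the last occurrence is taken.
ldap_ca_verdict() {
    cacert=$(awk 'toupper($1)=="TLS_CACERT"    {v=$2} END {print v}' "$1")
    cadir=$(awk  'toupper($1)=="TLS_CACERTDIR" {v=$2} END {print v}' "$1")
    if [ "$cacert" = "$IPA_CA_FILE" ]; then
        echo ipa-ca
    elif [ -n "$cacert" ]; then
        echo other-cacert
    elif [ -n "$cadir" ]; then
        echo cacertdir-only
    else
        echo none
    fi
    return 0
}

# Exit 0 only when FILE already carries TLS_CACERT /etc/ipa/ca.crt.
check_ldap_conf() {
    [ "$(ldap_ca_verdict "$1")" = "ipa-ca" ]
}

# Append the expected TLS_CACERT line when it is missing. Any existing
# TLS_CACERTDIR line is left in place: the thread only says TLS_CACERT
# should be present, not that TLS_CACERTDIR has to go.
fix_ldap_conf() {
    if ! check_ldap_conf "$1"; then
        printf '\n# added: trust the IPA CA for ldaps/StartTLS\nTLS_CACERT %s\n' \
            "$IPA_CA_FILE" >> "$1"
    fi
}

# Write two constructed sample files into DIR: "bad.conf" mirrors what
# Janelle found, "good.conf" what Rob said the file should normally hold.
write_sample_confs() {
    cat > "$1/bad.conf" <<'EOF'
# constructed sample: stock CentOS 7 ldap.conf, no IPA CA
TLS_CACERTDIR    /etc/openldap/certs
EOF
    cat > "$1/good.conf" <<'EOF'
# constructed sample: what Rob says ldap.conf should normally contain
URI ldaps://ipa001.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
EOF
}

# Demo: diagnose both samples, fix the bad one, re-check it.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in bad.conf good.conf; do
    printf '%-10s %s\n' "$f" "$(ldap_ca_verdict "$demo_dir/$f")"
done
fix_ldap_conf "$demo_dir/bad.conf"
printf 'bad.conf after fix: %s\n' "$(ldap_ca_verdict "$demo_dir/bad.conf")"
rm -rf "$demo_dir"
```

Run it as-is to see the two verdicts and the post-fix result; to audit a real host, call `ldap_ca_verdict /etc/openldap/ldap.conf` and, if the answer is anything but ipa-ca, `fix_ldap_conf /etc/openldap/ldap.conf` as root. The verdict function is kept side-effect free and always exits 0 so it can be composed into other checks without tripping `set -e`; the fix deliberately appends rather than rewriting, so whatever else is in the file survives for inspection.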