[Freeipa-users] Crazy Cert problem?

Rob Crittenden rcritten at redhat.com
Wed Jun 17 13:21:47 UTC 2015


Janelle wrote:
> On 6/17/15 6:14 AM, Rob Crittenden wrote:
>> Janelle wrote:
>>> Hi,
>>>
>>> Had a server - named ipa001.example.com -- it was a replica. It died. It
>>> was re-installed. However, prior to the re-install it was saying the
>>> wonderful:
>>>
>>> TLS error -8172:Peer's certificate issuer has been marked as not trusted
>>> by the user.
>>>
>>> It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a
>>> replica or trying to join it back in to the existing ring of servers)
>>> and at the end of the ipa-server-install - it gives:
>>>
>>> Done.
>>> Restarting the directory server
>>> Restarting the KDC
>>> Restarting the certificate server
>>> Restarting the web server
>>> Unable to set admin password Command ''/usr/bin/ldappasswd' '-h'
>>> 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y'
>>> '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs'
>>> 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero
>>> exit status 1
>>> Configuration of client side components failed!
>>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>>> '--on-master' '--unattended' '--domain' 'example.com' '--server'
>>> 'ipa001.example.com' '--realm' 'example.com' '--hostname'
>>> 'ipa001.example.com'' returned non-zero exit status 1
>>>
>>> and checking /var/log/ipaclient-install.log - the exact same TLS
>>> error????
>>>
>>> But this is a brand new system, with brand new OS and the install was
>>> ipa-server-install to install a clean server.
>>>
>>> I don't understand how this is happening. There is no "peer" to be not
>>> trusted?
>>
>> What version of IPA and distro? (I don't think that probably has
>> anything to do with it, just curious in case it does eventually matter).
>>
>> What does /etc/openldap/ldap.conf look like? Normally it should have
>> TLS_CACERT /etc/ipa/ca.crt
>>
>> Any chance you can share the server and client install logs?
>>
>> rob
> 4.1.4 = IPA
> CentOS 7.1
>
> Oooh... Found something:  /etc/openldap/ldap.conf:
>
> TLS_CACERTDIR    /etc/openldap/certs
>
> Going to investigate.
> ~J
>

That should be fine assuming there aren't any certs in there (and on a 
brand new system I'd think you'd have empty NSS databases).

rob
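As an added example (not code from the thread or from the FreeIPA project), a POSIX shell script that performs the two checks the reply above points at: which CA trust source /etc/openldap/ldap.conf names (TLS_CACERT /etc/ipa/ca.crt versus TLS_CACERTDIR /etc/openldap/certs), and whether the NSS database in /etc/openldap/certs actually holds any certificates. The sample ldap.conf contents are constructed for the example; the handling of certutil's output format (three header lines before the entries) and the dbm/sql prefix choice are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA. Checks the two things
# the reply above asks about: which CA trust source ldap.conf points at, and
# whether the NSS database directory actually contains any certificates.

# Print the value of an ldap.conf directive (name matched case-insensitively,
# comment lines skipped). Prints nothing when the directive is absent; if it
# appears more than once the last occurrence is reported.
ldap_conf_get() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Summarise where the OpenLDAP client will look for CA trust:
#   "file <path>"        TLS_CACERT only    (what an IPA-managed host normally has)
#   "dir <path>"         TLS_CACERTDIR only (an NSS database directory on CentOS 7)
#   "both <file> <dir>"  both directives present
#   "none"               neither directive; no CA trust is configured at all
ldap_ca_trust() {
    f=$(ldap_conf_get "$1" TLS_CACERT)
    d=$(ldap_conf_get "$1" TLS_CACERTDIR)
    if   [ -n "$f" ] && [ -n "$d" ]; then echo "both $f $d"
    elif [ -n "$f" ]; then echo "file $f"
    elif [ -n "$d" ]; then echo "dir $d"
    else echo "none"
    fi
}

# Count certificates in an NSS database directory. Prints 0 when no database
# files exist there (the empty state a fresh install should be in), "unknown"
# when certutil is unavailable, otherwise the number of entries.
# Assumptions: certutil -L prints three header lines before the entries, and a
# cert9.db needs the "sql:" prefix while cert8.db is the default dbm format.
nss_db_cert_count() {
    dir=$1
    if   [ -f "$dir/cert9.db" ]; then db="sql:$dir"
    elif [ -f "$dir/cert8.db" ]; then db="$dir"
    else echo 0; return 0
    fi
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; install nss-tools to inspect $dir" >&2
        echo unknown; return 0
    fi
    certutil -L -d "$db" 2>/dev/null | awk 'NR > 3 && NF > 0' | wc -l | tr -d ' '
}

# Constructed samples for offline use; the first mirrors what the thread reports.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/ldap.conf.thread" <<'EOF'
# constructed sample, as reported on the rebuilt host
URI ldaps://ipa001.example.com
BASE dc=example,dc=com
TLS_CACERTDIR    /etc/openldap/certs
EOF
cat > "$SAMPLE_DIR/ldap.conf.ipa" <<'EOF'
# constructed sample, as an IPA-managed ldap.conf normally looks
URI ldaps://ipa001.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
EOF
mkdir "$SAMPLE_DIR/nss-empty"

# Run against the real files when present, otherwise against the samples.
conf=/etc/openldap/ldap.conf
[ -f "$conf" ] || conf="$SAMPLE_DIR/ldap.conf.thread"
echo "$conf: CA trust = $(ldap_ca_trust "$conf")"

certdir=/etc/openldap/certs
[ -d "$certdir" ] || certdir="$SAMPLE_DIR/nss-empty"
n=$(nss_db_cert_count "$certdir")
case "$n" in
    0)       echo "$certdir: no certificates (expected on a freshly installed host)" ;;
    unknown) echo "$certdir: could not inspect" ;;
    *)       echo "$certdir: $n certificate(s) present; list them with: certutil -L -d $certdir" ;;
esac
```

On a host where ldap.conf names only TLS_CACERTDIR and that directory holds a stale CA from a previous life of the machine, the script reports both facts, which is the combination that would make a fresh server distrust its own CA; an empty database plus TLS_CACERT /etc/ipa/ca.crt is the expected state after ipa-server-install.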