[Freeipa-users] Joining realm failed with "SSL certificate problem: self signed certificate in certificate chain"
Rob Crittenden
rcritten at redhat.com
Fri Jan 29 15:12:06 UTC 2016
Harald Dunkel wrote:
> Hi folks,
>
> Problem: ipa-client-install fails with
>
> # rm -f /etc/ipa/ca.crt
> # ipa-client-install
> Discovery was successful!
> Hostname: srvl023.ac.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa1.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for admin at EXAMPLE.COM:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=example AG,C=COM
> Issuer: CN=example Root CA,OU=example Certificate Authority,O=example AG,C=COM
> Valid From: Mon Dec 28 10:35:30 2015 UTC
> Valid Until: Mon Dec 31 23:59:59 2035 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: self signed certificate in certificate chain
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> ???
> Is this the chain sent from the ipa server to the new host?
>
> Every helpful idea would be highly appreciated.
>
What version of server and client?
I gather you have installed with an external CA? How many certs are in
/etc/ipa/ca.crt?
rob