<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> </head> <body> On Mon, 2013-07-22 at 17:51 +0000, Armstrong, Kenneth Lawrence wrote: <blockquote type="CITE">On Mon, 2013-07-22 at 13:41 -0400, Rob Crittenden wrote: <blockquote type="CITE"> <pre> Armstrong, Kenneth Lawrence wrote: > Hi all, > > I have a RHEL 6 IdM test domain set up. In production, we have RHEL 5 > and RHEL 4 clients as well, so I was going to test that out. > > However, I can not get a RHEL 5.9 client to join the domain. > > [root@r5-idmclient <<a href="mailto:root@r5-idmclient">mailto:root@r5-idmclient</a>> ~]# ipa-client-install > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu > root : ERROR LDAP Error: Connect error: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server. > This may mean that the remote server is not up or is not reachable > due to network or firewall settings. > Installation failed. Rolling back changes. > IPA client is not configured on this system. > > > Digging a little bit and I see that the ipa-client is an older version: > > ipa-client-2.1.3-5.el5_9.2 > > Doing a yum update/upgrade doesn't show a newer version. > > I was considering a manual installation, but the ipa-admintools don't > appear to be available for RHEL 5.9? > > Is there a way to make this work? I'd first try removing /etc/ipa/ca.crt and try the enrollment again. It should be possible to use the 2.1.3 client in EL 5 to enroll against a 3.x server. Otherwise we probably need more context from /var/log/ipaclient-install.log to see how the CA was retrieved. rob </pre> </blockquote> Thanks for the tip. I tried it again, and it still failed. End of the log: [<a href="mailto:root@r5-idmclient">root@r5-idmclient</a> ~]# tail -20 /var/log/ipaclient-install.log lnxrealmtest.liberty.edu = LNXREALMTEST.LIBERTY.EDU 2013-07-22 13:45:36,982 DEBUG args=kinit <a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU"> admin@LNXREALMTEST.LIBERTY.EDU</a> 2013-07-22 13:45:36,983 DEBUG stdout=Password for <a href="mailto:admin@LNXREALMTEST.LIBERTY.EDU"> admin@LNXREALMTEST.LIBERTY.EDU</a>: 2013-07-22 13:45:36,983 DEBUG stderr= 2013-07-22 13:45:36,983 DEBUG trying to retrieve CA cert via LDAP from ldap://lnxrealmtest01.liberty.edu 2013-07-22 13:45:37,181 INFO Successfully retrieved CA cert Subject: /O=LNXREALMTEST.LIBERTY.EDU/CN=Certificate Authority Issuer: /DC=edu/DC=liberty/CN=LUPKI01 2013-07-22 13:45:37,344 DEBUG args=/usr/sbin/ipa-join -s lnxrealmtest01.liberty.edu -b dc=lnxrealmtest,dc=liberty,dc=edu 2013-07-22 13:45:37,345 DEBUG stdout= 2013-07-22 13:45:37,345 DEBUG stderr=libcurl failed to execute the HTTP POST transaction. SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 2013-07-22 13:45:37,490 DEBUG args=kdestroy 2013-07-22 13:45:37,491 DEBUG stdout= 2013-07-22 13:45:37,491 DEBUG stderr= <pre> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> I just stood up a brand new RHEL 6 client, and it works just fine, so there is something amiss with RHEL 5 on this. The time on the RHEL 5 client and the RHEL 6 IdM server is the same, and the cert is valid, so I don't know why the RHEL 5 system does not like the cert. Could it be something with the versions of packages installed on it? libipa_hbac-1.5.1-58.el5 ipa-client-2.1.3-5.el5_9.2 curl-7.15.5-17.el5_9 openssl-0.9.8e-26.el5_9.1 </body> </html>