<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="GENERATOR" content="GtkHTML/4.6.5"> </head> <body> On Fri, 2013-07-26 at 10:20 -0400, Rob Crittenden wrote: <blockquote type="CITE"> <pre> Armstrong, Kenneth Lawrence wrote: > On Fri, 2013-07-26 at 06:21 -0400, Eduardo Minguez wrote: > Ok, if I have time, I'll try with a RHEL 5.8 client today. > > > As for debug output, this is what I get: > > [root@r5-idmclient <<a href="mailto:root@r5-idmclient">mailto:root@r5-idmclient</a>> ~]# ipa-client-install > --server lnxrealmtest01.liberty.edu --domain lnxrealmtest.liberty.edu > --enable-dns-updates --no-ntp --ca-cert-file=/etc/ipa/ca.crt -d > root : DEBUG /usr/sbin/ipa-client-install was invoked with > options: {'conf_ntp': False, 'domain': 'lnxrealmtest.liberty.edu', > 'uninstall': False, 'force': False, 'sssd': True, > 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, > 'server': 'lnxrealmtest01.liberty.edu', 'prompt_password': False, > 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, > 'debug': True, 'on_master': False, 'ca_cert_file': '/etc/ipa/ca.crt', > 'realm_name': None, 'unattended': None, 'ntp_server': None, 'principal': > None} > root : DEBUG missing options might be asked for interactively > later > > root : DEBUG Loading Index file from > '/var/lib/ipa-client/sysrestore/sysrestore.index' > root : DEBUG Loading StateFile from > '/var/lib/ipa-client/sysrestore/sysrestore.state' > root : DEBUG [ipadnssearchkrb] > root : DEBUG [ipacheckldap] > root : DEBUG Init ldap with: ldap://lnxrealmtest01.liberty.edu:389 > root : ERROR LDAP Error: Connect error: TLS: hostname does not > match CN in peer certificate > root : DEBUG will use domain: lnxrealmtest.liberty.edu > > root : DEBUG will use server: lnxrealmtest01.liberty.edu > > Failed to verify that lnxrealmtest01.liberty.edu is an IPA Server. > This may mean that the remote server is not up or is not reachable > due to network or firewall settings. > Installation failed. Rolling back changes. > IPA client is not configured on this system. > > > I do have an A record and PTR record for both lnxrealmtest01.liberty.edu > and lnxrealmtest.lnxrealmtest.liberty.edu. > > The part that confuses me (I'm still new to the innards of SSL) is this: > > DAP Error: Connect error: TLS: hostname does not match CN in peer > certificate > > When I look at the cert using: > > openssl x509 -in /etc/ipa/ca.crt -noout -text > > I see this: > > Issuer: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority > Validity > Not Before: Jul 25 18:22:53 2013 GMT > Not After : Jul 25 18:22:53 2033 GMT > Subject: O=LNXREALMTEST.LIBERTY.EDU, CN=Certificate Authority > > > and ... > > OCSP - URI:<a href="http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp">http://lnxrealmtest01.lnxrealmtest.liberty.edu:80/ca/ocsp</a> No, you looked at the wrong certificate. To look at it use: # certutil -L -d /etc/dirsrv/slapd-LNXREALMTEST-LIBERTY-EDU -n Server-Cert rob </pre> </blockquote> Ok, that makes sense. The CN in that cert is correct, so I corrected my command. It's still failing on binding a user it looks like. I've attached the complete output. -Kenny </body> </html>