<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Crap. Thought I caught this before I sent it. <br>
<br>
# rm -f /etc/ipa/ca.crt<br>
<br>
<br>
<div class="moz-cite-prefix">On 04/29/2014 01:22 PM, Bret Wortman
wrote:<br>
</div>
<blockquote cite="mid:535FDFD1.9060208@damascusgrp.com" type="cite">
I'd like to test migrating our clients from the old IPA
infrastructure to our newer F20-based servers but am having
trouble with our first clients. Unenrolling them from the old IPA
servers went fine, but when I try to enroll them with the newer
ones, the logs report:<br>
<pre>
# ipa-client-install -U --server zsipa.foo.net --domain foo.net --password obscured --mkhomedir --enable-dns-updates
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
 Failed to verify that zsipa.foo.net is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
:
:
Installation failed. Rolling back changes.
IPA client is not configured on this system.
# ps aux | grep firewalld | grep -v grep
# getenforce
Disabled
# cat /var/log/ipaclient-install.log
:
:
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm foo.net) is an IPA server
DEBUG Init LDAP connection with: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="ldap://zsipa.foo.net:389">ldap://zsipa.foo.net:389</a>
ERROR LDAP Error: Connect error: TLS error -8173:Peer's certificate issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
DEBUG will use discovered domain: foo.net
DEBUG IPA Server not found
DEBUG [IPA Discovery] Starting IPA discovery with domain=foo.net, servers=['zsipa.foo.net'], hostname=jsutil.foo.net
DEBUG Server and domain forced
DEBUG [Kerberos realm search]
DEBUG Search DNS for TXT record of _kerberos.foo.net
DEBUG DNS record found: DNSResult::name:_kerberos.foo.net.,type:16,class:1,rdata={data:FOO.NET}
DEBUG Search DNS for SRV record of _kerberos._udp.foo.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:zsipa.foo.net.}
DEBUG [LDAP server check]
DEBUG Verifying that zsipa.foo.net (realm FOO.NET) is an IPA server
DEBUG Init LDAP connection with: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="ldap://zsipa.foo.net:389">ldap://zsipa.foo.net:389</a>
ERROR LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
DEBUG Discovery result: UNKNOWN_ERROR; server=None, domain=foo.net, kdc=zsipa.foo.net, basedn=None
DEBUG Validated servers:
ERROR Failed to verify that zsipa.foo.net is an IPA Server.
ERROR This may mean that the remote server is not up or is not reachable due to network or firewall settings.
INFO Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
DEBUG (zspia.foo.net: Provided as option)
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
</pre>
<br>
I removed the timestamps for readability.<br>
<br>
It seems to me that something from the old version is hanging
around and getting in the way, or that something in the setup of
the new server isn't quite complete -- which seems more likely,
and where should I be looking for the actual cause? Is this a
problem with a certificate or with the server not being
discoverable?<br>
<br>
<br>
-- <br>
<div class="moz-signature">
<div><b>Bret Wortman</b></div>
<div><a moz-do-not-send="true" href="http://damascusgrp.com/">http://damascusgrp.com/</a><br>
</div>
<div><a moz-do-not-send="true"
href="http://about.me/wortmanbret">http://about.me/wortmanbret</a><br>
<br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
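<br>
The quoted question asks whether the failure is a certificate problem or a discovery problem; the one-line fix above (removing the stale <tt>/etc/ipa/ca.crt</tt>) shows it was the former. NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER: the client still trusted only the old infrastructure's CA, so the new server's certificate chain was rejected before LDAP discovery could even start. The following stand-alone Python check is an added example, not code from this thread or from FreeIPA's own tooling; it tells the two cases apart before <tt>ipa-client-install</tt> is run by fingerprinting every certificate in the cached <tt>ca.crt</tt> and comparing it with the SHA-256 fingerprint of the new servers' CA, which is assumed to have been obtained out of band from their administrator. The sample certificates in the block are constructed bytes wrapped in PEM armour, not real X.509 data.<br>

```python
"""Pre-enrollment check for a FreeIPA client: does the CA certificate cached
in /etc/ipa/ca.crt match the CA of the server we are about to enroll with?

Added example; not code from the thread or from FreeIPA itself.  Standard
library only.  Certificates are compared by the SHA-256 fingerprint of their
DER encoding, the same value `openssl x509 -noout -fingerprint -sha256` prints,
so the expected fingerprint can be handed over out of band by the administrator
of the new servers (assumption: that is how it reaches this script)."""

import base64
import hashlib
import os
import re

# One PEM certificate block; re.S lets the base64 body span several lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """DER bytes of every certificate in a PEM string.  A bundle may hold
    several certificates (an older ca.crt sometimes carries a chain)."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in OpenSSL's colon-separated upper-case form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_cached_ca(pem_text, expected_fp):
    """Classify the cached CA material against the new server's CA fingerprint.

    Returns "absent" (nothing cached: enrollment will fetch a fresh CA),
    "match" (the new CA is already cached) or "stale" (certificates are
    cached but none of them is the new CA: the state behind TLS error -8172
    in the thread, where the client trusts only the old issuer).
    """
    ders = pem_to_ders(pem_text)
    if not ders:
        return "absent"
    wanted = expected_fp.upper().replace(":", "")
    if any(fingerprint(der).replace(":", "") == wanted for der in ders):
        return "match"
    return "stale"


def check_ca_file(path, expected_fp):
    """Same check on a file on disk; a missing file counts as "absent"."""
    if not os.path.exists(path):
        return "absent"
    with open(path) as fh:
        return check_cached_ca(fh.read(), expected_fp)


def make_pem(der):
    """Wrap bytes in PEM armour (64-column base64); used for the sample data."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: NOT real certificates, just two distinct byte
# strings standing in for the old CA's DER and the new (F20) CA's DER.
OLD_CA_DER = b"\x30\x82\x01\x00constructed-old-ipa-ca"
NEW_CA_DER = b"\x30\x82\x01\x00constructed-f20-ipa-ca"
OLD_CA_PEM = make_pem(OLD_CA_DER)
NEW_CA_FP = fingerprint(NEW_CA_DER)

if __name__ == "__main__":
    # The three states, then the real file on this host.
    print("old ca.crt only  :", check_cached_ca(OLD_CA_PEM, NEW_CA_FP))
    print("old + new bundle :",
          check_cached_ca(OLD_CA_PEM + make_pem(NEW_CA_DER), NEW_CA_FP))
    print("no ca.crt        :", check_cached_ca("", NEW_CA_FP))
    print("/etc/ipa/ca.crt  :", check_ca_file("/etc/ipa/ca.crt", NEW_CA_FP))
```

A result of "stale" is the situation in this thread: the cached file should be removed (or replaced with the new CA) before the installer is re-run, since an unattended <tt>-U</tt> run will otherwise fail the same way again. "absent" means this file is not the cause, and the discovery lines and the port list in <tt>ipaclient-install.log</tt> are the next thing to look at.<br>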
<br>
</body>
</html>