Hi Folks,
I've been blocked by this issue for several days. I am trying to enroll one machine to the IPA server with:

ipa-client-install --mkhomedir --domain=domain1.com --server=ipa.domain.com --realm=DOMAIN.COM --force-ntpd --hostname=ipa.domain1.com

The error message is: Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: unable to get local issuer certificate
Then I checked /etc/pki/tls/certs/ca-bundle.crt; the root CA and the IPA server cert are present in ca-bundle.crt. Would you please let me know how to fix the issue? Thanks in advance!
Best regards, Bryan
On the server side, we are using a separate Apache as a proxy, and we put our own CA certificate in Apache to enable SSL and HTTPS.
After adding the certificates and chain of *.domain.com to /etc/ipa/ca.crt on the master FreeIPA, copy the ca.crt file to the client machine and rename it to ca.pem with mv ca.crt ca.pem. This ca.pem includes all required certificates for both the IPA server and the HTTPS server. Then run the ipa-client-install command like below; it will work for a new client machine:

ipa-client-install --mkhomedir --domain=domain2.com --server=ipa.domain.com --realm=DOMAIN.COM --force-ntpd --hostname=ipa.domain2.com -d --ca-cert-file=/home/ec2-user/ca.pem
Bryan Fang via FreeIPA-users wrote:
> After adding the certificates and chain of *.domain.com to /etc/ipa/ca.crt on the master FreeIPA, copy the ca.crt file to the client machine and rename it to ca.pem with mv ca.crt ca.pem. This ca.pem includes all required certificates for both the IPA server and the HTTPS server. Then run the ipa-client-install command like below; it will work for a new client machine:
>
> ipa-client-install --mkhomedir --domain=domain2.com --server=ipa.domain.com --realm=DOMAIN.COM --force-ntpd --hostname=ipa.domain2.com -d --ca-cert-file=/home/ec2-user/ca.pem

If you use ipa-cacert-manage to load the external CA certificates onto the IPA server, then using a custom ca-cert-file shouldn't be necessary, as the entire cert chain will be pulled down as part of the installation.
Note that when you add custom certificates you should run ipa-certupdate on all IPA hosts, clients and servers, to pull in the new chain.
rob
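Before enrolling, it helps to confirm that the bundle you are about to hand to the client (whether /etc/ipa/ca.crt or a ca.pem passed via --ca-cert-file) actually contains the issuer of the certificate the Apache proxy serves. The following shell helpers are an added example, not part of the thread or of FreeIPA; they only need the openssl CLI, and the host name ipa.example.test used in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a CA bundle such as /etc/ipa/ca.crt
# (or the ca.pem passed to --ca-cert-file) and confirm that the certificate the
# HTTPS proxy serves actually chains to it. This is the check behind the
# "unable to get local issuer certificate" error. Requires the openssl CLI.

# count_certs BUNDLE: number of PEM certificates in the file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# list_bundle BUNDLE: one line per certificate with subject, issuer and expiry,
# so you can see whether the proxy's issuing CA is really in the bundle.
list_bundle() {
    dir=$(mktemp -d)
    # split the bundle; lines before the first BEGIN (comments) are dropped
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$1"
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -subject -issuer -enddate | tr '\n' ' '
        echo
    done
    rm -rf "$dir"
}

# fetch_served_chain HOST PORT OUT: save the chain a TLS server presents (e.g. the
# Apache proxy in front of IPA, ipa.example.test:443 as a placeholder) so it can
# be verified offline against the bundle.
fetch_served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# verify_server_cert BUNDLE CERT: exit 0 only if CERT chains to a root in BUNDLE.
# -untrusted lets intermediates in the same bundle complete the chain; only a
# self-signed root counts as a trust anchor, as in libcurl/OpenSSL verification.
verify_server_cert() {
    openssl verify -CAfile "$1" -untrusted "$1" "$2" >/dev/null 2>&1
}
```

Typical use: fetch_served_chain ipa.example.test 443 served.pem, then verify_server_cert /etc/ipa/ca.crt served.pem; a non-zero exit means ipa-client-install will fail the same way until the missing issuer is added (or loaded with ipa-cacert-manage and propagated with ipa-certupdate).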
freeipa-users@lists.fedorahosted.org