Petar
2019-05-20T11:13:47Z DEBUG [IPA Discovery]
2019-05-20T11:13:47Z DEBUG Starting IPA discovery with domain=example.com, servers=['myipaserver.example.com'], hostname=myclient.example.net
2019-05-20T11:13:47Z DEBUG Server and domain forced
2019-05-20T11:13:47Z DEBUG [Kerberos realm search]
2019-05-20T11:13:47Z DEBUG Search DNS for TXT record of _kerberos.example.com
2019-05-20T11:13:47Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:47Z DEBUG [LDAP server check]
2019-05-20T11:13:47Z DEBUG Verifying that myipaserver.example.com (realm None) is an IPA server
2019-05-20T11:13:47Z DEBUG Init LDAP connection to: myipaserver.example.com
2019-05-20T11:13:48Z DEBUG Search LDAP server for IPA base DN
2019-05-20T11:13:49Z DEBUG Check if naming context 'dc=example,dc=com' is for IPA
2019-05-20T11:13:49Z DEBUG Naming context 'dc=example,dc=com' is a valid IPA context
2019-05-20T11:13:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
2019-05-20T11:13:49Z DEBUG Found: cn=example.com,cn=kerberos,dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Discovery result: Success; server=myipaserver.example.com, domain=example.com, kdc=None, basedn=dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Validated servers: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered domain: example.com
2019-05-20T11:13:49Z DEBUG Using servers from command line, disabling DNS discovery
2019-05-20T11:13:49Z DEBUG will use provided server: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered realm: example.com
2019-05-20T11:13:49Z DEBUG will use discovered basedn: dc=example,dc=com
2019-05-20T11:13:49Z INFO Hostname: myclient.example.net
2019-05-20T11:13:49Z DEBUG Hostname source: Provided as option
2019-05-20T11:13:49Z INFO Realm: example.com
2019-05-20T11:13:49Z DEBUG Realm source: Discovered from LDAP DNS records in myipaserver.example.com
2019-05-20T11:13:49Z INFO DNS Domain: example.com
2019-05-20T11:13:49Z DEBUG DNS Domain source: Forced
2019-05-20T11:13:49Z INFO IPA Server: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG IPA Server source: Provided as option
2019-05-20T11:13:49Z INFO BaseDN: dc=example,dc=com
2019-05-20T11:13:49Z DEBUG BaseDN source: From IPA server ldap://myipaserver.example.com:389
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r example.com
2019-05-20T11:13:49Z DEBUG Process finished, return code=5
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=realm not found
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/bin/hostname myclient.example.net
2019-05-20T11:13:49Z DEBUG Process finished, return code=0
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=
2019-05-20T11:13:49Z DEBUG Backing up system configuration file '/etc/hostname'
2019-05-20T11:13:49Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:49Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-20T11:13:49Z INFO Synchronizing time with KDC...
2019-05-20T11:13:49Z DEBUG Search DNS for SRV record of _ntp._udp.example.com
2019-05-20T11:13:50Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:50Z DEBUG Process finished, return code=2
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=Unknown command
2019-05-20T11:13:50Z DEBUG Writing Kerberos configuration to /tmp/tmpJH6hjP:
2019-05-20T11:13:50Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.com = {
kdc = myipaserver.example.com:88
master_kdc = myipaserver.example.com:88
admin_server = myipaserver.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.clientexample.com = example.com
clientexample.com = example.com
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=kinit admin@example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=0
2019-05-20T11:13:50Z DEBUG stdout=Password for admin@example.com:
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG trying to retrieve CA cert from file /tmp/ca.crt
2019-05-20T11:13:50Z DEBUG CA cert provided by user, use it!
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ipa-join -s myipaserver.example.com -b dc=example,dc=com -h myclient.example.net -f
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=example.com
2019-05-20T11:13:54Z INFO Enrolled in IPA realm example.com
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=kdestroy
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/myclient.example.net@example.com
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2019-05-20T11:13:54Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2019-05-20T11:13:54Z INFO Created /etc/ipa/default.conf
2019-05-20T11:13:54Z DEBUG importing all plugin modules in '/usr/lib/python2.7/dist-packages/ipalib/plugins'...
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=klist -V
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=Kerberos 5 version 1.12
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'
2019-05-20T11:13:55Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2019-05-20T11:13:55Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2019-05-20T11:13:55Z INFO New SSSD config will be created
2019-05-20T11:13:55Z INFO Configured /etc/sssd/sssd.conf
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=/usr/bin/certutil -A -d sql:/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2019-05-20T11:13:55Z DEBUG Process finished, return code=0
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=
2019-05-20T11:13:55Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2019-05-20T11:13:55Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:55Z DEBUG Process finished, return code=2
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=Unknown command
2019-05-20T11:13:55Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2019-05-20T11:13:55Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = example.com
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
example.com = {
kdc = myipaserver.example.com:88
master_kdc = myipaserver.example.com:88
admin_server = myipaserver.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.clientexample.com = example.com
clientexample.com = example.com
2019-05-20T11:13:55Z INFO Configured /etc/krb5.conf for IPA realm example.com
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user ipa_session_cookie:host/myclient.example.net@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user ipa_session_cookie:host/myclient.example.net@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG failed to find session_cookie in persistent storage for principal 'host/myclient.example.net@example.com'
2019-05-20T11:13:56Z DEBUG trying https://myipaserver.example.com/ipa/xml
2019-05-20T11:13:56Z DEBUG Created connection context.xmlclient
2019-05-20T11:13:56Z DEBUG Try RPC connection
2019-05-20T11:13:56Z DEBUG Forwarding 'ping' to server 'https://myipaserver.example.com/ipa/xml'
2019-05-20T11:13:56Z DEBUG NSSConnection init myipaserver.example.com
2019-05-20T11:13:56Z DEBUG Connecting: 94.130.154.230:0
2019-05-20T11:13:56Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 337206521890680437858189420391339302183775 (0x3def5fdcb91c7146fc7d3cb8c096bd5e35f)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Validity:
Not Before: Fri Apr 05 07:19:18 2019 UTC
Not After : Thu Jul 04 07:19:18 2019 UTC
Subject: CN=myipaserver.example.com
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b4:68:c6:c8:b4:4f:df:50:5a:f0:00:4b:ea:09:9d:77:
1c:20:20:b6:ce:d7:64:24:c8:ec:65:ad:69:de:a1:ea:
b4:a1:d6:4e:46:88:d5:e5:ea:e6:9c:70:d8:8a:00:7e:
cd:c0:0f:2e:e7:e5:1f:3e:72:00:81:ab:b8:58:90:89:
f6:81:ee:6a:87:f4:85:34:32:46:5f:0e:45:5c:05:69
Exponent: 65537 (0x10001)
Signed Extensions: (9)
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Key Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: Certificate Basic Constraints
Critical: True
Is CA: False
Path Length: 0
Name: Certificate Subject Key ID
Critical: False
Data:
cb:c7:a1:bc:07:0a:ba:f9:d6:55:85:ea:e4:13:3a:e6:
6d:1c:64:93
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:
f3:a8:ec:a1
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Name: Certificate Subject Alt Name
Critical: False
Names:
Name: Certificate Policies
Critical: False
Name: OID.1.3.6.1.4.1.11129.2.4.2
Critical: False
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
1b:9b:b3:c8:cb:c6:2b:1c:e9:f5:4b:6b:f2:2f:81:56:
55:00:33:bc:02:ba:e9:c4:58:76:b5:1b:05:ed:bc:d7:
94:4d:45:42:78:82:b1:77:5c:d6:c5:a3:92:e1:b6:5a:
d7:b1:b0:25:6b:c9:5c:bb:37:a8:f5:56:c4:1e:b2:cb:
a7:18:78:fc:a4:5c:a1:38:c0:39:bc:3c:7b:22:34:30:
32:02:07:12:15:16:38:c6:8d:c2:4c:e0:7d:b8:66:74:
84:44:23:eb:3f:8d:11:5e:92:77:cc:e0:ee:c4:59:12
Fingerprint (MD5):
a4:df:06:9a:a3:e1:61:93:40:cc:8e:ea:6d:2
Fingerprint (SHA1):
23:88:55:80:b7:6f:0f:d0:86:c0:4f:c3:c8:92:67:c3:
2019-05-20T11:13:56Z ERROR cert validation failed for "CN=myipaserver.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
2019-05-20T11:13:56Z ERROR Cannot connect to the server due to generic error: cannot connect to 'https://myipaserver.example.com/ipa/xml': [Errno -8179] (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
2019-05-20T11:13:56Z ERROR Installation failed. Rolling back changes.
2019-05-20T11:13:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2019-05-20T11:13:56Z DEBUG Starting external process
2019-05-20T11:13:56Z DEBUG args=ipa-client-automount --uninstall --debug
2019-05-20T11:13:58Z DEBUG Process finished, return code=0
2019-05-20T11:13:58Z DEBUG stdout=Restoring configuration
On May 17, 2019 at 4:40:47 PM, Rob Crittenden (rcritten@redhat.com) wrote:
Petar Kozić via FreeIPA-users wrote:
>
>> Petar Kozić via FreeIPA-users wrote:
>> > Hi folks,
>> > one question.
>> > These days I join my machine into IPA. Almost all machine have Ubuntu
>> > 18.04. I jointed about 10 machine in last two days. Today I tried to
>> > join Debian 8 jessie but I have problem.
>> >
>> > All machine I join with same command:
>> >
>> > ipa-client-install -U —domain=example.com <http://example.com> <http://example.com>
>> > —hostname=clientexample.com <http://clientexample.com> <http://clientexample.com>
>> > —server=ipa.example.com <http://ipa.example.com> <http://ipa.example.com>
>> —realm=EXAMPLE.com
>> > —password=XXXxxxXXX --principal=admin —mkhomedir
>> >
>> > On Debian machine I got this error in process of join:
>> >
>> > Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
>> > cert validation failed for “CN=ipa.example.com <http://ipa.example.com> <http://ipa.example.com>"
>> > ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
>> > Cannot connect to the server due to generic error: cannot connect to
>> > 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
>> > Certificate issuer is not recognized.
>> > Installation failed. Rolling back changes.
>> >
>> > Some help?
>>
>> We need more information on your CA chain configuration and what
>> version's of IPA you're using.
>>
>> For example, is your CA a typical IPA self-signed CA or did you sign it
>> with another CA?
>>
>> rob
>
>
> Ipa version:
>
> FreeIPA 4.7
>
> CA isn’t self-signed. I generate Let’s encrypt SSL and make chain CA
> which is imported in IPA.
>
> On all Ubuntu 18.04 works perfect but this Debian 8 jessie don’t support
> native from repo freeipa-client and maybe that is also problem. I found
> some repo for freeipa client
>
> deb http://apt.numeezy.fr jessie main
>
> deb-src http://apt.numeezy.fr jessie main
>
> and I installed from there.
Assuming it picks the latest it means you have 4.6.4.
You might try installing the Let's Encrypt root CA's onto your client
prior to running ipa-client-install.
Otherwise I think we'd need to see /var/log/ipaclient-install.log to see
the CA chain being retrieved. Sounds like it is incomplete but unclear why.
rob