Petar Kozić via FreeIPA-users wrote:
Hi folks,
one question.
These days I am joining my machines to IPA. Almost all machines have Ubuntu
18.04. I joined about 10 machines in the last two days. Today I tried to
join Debian 8 jessie but I have a problem.
I join all machines with the same command:
ipa-client-install -U --domain=example.com --hostname=clientexample.com --server=ipa.example.com --realm=EXAMPLE.com --password=XXXxxxXXX --principal=admin --mkhomedir
On the Debian machine I got this error in the process of joining:
Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
cert validation failed for "CN=ipa.example.com"
((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
Cannot connect to the server due to generic error: cannot connect to
'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
Certificate issuer is not recognized.
Installation failed. Rolling back changes.
Some help?
We need more information on your CA chain configuration and what
versions of IPA you're using.
For example, is your CA a typical IPA self-signed CA or did you sign it
with another CA?
rob
Ipa version:
FreeIPA 4.7
The CA isn’t self-signed. I generated Let’s Encrypt SSL and made a chain CA which
is imported into IPA.
On all Ubuntu 18.04 machines it works perfectly, but this Debian 8 jessie doesn’t
natively support freeipa-client from the repo, and maybe that is also a problem. I found
a repo for the freeipa client
deb http://apt.numeezy.fr jessie main
deb-src http://apt.numeezy.fr jessie main
and I installed from there.