Petar Kozić via FreeIPA-users wrote:
> Hi folks,
> one question.
> These days I am joining my machines to IPA. Almost all machines have Ubuntu
> 18.04. I joined about 10 machines in the last two days. Today I tried to
> join Debian 8 jessie but I have a problem.
>
> I join all machines with the same command:
>
> ipa-client-install -U --domain=example.com --hostname=clientexample.com
> --server=ipa.example.com --realm=EXAMPLE.com --password=XXXxxxXXX
> --principal=admin --mkhomedir
>
> On the Debian machine I got this error during the join process:
>
> Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
> cert validation failed for "CN=ipa.example.com"
> ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
> Cannot connect to the server due to generic error: cannot connect to
> 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
> Certificate issuer is not recognized.
> Installation failed. Rolling back changes.
>
> Some help?
We need more information on your CA chain configuration and what
versions of IPA you're using.
For example, is your CA a typical IPA self-signed CA or did you sign it
with another CA?
rob
IPA version:
FreeIPA 4.7
The CA isn’t self-signed. I generated Let’s Encrypt SSL and made a chain CA, which is imported into IPA.
On all Ubuntu 18.04 machines it works perfectly, but this Debian 8 jessie doesn’t natively support freeipa-client from the repo, and maybe that is also a problem. I found a repo for the freeipa client:
deb http://apt.numeezy.fr jessie main
deb-src http://apt.numeezy.fr jessie main
and I installed from there.