Petar Kozić via FreeIPA-users wrote: 
> Hi folks, 
> one question. 
> These days I am joining my machines to IPA. Almost all machines have Ubuntu
> 18.04. I joined about 10 machines in the last two days. Today I tried to
> join Debian 8 jessie but I have a problem.
> 
> I join all machines with the same command:
> 
> ipa-client-install -U --domain=example.com \
>   --hostname=clientexample.com \
>   --server=ipa.example.com --realm=EXAMPLE.com \
>   --password=XXXxxxXXX --principal=admin --mkhomedir
> 
> On the Debian machine I got this error in the process of joining:
> 
> Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json' 
> cert validation failed for "CN=ipa.example.com"
> ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.) 
> Cannot connect to the server due to generic error: cannot connect to 
> 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's 
> Certificate issuer is not recognized. 
> Installation failed. Rolling back changes. 
> 
> Some help? 

We need more information on your CA chain configuration and what
versions of IPA you're using.

For example, is your CA a typical IPA self-signed CA or did you sign it 
with another CA? 

rob 


Ipa version:

FreeIPA 4.7

The CA isn't self-signed. I generated Let's Encrypt SSL and made a CA chain, which is imported into IPA.

On all Ubuntu 18.04 machines it works perfectly, but this Debian 8 jessie doesn't natively support freeipa-client from the repo, and maybe that is also a problem. I found a repo for the freeipa client:

deb http://apt.numeezy.fr jessie main

deb-src http://apt.numeezy.fr jessie main

and I installed from there.