> Petar Kozić via FreeIPA-users wrote:
> > Hi folks,
> > one question.
> > These days I join my machine into IPA. Almost all machines have Ubuntu
> > 18.04. I joined about 10 machines in the last two days. Today I tried to
> > join Debian 8 jessie but I have a problem.
> >
> > All machines I join with the same command:
> >
> > ipa-client-install -U --domain=example.com
> > --hostname=clientexample.com --server=ipa.example.com --realm=EXAMPLE.com
> > --password=XXXxxxXXX --principal=admin --mkhomedir
> >
> > On the Debian machine I got this error in the process of joining:
> >
> > Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
> > cert validation failed for "CN=ipa.example.com"
> > ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
> > Cannot connect to the server due to generic error: cannot connect to
> > 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
> > Certificate issuer is not recognized.
> > Installation failed. Rolling back changes.
> > Installation failed. Rolling back changes.
> >
> > Some help?
>
> We need more information on your CA chain configuration and what
> versions of IPA you're using.
>
> For example, is your CA a typical IPA self-signed CA or did you sign it
> with another CA?
>
> rob

IPA version:
FreeIPA 4.7
The CA isn’t self-signed. I generate Let’s Encrypt SSL and make a chain CA
which is imported in IPA.
On all Ubuntu 18.04 it works perfectly, but this Debian 8 jessie doesn’t
natively support freeipa-client from the repo, and maybe that is also the
problem. I found a repo for the freeipa client

deb http://apt.numeezy.fr jessie main
deb-src http://apt.numeezy.fr jessie main

and I installed from there.

Assuming it picks the latest, it means you have 4.6.4.
You might try installing the Let's Encrypt root CAs onto your client
prior to running ipa-client-install.
Otherwise I think we'd need to see /var/log/ipaclient-install.log to see
the CA chain being retrieved. Sounds like it is incomplete but unclear why.
rob
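
One way to check for the incomplete chain suspected above before re-running ipa-client-install, as an added example that is not part of the thread: it assumes the `openssl` command-line tool, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the gap in a certificate chain,
# the condition reported as SEC_ERROR_UNKNOWN_ISSUER.
#
# Usage (served.pem and ca-bundle.pem are placeholder names):
#   openssl s_client -connect ipa.example.com:443 -showcerts </dev/null >served.pem
#   missing_issuers served.pem ca-bundle.pem
#   bundle_verifies ca-bundle.pem served.pem && echo "bundle is sufficient"

# missing_issuers FILE...: print each issuer DN that has no certificate with
# that subject DN among the given PEM files, i.e. the CA that still has to be
# installed. Prints nothing when every issuer is present.
missing_issuers() {
    tmp=$(mktemp -d) || return 2
    # Split the concatenated PEM input into one file per certificate.
    cat "$@" | awk -v d="$tmp" \
        '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}'
    [ -e "$tmp/c1.pem" ] || { rm -rf "$tmp"; return 2; }
    for c in "$tmp"/c*.pem; do
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253 |
            sed 's/^subject= *//'
    done > "$tmp/subjects"
    for c in "$tmp"/c*.pem; do
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 |
            sed 's/^issuer= *//')
        # A self-signed root lists itself as issuer, so it is never reported.
        grep -qxF -- "$iss" "$tmp/subjects" || printf '%s\n' "$iss"
    done | sort -u
    rm -rf "$tmp"
}

# bundle_verifies BUNDLE CERT: succeed only if the first certificate in CERT
# validates against BUNDLE alone. The empty -CApath keeps the system trust
# store out of the result, so a CA installed elsewhere cannot mask a gap.
bundle_verifies() {
    empty=$(mktemp -d) || return 2
    openssl verify -CAfile "$1" -CApath "$empty" "$2" >/dev/null 2>&1
    rc=$?
    rmdir "$empty"
    return $rc
}
```
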