Hi,

On Wed, Nov 2, 2022 at 2:39 PM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
When trying to enroll some IPA clients (RHEL 7.9) I do get the following
error:

Cannot obtain CA certificate
'ldap://pipag01.linux.gleis.at' doesn't have a certificate.
Installation failed. Rolling back changes.

LDAP(S)/HTTP(S) ports are open.

What's going on here? How can I debug further?

From the logs:
2022-11-02T12:30:47Z DEBUG trying to retrieve CA cert via LDAP from
ipa01.linux.mydomain.at
2022-11-02T12:30:47Z DEBUG get_ca_certs_from_ldap() error: option error
2022-11-02T12:30:47Z DEBUG option error
2022-11-02T12:30:47Z ERROR Cannot obtain CA certificate
'ldap://ipa01.linux.mydomain.at' doesn't have a certificate.
2022-11-02T12:30:47Z ERROR Installation failed. Rolling back changes.

The method get_ca_certs_from_ldap is trying to get the CA certs by performing an ldapsearch on the master similar to this one:
ldapsearch -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"

If it fails, it falls back to the old way of storing the CA:
ldapsearch -b cn=cacert,cn=ipa,cn=etc,$BASEDN

The connection is authenticated using GSSAPI, using the credentials provided to ipa-client-install (admin in your case).
You can try to correlate the failure with the access logs on the master (pick the timestamp from ipaclient-install.log and look for the search around the same time on the server in /var/log/dirsrv/slapd-xxx/access). Check if the search found any entry, and if not you can directly look in the LDAP tree. The CA certificate should be stored in an entry cn=<DOMAIN> IPA CA,cn=certificates,cn=ipa,cn=etc,$BASEDN.

If you need help understanding the logs, let's take this example:
[06/Nov/2022:15:49:05.008084651 +0000] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.011591350 +0000] conn=42 op=0 RESULT err=14 tag=97 nentries=0 etime=0.0003626879, SASL bind in progress
[06/Nov/2022:15:49:05.012375581 +0000] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.013416089 +0000] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0001068280, SASL bind in progress
[06/Nov/2022:15:49:05.014049230 +0000] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.014646574 +0000] conn=42 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000622033 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"
[06/Nov/2022:15:49:05.015254256 +0000] conn=42 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaPublicKey ipaCertIssuerSerial ipaKeyExtUsage ipaCertSubject cn cacertificate;binary ipaKeyTrust"
[06/Nov/2022:15:49:05.015752516 +0000] conn=42 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0000574052

I started by looking for a search targeting cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test -> found on line 7. The search is using conn=42 and corresponds to operation op=3. To find the result, look for a line with the same connection number and operation number -> line 8 with conn=42 op=3 RESULT. The result is success (err=0) and found 1 entry (nentries=1).
To find who performed the operation, look for a BIND op with the same connection number happening before the search -> line 5, look for its result (same conn, same op)-> line 6 and find the DN: uid=admin,cn=users,cn=accounts,dc=ipa,dc=test.

HTH,
flo

Cheers,
Ronald
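The correlation flo walks through by hand (find the SRCH on the base DN, match its RESULT by conn/op, walk back to the BIND on the same conn to get the bound DN) is easy to script when the access log is long. The following is an added example, not FreeIPA or 389-ds code. The sample log is constructed for the example: conn=42 is copied from flo's message, and conn=57 is an invented second client whose search on the same base comes back with nentries=0, which is the failure mode to look for when enrollment reports "doesn't have a certificate". The regexes cover only the BIND, SRCH and RESULT line shapes shown above.

```python
"""Correlate 389-ds access-log operations by (conn, op), as described in the
thread.  Added example; not FreeIPA's own code.  The log lines below are
constructed: conn=42 is taken from the message, conn=57 is invented to show a
search that succeeds but returns no entry."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

_HEAD = r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
RE_BIND = re.compile(_HEAD + r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r'(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RE_SRCH = re.compile(_HEAD + r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'filter="(?P<filter>[^"]*)"')
RE_RESULT = re.compile(_HEAD + r'RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) '
                       r'nentries=(?P<nentries>\d+)(?:.* dn="(?P<dn>[^"]*)")?')

CERT_BASE = "cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test"

# Constructed sample log (conn=42 from the message, conn=57 invented).
SAMPLE_LOG = [
    '[06/Nov/2022:15:49:05.008084651 +0000] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[06/Nov/2022:15:49:05.011591350 +0000] conn=42 op=0 RESULT err=14 tag=97 nentries=0 etime=0.0003626879, SASL bind in progress',
    '[06/Nov/2022:15:49:05.012375581 +0000] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[06/Nov/2022:15:49:05.013416089 +0000] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0001068280, SASL bind in progress',
    '[06/Nov/2022:15:49:05.013900000 +0000] conn=57 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[06/Nov/2022:15:49:05.014049230 +0000] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[06/Nov/2022:15:49:05.014100000 +0000] conn=57 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001000000 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"',
    '[06/Nov/2022:15:49:05.014646574 +0000] conn=42 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000622033 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"',
    '[06/Nov/2022:15:49:05.015254256 +0000] conn=42 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaPublicKey ipaCertIssuerSerial ipaKeyExtUsage ipaCertSubject cn cacertificate;binary ipaKeyTrust"',
    '[06/Nov/2022:15:49:05.015300000 +0000] conn=57 op=1 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="cacertificate;binary"',
    '[06/Nov/2022:15:49:05.015752516 +0000] conn=42 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0000574052',
    '[06/Nov/2022:15:49:05.015800000 +0000] conn=57 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000500000',
]


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    bound_dn: Optional[str]          # DN of the last completed bind on this conn
    err: Optional[int] = None        # None until the matching RESULT is seen
    nentries: Optional[int] = None


def correlate(lines: Iterable[str], base_dn: str) -> list:
    """Return every SRCH on base_dn, joined with its RESULT (same conn+op) and
    the DN that last bound successfully on that connection."""
    bound = {}          # conn -> DN of the last bind that completed with err=0
    pending_bind = {}   # (conn, op) -> DN given on the BIND line (empty for SASL)
    searches = {}       # (conn, op) -> Search awaiting its RESULT
    found = []
    for line in lines:
        m = RE_BIND.match(line)
        if m:
            pending_bind[(int(m["conn"]), int(m["op"]))] = m["dn"]
            continue
        m = RE_SRCH.match(line)
        if m:
            conn, op = int(m["conn"]), int(m["op"])
            if m["base"].lower() == base_dn.lower():
                s = Search(conn, op, m["base"], int(m["scope"]), m["filter"], bound.get(conn))
                searches[(conn, op)] = s
                found.append(s)
            continue
        m = RE_RESULT.match(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            if key in pending_bind:
                # err=14 means the SASL handshake is still in progress; only
                # the final err=0 RESULT carries the authenticated DN.
                bind_dn = pending_bind.pop(key)
                if m["err"] == "0":
                    bound[key[0]] = m["dn"] or bind_dn or "anonymous"
            elif key in searches:
                searches[key].err = int(m["err"])
                searches[key].nentries = int(m["nentries"])
    return found


def diagnose(s: Search) -> tuple:
    """Classify a correlated search: ok / empty / error / pending."""
    if s.err is None:
        return ("pending", "no RESULT line for this conn/op (truncated log or still running)")
    if s.err != 0:
        return ("error", f"search returned err={s.err}")
    if s.nentries == 0:
        return ("empty", f"search succeeded but found no entry under {s.base} as {s.bound_dn!r}")
    return ("ok", f"found {s.nentries} entry(ies) as {s.bound_dn!r}")


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG, CERT_BASE):
        status, msg = diagnose(s)
        print(f"conn={s.conn} op={s.op}: {status}: {msg}")
```

Run against a real file with something like correlate(open("/var/log/dirsrv/slapd-EXAMPLE/access"), base) where base is the cn=certificates or the older cn=cacert container. An "empty" verdict with the expected admin DN means the entry itself is missing or not readable by that DN; a "pending" verdict usually means the log rotated between the SRCH and its RESULT.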
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue