Trying to stand up a brand new IPA Server install on a brand new VM.
I am lightly obfuscating some strings out of respect for the client, so
their domain name will say 'DOMAIN' in my email.
==========
~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=19.10
DISTRIB_CODENAME=eoan
DISTRIB_DESCRIPTION="Ubuntu 19.10"
==========
~# ipa --version
VERSION: 4.8.1, API_VERSION: 2.233
==========
Having built a number of IPA Servers for various entities in the past,
I've already got the requisite setup/prep stuff configured.
- DNS resolution is functioning, forward and reverse.
- /etc/hosts is set correctly to point to the public IPv4 and IPv6
interface IPs.
- Hostname is set to the FQDN.
- Time is current and synced before any IPA commands are run.
Issuing the following command to kick off the ipa-server-install process:
==========
ipa-server-install --allow-zone-overlap -v -d --setup-dns --mkhomedir \
    --auto-reverse -p XXXXX -a YYYYY --forwarder=2604:ZZZ::AAA \
    -n ipa.DOMAIN.com -r IPA.DOMAIN.COM --hostname=`hostname` \
    --ntp-pool=pool.ntp.org
==========
The server install process proceeds and succeeds up to the point:
==========
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Starting external process
=====
Which is kicking off:
=====
2020-04-15T20:15:46Z DEBUG args=['/usr/sbin/ipa-client-install',
'--on-master', '--unattended', '--domain',
'ipa.DOMAIN.com', '--server',
'sfca-do-ipa-1.ipa.DOMAIN.com', '--realm', 'IPA.DOMAIN.COM',
'--hostname', 'sfca-do-ipa-1.ipa.DOMAIN.com', '--no-ntp',
'--mkhomedir']
=====
The client setup portion fails every single time with the following error:
=====
2020-04-15T20:15:48Z ERROR cannot connect to
'https://sfca-do-ipa-1.ipa.DOMAIN.com/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get
local issuer certificate (_ssl.c:1076)
=====
I've done some searching to see how other people have dealt with python
throwing the CERTIFICATE_VERIFY_FAILED error, but nothing seems to make
any difference in telling the ipa-client-install to respect the locally
issued IPA Certs that are read during the setup process. Since some
threads mention it helping, I've ensured the python-certifi package is
installed and up to date. I've tried toggling between the versions of
python being used [the system default of python2.7 or python3.7]. Even
though it should not make any difference, since the client is reading an
IPA-generated cert and complaining, I've also rebuilt the
/etc/ssl/certs store, since some threads have mentioned this error having
some relation to it [update-ca-certificates -f -v].
Any thoughts on how to get past the ipa-client-install section failing
on this? This server setup is -so- close to being complete.
Cheers,
-Chris
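Added example, not part of Chris's message and not FreeIPA's own code. Python's ssl module is a wrapper around OpenSSL, and "unable to get local issuer certificate" is OpenSSL's verify error 20: the verifier walked up from the server certificate and could not find the issuing CA in the store it was consulting. The script below builds a throwaway CA and one server certificate signed by it (all names constructed), then verifies that certificate twice, once with the issuing CA bundle supplied and once against the system store only, so the two outcomes can be compared side by side. The paths, the subject names and the DNS name ipa-1.example.test are assumptions for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeIPA): reproduce
# OpenSSL's "unable to get local issuer certificate" with a constructed PKI
# and show that the same certificate verifies once the issuing CA is given.

# Build the throwaway PKI in directory $1: ca.crt/ca.key and a
# server.crt/server.key issued by that CA. Names are constructed.
make_test_pki() {
    dir="$1"
    # Minimal OpenSSL config so the result does not depend on the
    # distribution's default openssl.cnf.
    cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extensions for the server certificate (hypothetical host name).
    cat >"$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ipa-1.example.test
EOF
    openssl req -x509 -new -config "$dir/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed IPA CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -config "$dir/req.cnf" \
        -newkey rsa:2048 -nodes -subj "/CN=ipa-1.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Verify certificate $2 against CA bundle $1, or against the system trust
# store when $1 is empty. Prints "trusted" and returns 0 on success;
# otherwise prints OpenSSL's verification output and returns 1.
check_chain() {
    cafile="$1"
    cert="$2"
    if [ -n "$cafile" ]; then
        set -- -CAfile "$cafile"
    else
        set --
    fi
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo "trusted"
        return 0
    fi
    echo "$out"
    return 1
}

# Stand-alone demonstration: same certificate, two trust stores.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "with issuing CA bundle: $(check_chain "$work/ca.crt" "$work/server.crt")"
    echo "with system store only:"
    check_chain "" "$work/server.crt" || true
    rm -rf "$work"
}

demo
```

Against a real server the same distinction can be drawn with `openssl s_client -connect <server>:443 -CAfile /etc/ipa/ca.crt` versus the same command without `-CAfile`; the "Verify return code" line at the end tells you whether the chain closes with the IPA CA bundle, with the system store, or with neither.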