Thanks Florence!!
I already had one certificate on the client server; I removed that and it
worked.
On Thu, Apr 16, 2020 at 9:50 PM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 4/16/20 2:54 PM, Faraz Younus via FreeIPA-users wrote:
> No, it's not the role, I'm using the command module
>
>
> ipa-client-install -U -w {{ freeipa_temp_kerberos_password }}
> --mkhomedir --hostname {{ freeipa_client_hostname }}
> --ntp-server {{ ipaclient_ntp_servers }} --domain {{ ipaclient_domain }}
> --realm {{ ipaclient_realm }} --server {{ servername }}
>
>
Hi,
you can access the client installation logs on the machine if you want
to troubleshoot (/var/log/ipaclient-install.log).
From your output we can see:
Connect error: TLS error -8172:Peer's certificate issuer has been marked
as not trusted by the user
Is there an existing /etc/ipa/ca.crt file on the client? If yes, does it
contain your IdM CA cert?
On CentOS 6, ipa client version is 3.x and IIRC the installer does not
support multiple CAs. On the server, does /etc/ipa/ca.crt contain
multiple certs?
flo
> On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman <rjeffman(a)redhat.com> wrote:
>
> Hello,
>
> Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS
> 7.4+ for it to work.
>
> Rafael
>
> On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi Team,
>
> I'm trying to add client with hostname abc.example.com on freeipa
> server (ipa1.idm.example.com) but on centos 7 it works fine.
>
> All ports are allowed and accessible from client side
>
> Can you please share what exactly the problem is and how it can
> be fixed?
>
>
> TASK [Enroll host to FreeIPA] ****************************************************
>
> failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com) =>
> {"ansible_loop_var": "item", "changed": false,
> "cmd": ["ipa-client-install", "-U", "-w", "8ekh0Y", "--mkhomedir",
> "--hostname", "sherwin-centos6-test.example.com", "--ntp-server",
> "169.254.169.123", "--domain", "idm.example.com", "--realm",
> "IDM.EXAMPLE.COM", "--server", "ipa1.idm.example.com"],
> "delta": "0:00:00.202857", "end": "2020-04-16 10:29:37.411081",
> "failed_when_result": true, "item": "ipa1.idm.example.com",
> "msg": "non-zero return code", "rc": 1, "start": "2020-04-16 10:29:37.208224",
> "stderr": "LDAP Error: Connect error: TLS error -8172:Peer's certificate
> issuer has been marked as not trusted by the user.\nLDAP Error: Connect
> error: TLS error -8172:Peer's certificate issuer has been marked as not
> trusted by the user.\nFailed to verify that ipa1.idm.example.com is an IPA
> Server.\nThis may mean that the remote server is not up or is not reachable
> due to network or firewall settings.\nPlease make sure the following ports
> are opened in the firewall settings:\n TCP: 80, 88, 389\n UDP: 88 (at least
> one of TCP/UDP ports 88 has to be open)\nAlso note that following ports are
> necessary for ipa-client working properly after enrollment:\n TCP: 464\n
> UDP: 464, 123 (if NTP enabled)\nInstallation failed. Rolling back
> changes.\nIPA client is not configured on this system.",
> "stderr_lines": ["LDAP Error: Connect error: TLS error -8172:Peer's
> certificate issuer has been marked as not trusted by the user.", "LDAP
> Error: Connect error: TLS error -8172:Peer's certificate issuer has been
> marked as not trusted by the user.", "Failed to verify that
> ipa1.idm.example.com is an IPA Server.", "This may mean that the remote
> server is not up or is not reachable due to network or firewall settings.",
> "Please make sure the following ports are opened in the firewall
> settings:", " TCP: 80, 88, 389", " UDP: 88 (at least one of TCP/UDP ports
> 88 has to be open)", "Also note that following ports are necessary for
> ipa-client working properly after enrollment:", " TCP: 464", " UDP: 464,
> 123 (if NTP enabled)", "Installation failed. Rolling back changes.", "IPA
> client is not configured on this system."],
> "stdout": "\u001b[?1034h", "stdout_lines": ["\u001b[?1034h"]}
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
>
>
> --
> Rafael Guterres Jeffman
> Senior Software Engineer
> FreeIPA - Red Hat
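The thread resolves to Florence's three questions (is there an existing /etc/ipa/ca.crt on the client, does it contain the IdM CA, does it contain more than one certificate) and Faraz's fix (a leftover certificate file on the client, removed before re-running the installer). The script below is an added example, not code from FreeIPA, ansible-freeipa or anyone in the thread: it answers those questions for a client bundle against the CA certificate fetched from the server, so a stale or multi-CA bundle is caught before ipa-client-install fails with TLS error -8172. File paths are parameters; the demo at the bottom uses constructed, non-functional PEM bodies so it runs without real certificates.

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA's own tooling). Pre-checks the
# client's CA bundle (normally /etc/ipa/ca.crt) against the CA certificate
# published by the IdM server before enrolling the client.

# Number of certificates in a PEM bundle; 0 when the file is absent.
count_pem_certs() {   # count_pem_certs FILE
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Base64 body of the Nth certificate in a bundle with whitespace removed, so
# the same certificate compares equal regardless of how its lines are wrapped.
pem_body() {   # pem_body FILE N
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1; next }
        /^-----END CERTIFICATE-----/   { inside = 0; next }
        inside && n == want            { printf "%s", $0 }
    ' "$1"
}

# "present" if the client bundle holds the server's CA cert, else "missing".
bundle_contains() {   # bundle_contains CLIENT_BUNDLE SERVER_CA
    bc_server=$(pem_body "$2" 1)
    bc_n=$(count_pem_certs "$1")
    bc_i=1
    while [ "$bc_i" -le "$bc_n" ]; do
        if [ "$(pem_body "$1" "$bc_i")" = "$bc_server" ]; then
            echo present
            return 0
        fi
        bc_i=$((bc_i + 1))
    done
    echo missing
}

# Verdict for the client bundle: absent | ok | stale | multiple.
# "stale" is the situation in the thread: a leftover ca.crt that does not
# carry the current IdM CA, so the server's issuer is not trusted.
# "multiple" is flagged because, as noted above, the IPA 3.x client
# installer on CentOS 6 does not handle a bundle with several CAs.
check_client_ca() {   # check_client_ca CLIENT_BUNDLE SERVER_CA
    cc_n=$(count_pem_certs "$1")
    if [ "$cc_n" -eq 0 ]; then
        echo absent
    elif [ "$cc_n" -gt 1 ]; then
        echo multiple
    elif [ "$(bundle_contains "$1" "$2")" = present ]; then
        echo ok
    else
        echo stale
    fi
}

# Demo on constructed files: the PEM bodies are placeholders, not real
# certificates, which is enough for the textual comparison above.
demo() {
    d=$(mktemp -d)
    cat > "$d/server-ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSURNLUNB
Q1VSUkVOVA==
-----END CERTIFICATE-----
EOF
    cat > "$d/stale-client-ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtT0xELUNB
-----END CERTIFICATE-----
EOF
    for f in missing.crt stale-client-ca.crt server-ca.crt; do
        printf '%-22s -> %s\n' "$f" "$(check_client_ca "$d/$f" "$d/server-ca.crt")"
    done
    rm -rf "$d"
}
demo
```

On a real client, pass /etc/ipa/ca.crt as the first argument and a copy of the server's /etc/ipa/ca.crt as the second. A "stale" verdict is the case from the thread: move the old file aside and re-run ipa-client-install, as Faraz did. A "multiple" verdict on a CentOS 6 client points at the multi-CA limitation Florence mentions, and is worth resolving on the server side before retrying the enrollment.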