5:39 a.m.
Hi Team,
I'm trying to add client with hostname abc.example.com on freeip server(
ipa1.idm.example.com) but on centos 7 it works fine.
All ports are allowed and accessible from client side
Can you please share what the exactly problem is and how it can be fixed ?
TASK [Enroll host to FreeIPA]
**************************************************************************************************************************
failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com) =>
{"ansible_loop_var": "item", "changed": false,
"cmd":
["ipa-client-install", "-U", "-w", "8ekh0Y",
"--mkhomedir", "--hostname", "
sherwin-centos6-test.example.com", "--ntp-server",
"169.254.169.123",
"--domain", "idm.example.com", "--realm",
"IDM.EXAMPLE.COM", "--server", "
ipa1.idm.example.com"], "delta": "0:00:00.202857",
"end": "2020-04-16
10:29:37.411081", "failed_when_result": true, "item":
"ipa1.idm.example.com",
"msg": "non-zero return code", "rc": 1, "start":
"2020-04-16
10:29:37.208224", "stderr": "LDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the
user.\nLDAP Error: Connect error: TLS error -8172:Peer's certificate issuer
has been marked as not trusted by the user.\nFailed to verify that
ipa1.idm.example.com is an IPA Server.\nThis may mean that the remote
server is not up or is not reachable due to network or firewall
settings.\nPlease make sure the following ports are opened in the firewall
settings:\n TCP: 80, 88, 389\n UDP: 88 (at least one of TCP/UDP
ports 88 has to be open)\nAlso note that following ports are necessary for
ipa-client working properly after enrollment:\n TCP: 464\n UDP:
464, 123 (if NTP enabled)\nInstallation failed. Rolling back changes.\nIPA
client is not configured on this system.", "stderr_lines": ["LDAP
Error:
Connect error: TLS error -8172:Peer's certificate issuer has been marked as
not trusted by the user.", "LDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the
user.", "Failed to verify that ipa1.idm.example.com is an IPA Server.",
"This may mean that the remote server is not up or is not reachable due to
network or firewall settings.", "Please make sure the following ports are
opened in the firewall settings:", " TCP: 80, 88, 389", " UDP:
88
(at least one of TCP/UDP ports 88 has to be open)", "Also note that
following ports are necessary for ipa-client working properly after
enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP
enabled)",
"Installation failed. Rolling back changes.", "IPA client is not
configured
on this system."], "stdout": "\u001b[?1034h",
"stdout_lines":
["\u001b[?1034h"]}
7:44 a.m.
Hello,
Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS 7.4+
for it to work.
Rafael
On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Team,
I'm trying to add client with hostname abc.example.com on freeip server(
ipa1.idm.example.com) but on centos 7 it works fine.
All ports are allowed and accessible from client side
Can you please share what the exactly problem is and how it can be fixed ?
TASK [Enroll host to FreeIPA]
**************************************************************************************************************************
failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com) =>
{"ansible_loop_var": "item", "changed": false,
"cmd":
["ipa-client-install", "-U", "-w", "8ekh0Y",
"--mkhomedir", "--hostname", "
sherwin-centos6-test.example.com", "--ntp-server",
"169.254.169.123",
"--domain", "idm.example.com", "--realm",
"IDM.EXAMPLE.COM", "--server", "
ipa1.idm.example.com"], "delta": "0:00:00.202857",
"end": "2020-04-16
10:29:37.411081", "failed_when_result": true, "item": "
ipa1.idm.example.com", "msg": "non-zero return code",
"rc": 1, "start":
"2020-04-16 10:29:37.208224", "stderr": "LDAP Error: Connect
error: TLS
error -8172:Peer's certificate issuer has been marked as not trusted by the
user.\nLDAP Error: Connect error: TLS error -8172:Peer's certificate issuer
has been marked as not trusted by the user.\nFailed to verify that
ipa1.idm.example.com is an IPA Server.\nThis may mean that the remote
server is not up or is not reachable due to network or firewall
settings.\nPlease make sure the following ports are opened in the firewall
settings:\n TCP: 80, 88, 389\n UDP: 88 (at least one of TCP/UDP
ports 88 has to be open)\nAlso note that following ports are necessary for
ipa-client working properly after enrollment:\n TCP: 464\n UDP:
464, 123 (if NTP enabled)\nInstallation failed. Rolling back changes.\nIPA
client is not configured on this system.", "stderr_lines": ["LDAP
Error:
Connect error: TLS error -8172:Peer's certificate issuer has been marked as
not trusted by the user.", "LDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted by the
user.", "Failed to verify that ipa1.idm.example.com is an IPA Server.",
"This may mean that the remote server is not up or is not reachable due to
network or firewall settings.", "Please make sure the following ports are
opened in the firewall settings:", " TCP: 80, 88, 389", "
UDP: 88
(at least one of TCP/UDP ports 88 has to be open)", "Also note that
following ports are necessary for ipa-client working properly after
enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP
enabled)",
"Installation failed. Rolling back changes.", "IPA client is not
configured
on this system."], "stdout": "\u001b[?1034h",
"stdout_lines":
["\u001b[?1034h"]}
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
7:54 a.m.
No its not the role , i'm using command module
ipa-client-install -U -w {{ freeipa_temp_kerberos_password }} --mkhomedir
--hostname {{ freeipa_client_hostname }} --ntp-server {{
ipaclient_ntp_servers }} --domain {{ ipaclient_domain }} --realm {{
ipaclient_realm }} --server {{ servername }}"
On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman <rjeffman(a)redhat.com> wrote:
Hello,
Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS 7.4+
for it to work.
Rafael
On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hi Team,
>
> I'm trying to add client with hostname abc.example.com on freeip server(
> ipa1.idm.example.com) but on centos 7 it works fine.
>
> All ports are allowed and accessible from client side
>
> Can you please share what the exactly problem is and how it can be fixed ?
>
>
> TASK [Enroll host to FreeIPA]
>
**************************************************************************************************************************
>
> failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com)
> => {"ansible_loop_var": "item", "changed": false,
"cmd":
> ["ipa-client-install", "-U", "-w", "8ekh0Y",
"--mkhomedir", "--hostname", "
> sherwin-centos6-test.example.com", "--ntp-server",
"169.254.169.123",
> "--domain", "idm.example.com", "--realm",
"IDM.EXAMPLE.COM", "--server",
> "ipa1.idm.example.com"], "delta": "0:00:00.202857",
"end": "2020-04-16
> 10:29:37.411081", "failed_when_result": true, "item":
"
> ipa1.idm.example.com", "msg": "non-zero return code",
"rc": 1, "start":
> "2020-04-16 10:29:37.208224", "stderr": "LDAP Error: Connect
error: TLS
> error -8172:Peer's certificate issuer has been marked as not trusted by the
> user.\nLDAP Error: Connect error: TLS error -8172:Peer's certificate issuer
> has been marked as not trusted by the user.\nFailed to verify that
> ipa1.idm.example.com is an IPA Server.\nThis may mean that the remote
> server is not up or is not reachable due to network or firewall
> settings.\nPlease make sure the following ports are opened in the firewall
> settings:\n TCP: 80, 88, 389\n UDP: 88 (at least one of TCP/UDP
> ports 88 has to be open)\nAlso note that following ports are necessary for
> ipa-client working properly after enrollment:\n TCP: 464\n UDP:
> 464, 123 (if NTP enabled)\nInstallation failed. Rolling back changes.\nIPA
> client is not configured on this system.", "stderr_lines": ["LDAP
Error:
> Connect error: TLS error -8172:Peer's certificate issuer has been marked as
> not trusted by the user.", "LDAP Error: Connect error: TLS error
> -8172:Peer's certificate issuer has been marked as not trusted by the
> user.", "Failed to verify that ipa1.idm.example.com is an IPA
Server.",
> "This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.", "Please make sure the following ports are
> opened in the firewall settings:", " TCP: 80, 88, 389", "
UDP:
> 88 (at least one of TCP/UDP ports 88 has to be open)", "Also note that
> following ports are necessary for ipa-client working properly after
> enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP
enabled)",
> "Installation failed. Rolling back changes.", "IPA client is not
configured
> on this system."], "stdout": "\u001b[?1034h",
"stdout_lines":
> ["\u001b[?1034h"]}
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
11:50 a.m.
On 4/16/20 2:54 PM, Faraz Younus via FreeIPA-users wrote:
No its not the role , i'm using command module
ipa-client-install -U -w {{ freeipa_temp_kerberos_password }}
--mkhomedir --hostname {{ freeipa_client_hostname }} --ntp-server {{
ipaclient_ntp_servers }} --domain {{ ipaclient_domain }} --realm {{
ipaclient_realm }} --server {{ servername }}"
Hi,
you can access the client installation logs on the machine if you want
to troubleshoot (/var/log/ipaclient-install.log).
From your output we can see:
Connect error: TLS error -8172:Peer's certificate issuer has been marked
as not trusted by the user
Is there an existing /etc/ipa/ca.crt file on the client? If yes, does it
contain your IdM CA cert?
On CentOS 6, ipa client version is 3.x and IIRC the installer does not
support multiple CAs. On the server, does /etc/ipa/ca.crt contain
multiple certs?
flo
On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman
<rjeffman(a)redhat.com
<mailto:rjeffman@redhat.com>> wrote:
Hello,
Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS
7.4+ for it to work.
Rafael
On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
Hi Team,
I'm trying to add client with hostname abc.example.com
<http://abc.example.com> on freeip server(ipa1.idm.example.com
<http://ipa1.idm.example.com>) but on centos 7 it works fine.
All ports are allowed and accessible from client side
Can you please share what the exactly problem is and how it can
be fixed ?
TASK [Enroll host to FreeIPA]
**************************************************************************************************************************
failed: [sherwin-centos6-test.example.com
<http://sherwin-centos6-test.example.com>]
(item=ipa1.idm.example.com <http://ipa1.idm.example.com>) =>
{"ansible_loop_var": "item", "changed": false,
"cmd":
["ipa-client-install", "-U", "-w",
"8ekh0Y", "--mkhomedir",
"--hostname", "sherwin-centos6-test.example.com
<http://sherwin-centos6-test.example.com>";, "--ntp-server",
"169.254.169.123", "--domain", "idm.example.com
<http://idm.example.com>";, "--realm", "IDM.EXAMPLE.COM
<http://IDM.EXAMPLE.COM>";, "--server",
"ipa1.idm.example.com
<http://ipa1.idm.example.com>"], "delta":
"0:00:00.202857",
"end": "2020-04-16 10:29:37.411081",
"failed_when_result": true,
"item": "ipa1.idm.example.com
<http://ipa1.idm.example.com>";,
"msg": "non-zero return code", "rc": 1,
"start": "2020-04-16
10:29:37.208224", "stderr": "LDAP Error: Connect error: TLS
error -8172:Peer's certificate issuer has been marked as not
trusted by the user.\nLDAP Error: Connect error: TLS error
-8172:Peer's certificate issuer has been marked as not trusted
by the user.\nFailed to verify that ipa1.idm.example.com
<http://ipa1.idm.example.com> is an IPA Server.\nThis may mean
that the remote server is not up or is not reachable due to
network or firewall settings.\nPlease make sure the following
ports are opened in the firewall settings:\n TCP: 80, 88, 389\n
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\nAlso
note that following ports are necessary for ipa-client working
properly after enrollment:\n TCP: 464\n UDP: 464, 123 (if NTP
enabled)\nInstallation failed. Rolling back changes.\nIPA client
is not configured on this system.", "stderr_lines": ["LDAP
Error: Connect error: TLS error -8172:Peer's certificate issuer
has been marked as not trusted by the user.", "LDAP Error:
Connect error: TLS error -8172:Peer's certificate issuer has
been marked as not trusted by the user.", "Failed to verify that
ipa1.idm.example.com <http://ipa1.idm.example.com> is an IPA
Server.", "This may mean that the remote server is not up or is
not reachable due to network or firewall settings.", "Please
make sure the following ports are opened in the firewall
settings:", " TCP: 80, 88, 389", " UDP: 88 (at least one of
TCP/UDP ports 88 has to be open)", "Also note that following
ports are necessary for ipa-client working properly after
enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP
enabled)",
"Installation failed. Rolling back changes.", "IPA client is not
configured on this system."], "stdout":
"\u001b[?1034h",
"stdout_lines": ["\u001b[?1034h"]}
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
12:32 a.m.
Thanks Florence !!
I already have one certificate on client server I removed that and it
worked
On Thu, Apr 16, 2020 at 9:50 PM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 4/16/20 2:54 PM, Faraz Younus via FreeIPA-users wrote:
> No its not the role , i'm using command module
>
>
> ipa-client-install -U -w {{ freeipa_temp_kerberos_password }}
> --mkhomedir --hostname {{ freeipa_client_hostname }} --ntp-server {{
> ipaclient_ntp_servers }} --domain {{ ipaclient_domain }} --realm {{
> ipaclient_realm }} --server {{ servername }}"
>
>
Hi,
you can access the client installation logs on the machine if you want
to troubleshoot (/var/log/ipaclient-install.log).
From your output we can see:
Connect error: TLS error -8172:Peer's certificate issuer has been marked
as not trusted by the user
Is there an existing /etc/ipa/ca.crt file on the client? If yes, does it
contain your IdM CA cert?
On CentOS 6, ipa client version is 3.x and IIRC the installer does not
support multiple CAs. On the server, does /etc/ipa/ca.crt contain
multiple certs?
flo
> On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman <rjeffman(a)redhat.com
> <mailto:rjeffman@redhat.com>> wrote:
>
> Hello,
>
> Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS
> 7.4+ for it to work.
>
> Rafael
>
> On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>
> Hi Team,
>
> I'm trying to add client with hostname abc.example.com
> <http://abc.example.com> on freeip server(ipa1.idm.example.com
> <http://ipa1.idm.example.com>) but on centos 7 it works fine.
>
> All ports are allowed and accessible from client side
>
> Can you please share what the exactly problem is and how it can
> be fixed ?
>
>
> TASK [Enroll host to FreeIPA]
>
**************************************************************************************************************************
>
> failed: [sherwin-centos6-test.example.com
> <http://sherwin-centos6-test.example.com>]
> (item=ipa1.idm.example.com <http://ipa1.idm.example.com>) =>
> {"ansible_loop_var": "item", "changed": false,
"cmd":
> ["ipa-client-install", "-U", "-w",
"8ekh0Y", "--mkhomedir",
> "--hostname", "sherwin-centos6-test.example.com
> <http://sherwin-centos6-test.example.com>";,
"--ntp-server",
> "169.254.169.123", "--domain", "idm.example.com
> <http://idm.example.com>";, "--realm",
"IDM.EXAMPLE.COM
> <http://IDM.EXAMPLE.COM>";, "--server",
"ipa1.idm.example.com
> <http://ipa1.idm.example.com>"], "delta":
"0:00:00.202857",
> "end": "2020-04-16 10:29:37.411081",
"failed_when_result": true,
> "item": "ipa1.idm.example.com
<http://ipa1.idm.example.com>";,
> "msg": "non-zero return code", "rc": 1,
"start": "2020-04-16
> 10:29:37.208224", "stderr": "LDAP Error: Connect error:
TLS
> error -8172:Peer's certificate issuer has been marked as not
> trusted by the user.\nLDAP Error: Connect error: TLS error
> -8172:Peer's certificate issuer has been marked as not trusted
> by the user.\nFailed to verify that ipa1.idm.example.com
> <http://ipa1.idm.example.com> is an IPA Server.\nThis may mean
> that the remote server is not up or is not reachable due to
> network or firewall settings.\nPlease make sure the following
> ports are opened in the firewall settings:\n TCP: 80, 88, 389\n
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\nAlso
> note that following ports are necessary for ipa-client working
> properly after enrollment:\n TCP: 464\n UDP: 464, 123 (if NTP
> enabled)\nInstallation failed. Rolling back changes.\nIPA client
> is not configured on this system.", "stderr_lines":
["LDAP
> Error: Connect error: TLS error -8172:Peer's certificate issuer
> has been marked as not trusted by the user.", "LDAP Error:
> Connect error: TLS error -8172:Peer's certificate issuer has
> been marked as not trusted by the user.", "Failed to verify that
> ipa1.idm.example.com <http://ipa1.idm.example.com> is an IPA
> Server.", "This may mean that the remote server is not up or is
> not reachable due to network or firewall settings.", "Please
> make sure the following ports are opened in the firewall
> settings:", " TCP: 80, 88, 389", " UDP: 88 (at least one
of
> TCP/UDP ports 88 has to be open)", "Also note that following
> ports are necessary for ipa-client working properly after
> enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP
enabled)",
> "Installation failed. Rolling back changes.", "IPA client is
not
> configured on this system."], "stdout":
"\u001b[?1034h",
> "stdout_lines": ["\u001b[?1034h"]}
>
>
>
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
>
>
> --
> Rafael Guterres Jeffman
> Senior Software Engineer
> FreeIPA - Red Hat
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
1470
days inactive
1471
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Faraz Younus -
Florence Blanc-Renaud -
Rafael Jeffman