https://bugzilla.redhat.com/show_bug.cgi?id=880537 (freeIPA)
Description of problem: I found a problem with joining ipa-client v2.1 to ipa-server v2.2. If ipa-server was installed with --external-ca I cannot connect CentOS/RHEL 5.x clients to the server because:

    # ipa-client-install --domain=MYDOMAIN --server=ipa1.MYDOMAIN --realm=MYDOMAIN -p admin -W --mkhomedir
    root : ERROR LDAP Error: Connect error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Failed to verify that ipa1.MYDOMAIN is an IPA Server.
    This may mean that the remote server is not up or is not reachable due to network or firewall settings.
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.

where ipa1.MYDOMAIN is ipa-server v2.2 on CentOS 6. Joining CentOS 6/RHEL 6 systems works fine. I've tested joining a test IPA server without external CA certification and everything works fine on ipa-client 2.1.3 CentOS 5/RHEL 5.

Version-Release number of selected component (if applicable):
Server: CentOS 6.3, ipa-server 2.2.0 release 16.el6
Client: CentOS 5.8, ipa-client 2.1.3 release 2.el5_8
The CA as distributed by IPA does not include the entire chain. This appears to be necessary for the RHEL-5 LDAP client.
A workaround is to add the external chain to /usr/share/ipa/html/ca.crt. This is the PEM file that is distributed during installation. I don't know if the order within the file matters, but I tested with the IPA CA as the last certificate listed.
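The chain problem and the workaround from the comment above, as an added example that is not part of the ticket: it builds a constructed external root -> IPA CA -> server certificate chain and shows that a ca.crt bundle holding only the (non-self-signed) IPA CA cannot be validated, while the same bundle with the external chain appended can. It assumes `openssl` is on PATH; every subject name and file name here is a constructed placeholder, and MYDOMAIN/ipa1.MYDOMAIN are the placeholders from the report.

```shell
#!/bin/sh
# Added example (not from the ticket): compares two ca.crt bundles for the
# constructed chain external root -> IPA CA -> LDAP server certificate.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
cd "$WORK"
Q="-nodes -newkey rsa:2048"

# Constructed external root CA (the CA that signs the IPA CA under --external-ca).
openssl req -x509 $Q -keyout root.key -out root.crt -days 3650 \
    -subj "/CN=External Root CA" 2>/dev/null

# Constructed IPA CA, signed by the external root instead of being self-signed.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl req $Q -keyout ipa.key -out ipa.csr -subj "/O=MYDOMAIN/CN=Certificate Authority" 2>/dev/null
openssl x509 -req -in ipa.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 1825 -out ipa.crt 2>/dev/null

# Constructed LDAP server certificate issued by the IPA CA.
openssl req $Q -keyout srv.key -out srv.csr -subj "/CN=ipa1.MYDOMAIN" 2>/dev/null
openssl x509 -req -in srv.csr -CA ipa.crt -CAkey ipa.key -CAcreateserial \
    -days 365 -out srv.crt 2>/dev/null

# Two candidate ca.crt bundles: the IPA CA alone (what the client received) and
# the workaround from the comment (external chain appended, IPA CA listed last).
cp ipa.crt ca_only.crt
cat root.crt ipa.crt >ca_full.crt

# bundle_verifies BUNDLE: exit 0 if srv.crt chains to a self-signed root in BUNDLE.
# A trust store holding only the non-self-signed IPA CA stops at "unable to get
# issuer certificate", i.e. the server certificate cannot be verified.
bundle_verifies() {
    openssl verify -CAfile "$1" srv.crt >/dev/null 2>&1
}

# describe BUNDLE: prints "BUNDLE: ok" or "BUNDLE: fail" for side-by-side comparison.
describe() {
    if bundle_verifies "$1"; then echo "$1: ok"; else echo "$1: fail"; fi
}

describe ca_only.crt   # fail: chain ends at an intermediate, no trusted root
describe ca_full.crt   # ok: the appended external root completes the chain
```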
Rename component.
Related to #3668.
This error is not known to happen with supported FreeIPA/IdM versions (3.3.x or later). I am thus closing this bug. Please feel free to reopen it if you can reproduce this bug with current FreeIPA/IdM versions.
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: Future Releases