ipa-client-2.1.3-5.el5_9.2
ipa : ERROR Cannot obtain CA certificate 'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Current workaround is:
wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt
From the client install log:
2013-02-19T02:01:37Z DEBUG args=kinit ipa-bind@EXAMPLE.COM
2013-02-19T02:01:37Z DEBUG stdout=Password for ipa-bind@EXAMPLE.COM:
2013-02-19T02:01:37Z DEBUG stderr=
2013-02-19T02:01:37Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa1.example.com
2013-02-19T02:01:37Z DEBUG get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)
2013-02-19T02:01:37Z DEBUG {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COM@EXAMPLE.COM not found in Kerberos database)', 'desc': 'Local error'}
2013-02-19T02:01:37Z ERROR Cannot obtain CA certificate 'ldap://ipa1.example.com' doesn't have a certificate.
2013-02-19T02:01:37Z DEBUG args=kdestroy
2013-02-19T02:01:37Z DEBUG stdout=
2013-02-19T02:01:37Z DEBUG stderr=
May be related to ticket 3477
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=947889
Closing as this doesn't affect upstream.
The plugin to update the CA was fixed in master in ticket https://fedorahosted.org/freeipa/ticket/3477
Rename component.
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)