Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1011396
If you run ipa-client-install and it fails for some reason after creating /etc/ipa/ca.crt, then it does not remove that file when it tries to clean up after itself before quitting. This results in all subsequent runs failing to auto-discover the server, with a rather cryptic error:

Error checking LDAP: Connect error: TLS error -8157:Certificate extension not found.

It was just impossible to debug this without the very much appreciated help of ab and mkosek in #freeipa.

Suggestions: the 'clean up process' for failed ipa-client-install runs should wipe that file, and perhaps (I don't know enough to know if this makes sense) ipa-client-install should check if that file exists if its auto-discovery process fails, and warn the user that its presence might be the problem.
Added warning message if '/etc/ipa/ca.cert' exists.
master: c49cf95
ipa-3-3: 00a4ad2
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1108209
Metadata Update from @mkosek: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.0 - 2013/10