Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1011399
After dealing with https://bugzilla.redhat.com/show_bug.cgi?id=1011396 , I was finding my ipa-client-install runs failed with this error:

* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining: Unable to communicate securely with peer: requested domain name does not match the server's certificate.

full log at http://fpaste.org/41762/87921/ , till it expires.

It turns out that the problem was in my DNS SRV records. I'm using external DNS (I couldn't come up with a configuration where the freeipa box was a DNS server that really worked great for my weird case) so I had to hand-create the correct records based on the example BIND zone file the ipa-server-install gave me, and what I did wrong was to make the target just 'id' rather than 'id.happyassassin.net' (many thanks to ab on IRC for figuring this out). Docs I found on the SRV format indicated that just the hostname rather than the FQDN was valid, but apparently for freeipa purposes it has to be the FQDN. Correcting the SRV records to point to 'id.happyassassin.net' made it happy.

ab and mkosek think ipa-client-install might be able to catch this issue and print a more helpful error, so I'm filing this bug report to suggest that.
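A pre-flight check of the kind the report suggests, as an added example that is not part of the original ticket or of FreeIPA's own code: it flags SRV targets that are bare hostnames or that match no DNS name in the server certificate before any TLS connection is attempted. The record owner, TTL, port and certificate name list are constructed sample values, and the function names are hypothetical.

```python
# Added example: all SRV records and certificate names below are constructed.

def parse_srv(line):
    """Parse 'owner TTL IN SRV priority weight port target' into a dict."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    return {"owner": fields[0], "priority": int(fields[4]), "weight": int(fields[5]),
            "port": int(fields[6]), "target": fields[7].rstrip(".").lower()}

def name_matches(host, pattern):
    """Match a hostname against one certificate DNS name (left-most '*' only)."""
    host_labels = host.lower().split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # A wildcard covers exactly one label and never a whole top-level domain.
        return len(pat_labels) > 2 and host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels

def check_srv_targets(srv_lines, cert_dns_names):
    """Return (target, problem) pairs for targets that would fail the name check."""
    problems = []
    for line in srv_lines:
        target = parse_srv(line)["target"]
        if "." not in target:
            problems.append((target, "target is a bare hostname, not an FQDN"))
        elif not any(name_matches(target, n) for n in cert_dns_names):
            problems.append((target, "target matches no name in the server certificate"))
    return problems

CERT_DNS_NAMES = ["id.happyassassin.net"]  # constructed: names in the server cert
BAD_SRV = ["_ldap._tcp.happyassassin.net. 86400 IN SRV 0 100 389 id."]
GOOD_SRV = ["_ldap._tcp.happyassassin.net. 86400 IN SRV 0 100 389 id.happyassassin.net."]

if __name__ == "__main__":
    for label, records in (("broken", BAD_SRV), ("fixed", GOOD_SRV)):
        findings = check_srv_targets(records, CERT_DNS_NAMES) or [("-", "ok")]
        for target, problem in findings:
            print(label, target, problem)
```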
Metadata Update from @mkosek: - Issue assigned to someone - Issue set to the milestone: Future Releases
Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)