Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1262718
Description of problem:
When ipa-client-install --request-cert is run, it fails to retrieve the host certificate.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-9.el7.x86_64
ipa-client-4.2.0-9.el7.x86_64
The same output with RHEL 7.1 client as well: ipa-client-4.1.0-18.el7.x86_64

How reproducible:
Tried once.

Steps to Reproduce:
1. Install IdM server, ipa-server-4.2.0-9.el7.x86_64.
2. On another machine, install IPA client, tried with ipa-client-4.2.0-9.el7.x86_64 and ipa-client-4.1.0-18.el7.x86_64.
3. On the client, run
   ipa-client-install --server ipa.example.test --domain testrelm.test --request-cert

Actual results:
ipa-client-passes but /var/log/ipaclient-install.log says

    2015-09-14T07:44:30Z ERROR certmonger request for host certificate failed

and IdM for that host says

    Host Certificate
    Certificate: No Valid Certificate

Also,

    # certutil -d /etc/ipa/nssdb -L
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    TESTRELM.TEST IPA CA                                         CT,C,C

Expected results:
Based on man ipa-client-install,

    --request-cert
        Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".

So that certutil -L should list "Local IPA host".

Additional info:
First pointed out at https://www.redhat.com/archives/freeipa-users/2015-September/msg00163.html
The issue is in selinux-policy. Kept as a tracking ticket.
Minimum required version of selinux-policy should be updated when the policy is updated.
FreeIPA 4.2.2 was released. Moving to next bug-fixing milestone.
FreeIPA 4.2.3 was released, moving to next bug fixing milestone.
Related Bugzilla was closed.
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2.4