While building a new freeipa server in AWS I got this error:

2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

I did some research and found this is possibly related to version 4.5.0? I have a host entry in /etc/hosts but that didn't seem to fix the problem. Is there something else I'm missing? Do you know when 4.6.x will be released to epel/amazon?

Thank you,
Andrew
Andrew Meyer via FreeIPA-users wrote:
While building a new freeipa server in AWS I got this error:
2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE)
2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I did some research and found this is possibly related to version 4.5.0?
Probably not. Run getcert list to hopefully get more context to the error.
I have a host entry in /etc/hosts but that didn't seem to fix the problem. Is there something else I'm missing?
Do you know when 4.6.x will be released to epel/amazon?
The usual cause for version lag in RHEL is missing dependencies. Many important changes are backported so in RHEL you can never really rely on the version.
rob
[ec2-user@freeipa01 ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180302161736':
	status: CA_UNREACHABLE
	ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer:
	subject:
	expires: unknown
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
[ec2-user@freeipa01 ~]$
What distro are you running? Is curl linked with NSS or OpenSSL?
rob
It's Amazon Linux 2. I also suspect it's because FreeIPA is not authoritative for the zone, which will throw things off. Mgmt would like to use the .com zone but have R53 manage it.
Andrew Meyer via FreeIPA-users wrote:
It's Amazon Linux 2.
You didn't fully answer the question.
Someone just yesterday on IRC was having problems with 4.5 in Amazon Linux and it was failing due to the fact that the linkage of libcurl was incorrect. For the IPA RHEL bits to work it needs to be linked against NSS, not OpenSSL.
I also suspect it's because FreeIPA is not authoritative for the zone, which will throw things off. Mgmt would like to use the .com zone but have R53 manage it.
I don't think this is it. It isn't complaining about not being able to read the server but that it is having issues with its certificate.
rob
Unfortunately I don't know if it's linked with OpenSSL or NSS. How would I tell? Is it a symlink?
Andrew Meyer via FreeIPA-users wrote:
Unfortunately I don't know if it's linked with OpenSSL or NSS. How would I tell? Is it a symlink?
curl -V
[ec2-user@freeipa01 ~]$ curl -V
curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink
[ec2-user@freeipa01 ~]$
It is linked against OpenSSL which won't work with IPA 4.5.x.
You'll need to use a different distro.
rob
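The two checks Rob walks Andrew through above (read the TLS backend off the first line of `curl -V`, and look at what certmonger reports in `getcert list`) can be scripted so the answer does not depend on eyeballing the output. The helper below is an added example written for this thread, not code from the thread or from the FreeIPA project; the function names are its own, the NSS-style `curl -V` sample is constructed to show the other branch, and the OpenSSL sample and the stuck request are the ones Andrew posted.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the thread or from FreeIPA):
# classify libcurl's TLS backend from the text of `curl -V`, and list the
# certmonger requests that `getcert list` reports as CA_UNREACHABLE.

# Print the TLS library named on the "libcurl/<ver> <TLS>/<ver>" line of
# `curl -V` output read from stdin, or "unknown" if none is recognised.
curl_tls_backend() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "/")
                if (n == 2 && kv[1] ~ /^(OpenSSL|NSS|GnuTLS|LibreSSL|BoringSSL|wolfSSL)$/) {
                    print kv[1]; found = 1; exit
                }
            }
        }
        END { if (!found) print "unknown" }
    '
}

# Exit 0 when the backend read from stdin is NSS, which is what the thread
# says the IPA 4.5.x RHEL packages need; exit 1 otherwise.
ipa_curl_compatible() {
    [ "$(curl_tls_backend)" = "NSS" ]
}

# Read `getcert list` output from stdin and print "<request id><TAB><ca-error>"
# for every request whose status is CA_UNREACHABLE.
getcert_unreachable() {
    awk '
        /^Request ID/ { id = $3; gsub(/[^0-9]/, "", id); status = "" }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*ca-error:/ && status == "CA_UNREACHABLE" {
            sub(/^[ \t]*ca-error:[ \t]*/, "")
            print id "\t" $0
        }
    '
}

# Sample 1: the `curl -V` output Andrew posted (OpenSSL-linked curl).
SAMPLE_CURL_OPENSSL=$(cat <<'EOF'
curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink
EOF
)

# Sample 2: constructed output in the shape of an NSS-linked curl (not from the thread).
SAMPLE_CURL_NSS=$(cat <<'EOF'
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.34 zlib/1.2.7 libidn/1.18 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-API IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
EOF
)

# Sample 3: the stuck RA-agent request from Andrew's `getcert list` (trimmed).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20180302161736':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    track: yes
    auto-renew: yes
EOF
)

# Stand-alone demo over the embedded samples only; no live commands are run.
for sample in "$SAMPLE_CURL_OPENSSL" "$SAMPLE_CURL_NSS"; do
    backend=$(printf '%s\n' "$sample" | curl_tls_backend)
    if printf '%s\n' "$sample" | ipa_curl_compatible; then
        printf 'libcurl backend %s: usable with the IPA 4.5.x RHEL bits\n' "$backend"
    else
        printf 'libcurl backend %s: NOT usable with the IPA 4.5.x RHEL bits\n' "$backend"
    fi
done
printf '%s\n' "$SAMPLE_GETCERT" | getcert_unreachable
```

On a live host the same functions read real output: `curl -V | curl_tls_backend` and `sudo getcert list | getcert_unreachable`. The second check is worth keeping around even after the curl question is settled, because a request in CA_UNREACHABLE with "Problem with the local SSL certificate" (curl's error 58) points at the client side of the connection, which is exactly why Rob rules out the DNS zone theory: the CA was reached, but the RA agent certificate could not be used.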
On Friday, March 2, 2018 3:07 PM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Andrew Meyer via FreeIPA-users wrote:
Unfortunately I don't know if its linked with OpenSSL or NSS. How would I tell? Is it a symlink?
curl -V
On Friday, March 2, 2018 1:32 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
Its Amazon Linux 2.
You didn't fully answer the question.
Someone just yesterday on IRC was having problems with 4.5 in Amazon Linux and it was failing due to fact that the linkage of libcurl incorrect. For the IPA RHEL bits to work it needs to be linked against NSS, not OpenSSL.
I also suspect its because FreeIPA is not authoritative for the zone. Which will throw things off. Mgmt would like to use the .com zone but have R53 manage it.
I don't think this is it. It isn't complaining about not being able to read the server but that it is having issues with its certificate.
rob
On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org>> wrote:
Andrew Meyer via FreeIPA-users wrote:
[ec2-user@freeipa01 mailto:ec2-user@freeipa01
<mailto:ec2-user@freeipa01 mailto:ec2-user@freeipa01>
<mailto:ec2-user@freeipa01 mailto:ec2-user@freeipa01
<mailto:ec2-user@freeipa01 mailto:ec2-user@freeipa01>> ~]$ sudo getcert
list
Number of certificates and requests being tracked: 1. Request ID '20180302161736': status: CA_UNREACHABLE ca-error: Error 58 connecting to
https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview:
Problem with the local SSL certificate. stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: subject: expires: unknown pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes [ec2-user@freeipa01 mailto:ec2-user@freeipa01
<mailto:ec2-user@freeipa01 mailto:ec2-user@freeipa01>
<mailto:ec2-user@freeipa01 mailto:ec2-user@freeipa01
<mailto:ec2-user@freeipa01 mailto:ec2-user@freeipa01>> ~]$
What distro are you running? Is curl linked with NSS or OpenSSL?
rob
On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org
mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
Andrew Meyer via FreeIPA-users wrote:
While building a new freeipa server in AWS I got this error: 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE) 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE) 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I did some research and found this is possibly related to version
4.5.0?
Probably not. Run getcert-list to hopefully get more context to the
error.
I have a host entry in /etc/hosts but that didn't seem to fix the problem. Is there something else I'm missing?
Do you know when 4.6.x will be released to epel/amazon?
The usual cause for version lag in RHEL is missing dependencies. Many important changes are backported so in RHEL you can never really rely on the version.
rob
Somehow it works as a client machine and then can be promoted to a replica.
On Friday, March 2, 2018 4:51 PM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Andrew Meyer wrote:
[ec2-user@freeipa01 ~]$ curl -V
curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink
[ec2-user@freeipa01 ~]$
It is linked against OpenSSL which won't work with IPA 4.5.x.
You'll need to use a different distro.
rob
On Friday, March 2, 2018 3:07 PM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Andrew Meyer via FreeIPA-users wrote:
Unfortunately I don't know if it's linked with OpenSSL or NSS. How would I tell? Is it a symlink?
curl -V
On Friday, March 2, 2018 1:32 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
It's Amazon Linux 2.
You didn't fully answer the question.
Someone just yesterday on IRC was having problems with 4.5 in Amazon Linux and it was failing due to the fact that the linkage of libcurl was incorrect. For the IPA RHEL bits to work it needs to be linked against NSS, not OpenSSL.
I also suspect it's because FreeIPA is not authoritative for the zone. Which will throw things off. Mgmt would like to use the .com zone but have R53 manage it.
I don't think this is it. It isn't complaining about not being able to read the server but that it is having issues with its certificate.
rob
On Friday, March 2, 2018 10:32 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
[ec2-user@freeipa01 ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180302161736':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer:
        subject:
        expires: unknown
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
[ec2-user@freeipa01 ~]$
What distro are you running? Is curl linked with NSS or OpenSSL?
rob
On Thursday, March 1, 2018 3:29 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Andrew Meyer via FreeIPA-users wrote:
While building a new freeipa server in AWS I got this error: 2018-03-01T18:15:49Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE) 2018-03-01T18:15:49Z ERROR Certificate issuance failed (CA_UNREACHABLE) 2018-03-01T18:15:49Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I did some research and found this is possibly related to version 4.5.0?
Probably not. Run getcert-list to hopefully get more context to the error.
I have a host entry in /etc/hosts but that didn't seem to fix the problem. Is there something else I'm missing?
Do you know when 4.6.x will be released to epel/amazon?
The usual cause for version lag in RHEL is missing dependencies. Many important changes are backported so in RHEL you can never really rely on the version.
rob
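An added preflight script (not from this thread or from the FreeIPA project) that covers the two diagnostics Rob asked for: it reads the TLS backend out of `curl -V` and lists certmonger requests from `getcert list` that are not in MONITORING state. The sample inputs are the outputs quoted above plus a constructed NSS-built curl line and a constructed healthy request.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for the libcurl
# TLS backend and for certmonger requests stuck outside MONITORING.
# curl error 58 is CURLE_SSL_CERTPROBLEM: libcurl could not use the local
# client certificate, which for IPA is the RA agent cert under /var/lib/ipa.

# Print the TLS backend name (NSS, OpenSSL, GnuTLS, ...) from `curl -V`
# output read on stdin. The TLS library is the token right after
# libcurl/<version> on the first line. MultiSSL builds wrap several
# backends in parentheses; the first one listed is reported.
curl_tls_backend() {
    head -n 1 | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^libcurl\//) {
                t = $(i + 1)
                sub(/^\(/, "", t)       # drop MultiSSL opening parenthesis
                split(t, parts, "/")    # OpenSSL/1.0.2k -> OpenSSL
                print parts[1]
                exit
            }
        }
    }'
}

# Read `getcert list` output on stdin and print one line per request whose
# status is not MONITORING: "<request id> <status> <ca-error or ->".
getcert_unhealthy() {
    awk '
        function flush() {
            if (id != "" && st != "MONITORING")
                print id, st, (err == "" ? "-" : err)
            id = ""; st = ""; err = ""
        }
        # The id on a Request ID line is wrapped in single quotes and
        # followed by a colon; substr strips those three characters.
        /^Request ID/       { flush(); id = $3; id = substr(id, 2, length(id) - 3) }
        /^[ \t]*status:/    { st = $2 }
        /^[ \t]*ca-error:/  { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
        END { flush() }
    '
}

# Constructed sample inputs: the OpenSSL curl line and the first request are
# copied from the thread; the NSS curl line and the healthy request are made up.
SAMPLE_CURL_V='curl 7.55.1 (x86_64-koji-linux-gnu) libcurl/7.55.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.25.0
Release-Date: 2017-08-14'
SAMPLE_CURL_V_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.34 zlib/1.2.7 libidn/1.28'
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20180302161736':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://freeipa01.east.ipa.gatewayblend.com:8443/ca/agent/ca//profileReview: Problem with the local SSL certificate.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: unknown
        track: yes
        auto-renew: yes
Request ID 'example-healthy':
        status: MONITORING
        stuck: no
        CA: IPA
        expires: 2019-03-02 16:17:36 UTC
        track: yes
        auto-renew: yes
EOF
)

# Run against the live host with: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "libcurl TLS backend: $(curl -V | curl_tls_backend)"
    echo "certmonger requests not in MONITORING:"
    getcert list | getcert_unhealthy
fi
```

On the host from the thread the first check prints OpenSSL, which is the condition Rob identifies as incompatible with the IPA 4.5.x RHEL bits, and the second reproduces the CA_UNREACHABLE request with its Error 58 text.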
On Mon, 05 Mar 2018, Andrew Meyer via FreeIPA-users wrote:
Somehow it works as a client machine and then can be promoted to a replica.
If you are really interested in getting Amazon Linux supported with FreeIPA, I'm afraid you are looking at the wrong venue for support.
Any issues like this need to be raised with the Amazon Linux support team. If they choose to fix them, they would come with fixes upstream, if needed. So far, what we see are actual bugs in their packaging. Or, perhaps, neglect of the needs of FreeIPA, since Amazon Linux for a long time did not care about being an IPA client or server.
FreeIPA is an integration project, with a lot of work to be done on the OS distribution side. You might not realise or see the majority of this work, but it is something that 1) has to happen, 2) happens anyway, 3) is not really visualized other than by watching for changes in hundreds of related packages in a particular distribution. Coordinating these changes across a single distribution is hard enough. Coordinating them in a distribution without a known contribution process is impossible.
This is said with my FreeIPA hat on. I'd really love to see other distributions gain better FreeIPA support but, frankly, until whoever is interested in the use and promotion of those distributions invests their time and resources, chances aren't high that there will not be a bumpy road for their users.
Amazon says that bug reports, feature requests, and everything else related to Amazon Linux use and development should come through https://forums.aws.amazon.com/forum.jspa?forumID=30