Trying to stand up a brand new IPA Server install on a brand new VM.

I am lightly obfuscating some strings out of respect for the client so their domain-name will say 'DOMAIN' in my email.

========== ~# cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=19.10 DISTRIB_CODENAME=eoan DISTRIB_DESCRIPTION="Ubuntu 19.10" ========== ~# ipa --version VERSION: 4.8.1, API_VERSION: 2.233 ==========

Having built a number of IPA Servers for various entities in the past, I've already got the requisite setup/prep stuff configured.  - DNS Resolution in functioning forward/reverse - /etc/hosts is set correctly to point to the public IPv4 and IPv6 interface IPs. - hostname is set to fqdn. - time is current and sync'd before any IPA commands are run

Issuing the following command to kick off the ipa-server-install process: ========== ipa-server-install --allow-zone-overlap -v -d --setup-dns --mkhomedir --auto-reverse -p XXXXX -a YYYYY --forwarder=2604:ZZZ::AAA -n ipa.DOMAIN.com -r IPA.DOMAIN.COM --hostname=`hostname` --ntp-pool=pool.ntp.org ==========

The server install process proceeds and succeeds up to the point: ========== [6/7]: creating replica keys [7/7]: configuring ipa-dnskeysyncd to start on boot Starting external process =====

Which is kicking off: ===== 2020-04-15T20:15:46Z DEBUG args=['/usr/sbin/ipa-client-install', '--on-master', '--unattended', '--domain', 'ipa.DOMAIN.com', '--server', 'sfca-do-ipa-1.ipa.DOMAIN.com', '--realm', 'IPA.DOMAIN.COM', '--hostname', 'sfca-do-ipa-1.ipa.DOMAIN.com', '--no-ntp', '--mkhomedir'] =====

The client setup portion fails every single time with the following error: ===== 2020-04-15T20:15:48Z ERROR cannot connect to 'https://sfca-do-ipa-1.ipa.DOMAIN.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076) =====

I've done some searching to see how other people have dealt with python throwing the CERTIFICATE_VERIFY_FAILED error, but nothing seems to make any difference in telling the ipa-client-install to respect the locally issued IPA Certs that are read during the setup process.  Since some threads mention it helping, I've ensured the python-certifi package is installed and up to date.  I've tried toggling between the version of python being used [the system default of python2.7 or python3.7].  Even though it should not make any difference, since the client is reading an IPA generated cert and complaining, but I've also rebuilt the /etc/ssl/certs store since some threads have mentioned this error having some relations [update-ca-certificates -f -v].

Any thoughts on how to get past the ipa-client-install section failing on this?  This server setup is -so- close to being complete.

Cheers, -Chris