Trying to stand up a brand new IPA Server install on a brand new VM.
I am lightly obfuscating some strings out of respect for the client so their domain-name will say 'DOMAIN' in my email.
==========
~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=19.10
DISTRIB_CODENAME=eoan
DISTRIB_DESCRIPTION="Ubuntu 19.10"
==========
~# ipa --version
VERSION: 4.8.1, API_VERSION: 2.233
==========
Having built a number of IPA Servers for various entities in the past, I've already got the requisite setup/prep stuff configured.
- DNS resolution is functioning forward/reverse
- /etc/hosts is set correctly to point to the public IPv4 and IPv6 interface IPs.
- hostname is set to the FQDN.
- time is current and synced before any IPA commands are run
Issuing the following command to kick off the ipa-server-install process:
==========
ipa-server-install --allow-zone-overlap -v -d --setup-dns --mkhomedir --auto-reverse -p XXXXX -a YYYYY --forwarder=2604:ZZZ::AAA -n ipa.DOMAIN.com -r IPA.DOMAIN.COM --hostname=`hostname` --ntp-pool=pool.ntp.org
==========
The server install process proceeds and succeeds up to the point:
==========
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Starting external process
=====
Which is kicking off:
=====
2020-04-15T20:15:46Z DEBUG args=['/usr/sbin/ipa-client-install', '--on-master', '--unattended', '--domain', 'ipa.DOMAIN.com', '--server', 'sfca-do-ipa-1.ipa.DOMAIN.com', '--realm', 'IPA.DOMAIN.COM', '--hostname', 'sfca-do-ipa-1.ipa.DOMAIN.com', '--no-ntp', '--mkhomedir']
=====
The client setup portion fails every single time with the following error:
=====
2020-04-15T20:15:48Z ERROR cannot connect to 'https://sfca-do-ipa-1.ipa.DOMAIN.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)
=====
I've done some searching to see how other people have dealt with Python throwing the CERTIFICATE_VERIFY_FAILED error, but nothing seems to make any difference in telling ipa-client-install to respect the locally issued IPA certs that are read during the setup process. Since some threads mention it helping, I've ensured the python-certifi package is installed and up to date. I've tried toggling between the versions of Python being used [the system default of python2.7 or python3.7]. Even though it should not make any difference, since the client is reading an IPA-generated cert and complaining, I've also rebuilt the /etc/ssl/certs store, since some threads have mentioned this error having some relation to it [update-ca-certificates -f -v].
Any thoughts on how to get past the ipa-client-install section failing on this? This server setup is -so- close to being complete.
Cheers, -Chris
freeipa-users@lists.fedorahosted.org
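The error quoted in the post, "unable to get local issuer certificate", is OpenSSL's X509 error 20: the client built no chain because the certificate's issuer is not in the trust store it was handed. The script below is an added example, not the poster's or FreeIPA's own code. It reproduces the failure with a constructed throwaway CA (names like "Constructed IPA CA" and ipa.example.test are made up), then shows the check to run against the real server: verify the certificate it presents once against the Ubuntu system bundle (/etc/ssl/certs/ca-certificates.crt) and once against the CA file the server installer writes (assumed here to be /etc/ipa/ca.crt, the usual FreeIPA location). It assumes only the openssl command-line tool.

```sh
#!/bin/sh
# Added diagnostic, not part of the original post. Reproduces the
# "unable to get local issuer certificate" failure with a throwaway CA,
# then offers the same check against a live server.
set -eu

# Build a constructed test PKI: one CA, one server cert it signed, and a
# second unrelated CA to stand in for a trust store that lacks the issuer.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed IPA CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ipa.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
}

# Verify a leaf cert against a CA bundle. Prints OK when a chain builds,
# otherwise the short OpenSSL reason. This is the same path-building step
# that Python's ssl module surfaces as CERTIFICATE_VERIFY_FAILED.
verify_leaf() {
  leaf=$1 bundle=$2
  if out=$(openssl verify -CAfile "$bundle" "$leaf" 2>&1); then
    echo OK
    return 0
  fi
  case $out in
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "$out" ;;
  esac
  return 1
}

# Against a live server (hypothetical usage, needs network): fetch the cert it
# presents and verify it with the system bundle and with the IPA CA file.
check_live_server() {
  host=$1 cafile=${2:-/etc/ipa/ca.crt}
  leaf=$(mktemp)
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$leaf"
  printf 'system store: '; verify_leaf "$leaf" /etc/ssl/certs/ca-certificates.crt || true
  printf 'IPA CA file : '; verify_leaf "$leaf" "$cafile" || true
  rm -f "$leaf"
}

# Offline demonstration: run as "sh thisscript.sh demo".
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_test_pki "$tmp"
  verify_leaf "$tmp/server.crt" "$tmp/ca.crt"               # OK
  verify_leaf "$tmp/server.crt" "$tmp/other.crt" || true    # unable to get local issuer certificate
  rm -rf "$tmp"
fi
```

If the live check passes with the IPA CA file but fails with the system store, the certificate itself is fine and the problem is which store the client's Python is consulting; if it fails against both, the server is presenting a certificate that was not issued by the CA in that file.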