Hi Team,
I'm trying to add a client with hostname abc.example.com on the FreeIPA server (ipa1.idm.example.com), but on CentOS 7 it works fine.
All ports are allowed and accessible from the client side.
Can you please share what exactly the problem is and how it can be fixed?
TASK [Enroll host to FreeIPA] **************************************************************************************************************************
failed: [sherwin-centos6-test.example.com] (item=ipa1.idm.example.com) => {"ansible_loop_var": "item", "changed": false, "cmd": ["ipa-client-install", "-U", "-w", "8ekh0Y", "--mkhomedir", "--hostname", " sherwin-centos6-test.example.com", "--ntp-server", "169.254.169.123", "--domain", "idm.example.com", "--realm", "IDM.EXAMPLE.COM", "--server", " ipa1.idm.example.com"], "delta": "0:00:00.202857", "end": "2020-04-16 10:29:37.411081", "failed_when_result": true, "item": "ipa1.idm.example.com", "msg": "non-zero return code", "rc": 1, "start": "2020-04-16 10:29:37.208224", "stderr": "LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.\nLDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.\nFailed to verify that ipa1.idm.example.com is an IPA Server.\nThis may mean that the remote server is not up or is not reachable due to network or firewall settings.\nPlease make sure the following ports are opened in the firewall settings:\n TCP: 80, 88, 389\n UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\nAlso note that following ports are necessary for ipa-client working properly after enrollment:\n TCP: 464\n UDP: 464, 123 (if NTP enabled)\nInstallation failed. Rolling back changes.\nIPA client is not configured on this system.", "stderr_lines": ["LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", "LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", "Failed to verify that ipa1.idm.example.com is an IPA Server.", "This may mean that the remote server is not up or is not reachable due to network or firewall settings.", "Please make sure the following ports are opened in the firewall settings:", " TCP: 80, 88, 389", " UDP: 88 (at least one of TCP/UDP ports 88 has to be open)", "Also note that following ports are necessary for ipa-client working properly after enrollment:", " TCP: 464", " UDP: 464, 123 (if NTP enabled)", "Installation failed. Rolling back changes.", "IPA client is not configured on this system."], "stdout": "\u001b[?1034h", "stdout_lines": ["\u001b[?1034h"]}
Hello,
Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS 7.4+ for it to work.
Rafael
On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
No, it's not the role, I'm using the command module:
ipa-client-install -U -w {{ freeipa_temp_kerberos_password }} --mkhomedir --hostname {{ freeipa_client_hostname }} --ntp-server {{ ipaclient_ntp_servers }} --domain {{ ipaclient_domain }} --realm {{ ipaclient_realm }} --server {{ servername }}
On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman <rjeffman@redhat.com> wrote:
-- Rafael Guterres Jeffman, Senior Software Engineer, FreeIPA - Red Hat
On 4/16/20 2:54 PM, Faraz Younus via FreeIPA-users wrote:
Hi, you can access the client installation logs on the machine if you want to troubleshoot (/var/log/ipaclient-install.log). From your output we can see: "Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user".
Is there an existing /etc/ipa/ca.crt file on the client? If yes, does it contain your IdM CA cert? On CentOS 6, ipa client version is 3.x and IIRC the installer does not support multiple CAs. On the server, does /etc/ipa/ca.crt contain multiple certs?
flo
On Thu, Apr 16, 2020 at 5:45 PM Rafael Jeffman <rjeffman@redhat.com> wrote:
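The checks Florence asks for (does the client's /etc/ipa/ca.crt exist, how many certificates does it hold, and is the IdM CA among them) can be scripted so the same inspection runs on every client before enrollment. The script below is an added example and is not code from the thread or from the FreeIPA project; the demo at the bottom uses a constructed bundle with placeholder bodies (not real certificates) in a temporary directory, and the function names are my own. It needs only POSIX sh, awk and grep; `describe_bundle` additionally calls `openssl x509` to print subject, issuer and SHA-256 fingerprint of each block.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a FreeIPA client CA bundle
# (/etc/ipa/ca.crt by default) along the lines of Florence's questions: how many
# certificates it holds, what each one is, and whether the server's CA is in it.

# count_certs FILE -> number of PEM certificate blocks in FILE (0 if none)
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# nth_cert FILE N -> the N-th PEM block (1-based) of FILE, BEGIN..END lines included
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# pem_body FILE N -> base64 body of the N-th block with all whitespace stripped,
# so two copies of one certificate compare equal regardless of line wrapping
pem_body() {
    nth_cert "$1" "$2" | grep -v -e '-----' | tr -d ' \t\r\n'
}

# bundle_contains BUNDLE CACERT -> exit 0 if the (single) certificate in CACERT
# appears in BUNDLE, 1 otherwise
bundle_contains() {
    want=$(pem_body "$2" 1)
    total=$(count_certs "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        if [ "$(pem_body "$1" "$i")" = "$want" ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# describe_bundle FILE -> one line per certificate with subject, issuer and
# SHA-256 fingerprint (needs openssl; blocks openssl cannot parse are flagged)
describe_bundle() {
    total=$(count_certs "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        info=$(nth_cert "$1" "$i" \
            | openssl x509 -noout -subject -issuer -fingerprint -sha256 2>/dev/null \
            | tr '\n' ' ')
        printf 'cert %s: %s\n' "$i" "${info:-(openssl could not parse this block)}"
        i=$((i + 1))
    done
}

# check_client_ca BUNDLE SERVER_CA -> prints a verdict; returns 0 only when BUNDLE
# holds exactly one certificate and it is SERVER_CA. The thread reports that the
# IPA 3.x client on CentOS 6 may not cope with more than one CA in the file, so
# every other state is reported for the admin to look at.
check_client_ca() {
    total=$(count_certs "$1")
    if [ "$total" -eq 0 ]; then
        echo "no certificate in $1"; return 1
    elif ! bundle_contains "$1" "$2"; then
        echo "$1 holds $total certificate(s) but not the server CA from $2"; return 1
    elif [ "$total" -gt 1 ]; then
        echo "$1 holds $total certificates (server CA present); old clients may need only the server CA"; return 1
    fi
    echo "$1 holds exactly the server CA"; return 0
}

# Demo on a constructed bundle (placeholder bodies, not real certificates).
# On a real client run: describe_bundle /etc/ipa/ca.crt
demo_dir=$(mktemp -d)
cat > "$demo_dir/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
OLDCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
IDMCAPLACEHOLDER
-----END CERTIFICATE-----
EOF
cat > "$demo_dir/server-ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
IDMCAPLACEHOLDER
-----END CERTIFICATE-----
EOF
describe_bundle "$demo_dir/ca.crt"
check_client_ca "$demo_dir/ca.crt" "$demo_dir/server-ca.crt" || true
rm -rf "$demo_dir"
```

To use it on a real host, copy the server's /etc/ipa/ca.crt next to the client's copy and run `check_client_ca /etc/ipa/ca.crt ./server-ca.crt`; a non-zero exit with the "holds N certificates" message is the situation the thread ends in, where a stale extra certificate in the client's bundle made the installer distrust the server.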
Thanks Florence!! I already had one certificate on the client server; I removed that and it worked.
On Thu, Apr 16, 2020 at 9:50 PM Florence Blanc-Renaud <flo@redhat.com> wrote: