Hi,

On Wed, Nov 2, 2022 at 2:39 PM Ronald Wimmer via FreeIPA-users <[email protected]> wrote:
> When trying to enroll some IPA clients (RHEL 7.9) I do get the following
> error:
>
> Cannot obtain CA certificate
> 'ldap://pipag01.linux.gleis.at' doesn't have a certificate.
> Installation failed. Rolling back changes.
>
> LDAP(S)/HTTP(S) ports are open.
>
> What's going on here? How can I debug further?
>

From the logs:

2022-11-02T12:30:47Z DEBUG trying to retrieve CA cert via LDAP from ipa01.linux.mydomain.at
2022-11-02T12:30:47Z DEBUG get_ca_certs_from_ldap() error: option error
2022-11-02T12:30:47Z DEBUG option error
2022-11-02T12:30:47Z ERROR Cannot obtain CA certificate
'ldap://ipa01.linux.mydomain.at' doesn't have a certificate.
2022-11-02T12:30:47Z ERROR Installation failed. Rolling back changes.

The method get_ca_certs_from_ldap is trying to get the CA certs by performing an ldapsearch on the master similar to this one:

ldapsearch -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test "(&(objectClass=ipaCertificate)(objectClass=pkiCA))"

If it fails, it falls back to the old way of storing the CA:

ldapsearch -b cn=cacert,cn=ipa,cn=etc,$BASEDN

The connection is authenticated using GSSAPI, using the credentials provided to ipa-client-install (admin in your case). You can try to correlate the failure with the access logs on the master (pick the timestamp from ipaclient-install.log and look for the search around the same time on the server in /var/log/dirsrv/slapd-xxx/access). Check if the search found any entry, and if not you can directly look in the LDAP tree. The CA certificate should be stored in an entry cn=<DOMAIN> IPA CA,cn=certificates,cn=ipa,cn=etc,$BASEDN.
If you need help understanding the logs, let's take this example:

[06/Nov/2022:15:49:05.008084651 +0000] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.011591350 +0000] conn=42 op=0 RESULT err=14 tag=97 nentries=0 etime=0.0003626879, SASL bind in progress
[06/Nov/2022:15:49:05.012375581 +0000] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.013416089 +0000] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0001068280, SASL bind in progress
[06/Nov/2022:15:49:05.014049230 +0000] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.014646574 +0000] conn=42 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000622033 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"
[06/Nov/2022:15:49:05.015254256 +0000] conn=42 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaPublicKey ipaCertIssuerSerial ipaKeyExtUsage ipaCertSubject cn cacertificate;binary ipaKeyTrust"
[06/Nov/2022:15:49:05.015752516 +0000] conn=42 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0000574052

I started by looking for a search targeting *cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test* -> found on line 7. The search is using *conn=42* and corresponds to operation *op=3*. To find the result, look for a line with the same connection number and operation number -> line 8 with *conn=42 op=3 RESULT*. The result is success (*err=0*) and found 1 entry (*nentries=1*). To find who performed the operation, look for a BIND op with the same connection number happening before the search -> line 5, look for its result (same conn, same op) -> line 6 and find the DN: *uid=admin,cn=users,cn=accounts,dc=ipa,dc=test*.
HTH,
flo

> Cheers,
> Ronald
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
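The correlation procedure flo walks through by hand (find the SRCH on the CA container, match its RESULT by conn/op, then walk back to the BIND RESULT on the same connection to learn who ran it) is mechanical enough to script. The Python below is an added example, not code from the thread or from FreeIPA/389-ds. The sample log is constructed: the conn=42 lines copy the example above, and conn=43 is a made-up failing case where the bind succeeds but the CA search returns nentries=0, which is what you would expect to see on the master if the ipa-client-install fallback path is being hit because the entry is missing. The line regex only covers the `conn=N op=N KIND ...` records; connection-open/close lines without an `op=` are skipped.

```python
import re

# Constructed sample in 389-ds access-log format. conn=42 is copied from the
# thread (successful GSSAPI bind as admin, then the CA search finding 1 entry);
# conn=43 is an invented failure case where the same search finds nothing.
SAMPLE_ACCESS_LOG = """\
[06/Nov/2022:15:49:05.008084651 +0000] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.011591350 +0000] conn=42 op=0 RESULT err=14 tag=97 nentries=0 etime=0.0003626879, SASL bind in progress
[06/Nov/2022:15:49:05.012375581 +0000] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.013416089 +0000] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0001068280, SASL bind in progress
[06/Nov/2022:15:49:05.014049230 +0000] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:05.014646574 +0000] conn=42 op=2 RESULT err=0 tag=97 nentries=0 etime=0.0000622033 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"
[06/Nov/2022:15:49:05.015254256 +0000] conn=42 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaPublicKey ipaCertIssuerSerial ipaKeyExtUsage ipaCertSubject cn cacertificate;binary ipaKeyTrust"
[06/Nov/2022:15:49:05.015752516 +0000] conn=42 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0000574052
[06/Nov/2022:15:49:06.000000000 +0000] conn=43 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Nov/2022:15:49:06.001000000 +0000] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000500000 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=test"
[06/Nov/2022:15:49:06.002000000 +0000] conn=43 op=1 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="cn cacertificate;binary"
[06/Nov/2022:15:49:06.003000000 +0000] conn=43 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000400000
"""

# "[timestamp] conn=N op=N KIND rest..." ; op can be -1 on some 389-ds lines.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces and '=' (filter, attrs),
# unquoted values stop at whitespace or the comma after etime.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')

CA_BASE = 'cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=test'


def parse_access_log(text):
    """Turn access-log lines into dicts; lines without conn/op are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        records.append({**fields, 'ts': m.group('ts'), 'conn': int(m.group('conn')),
                        'op': int(m.group('op')), 'kind': m.group('kind')})
    return records


def correlate_ca_searches(text, base_dn=CA_BASE):
    """For every SRCH on base_dn, attach its RESULT and the identity that ran it."""
    records = parse_access_log(text)
    results = {(r['conn'], r['op']): r for r in records if r['kind'] == 'RESULT'}
    bind_ops = {(r['conn'], r['op']) for r in records if r['kind'] == 'BIND'}
    out = []
    for r in records:
        if r['kind'] != 'SRCH' or r.get('base', '').lower() != base_dn.lower():
            continue
        res = results.get((r['conn'], r['op']))
        # Identity = last BIND on this connection before the search whose RESULT
        # has err=0 and a dn. For GSSAPI only the final SASL round carries the
        # dn; the earlier rounds return err=14 (SASL bind in progress).
        bound_dn = None
        for key in sorted(k for k in bind_ops if k[0] == r['conn'] and k[1] < r['op']):
            br = results.get(key)
            if br and br.get('err') == '0' and br.get('dn'):
                bound_dn = br['dn']
        out.append({'conn': r['conn'], 'op': r['op'], 'ts': r['ts'],
                    'filter': r.get('filter'), 'bound_dn': bound_dn,
                    'err': int(res['err']) if res else None,
                    'nentries': int(res['nentries']) if res else None})
    return out


def diagnose(entry):
    """One-line verdict, in the order a practitioner would check things."""
    if entry['bound_dn'] is None:
        return 'search ran on a connection with no successful bind (anonymous)'
    if entry['err'] is None:
        return 'no RESULT line found for this search'
    if entry['err'] != 0:
        return f"search failed with LDAP err={entry['err']}"
    if entry['nentries'] == 0:
        return 'search succeeded but found no CA entry; check the LDAP tree'
    return f"search found {entry['nentries']} entry/entries as {entry['bound_dn']}"


if __name__ == '__main__':
    for e in correlate_ca_searches(SAMPLE_ACCESS_LOG):
        print(f"conn={e['conn']} op={e['op']} {e['ts']}: {diagnose(e)}")
```

Point it at a real /var/log/dirsrv/slapd-xxx/access by reading the file into `correlate_ca_searches`; narrowing by the timestamp from ipaclient-install.log first keeps the output to the enrolment you care about. The `bound_dn is None` branch is the case worth looking at first: if the search went out anonymously, the GSSAPI bind never completed and the empty result is a credential problem, not a missing entry.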
