Here are the log files. I just want to inform you that I now have that problem also on Ubuntu 14.40 and Debian 8. On Ubuntu the ipa client version is 3.3; maybe the problem is there.
In the meantime I enrolled several more Ubuntu 18.04 instances without problems. On this Debian 8 and Ubuntu 14.40 I just tried with the option --ca-cert-file, which I copied from the master, but got the same error.

Thank you
Petar

2019-05-20T11:13:47Z DEBUG [IPA Discovery]
2019-05-20T11:13:47Z DEBUG Starting IPA discovery with domain=example.com, servers=['myipaserver.example.com'], hostname=myclient.example.net
2019-05-20T11:13:47Z DEBUG Server and domain forced
2019-05-20T11:13:47Z DEBUG [Kerberos realm search]
2019-05-20T11:13:47Z DEBUG Search DNS for TXT record of _kerberos.example.com
2019-05-20T11:13:47Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:47Z DEBUG [LDAP server check]
2019-05-20T11:13:47Z DEBUG Verifying that myipaserver.example.com (realm None) is an IPA server
2019-05-20T11:13:47Z DEBUG Init LDAP connection to: myipaserver.example.com
2019-05-20T11:13:48Z DEBUG Search LDAP server for IPA base DN
2019-05-20T11:13:49Z DEBUG Check if naming context 'dc=example,dc=com' is for IPA
2019-05-20T11:13:49Z DEBUG Naming context 'dc=example,dc=com' is a valid IPA context
2019-05-20T11:13:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
2019-05-20T11:13:49Z DEBUG Found: cn=example.com,cn=kerberos,dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Discovery result: Success; server=myipaserver.example.com, domain=example.com, kdc=None, basedn=dc=example,dc=com
2019-05-20T11:13:49Z DEBUG Validated servers: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered domain: example.com
2019-05-20T11:13:49Z DEBUG Using servers from command line, disabling DNS discovery
2019-05-20T11:13:49Z DEBUG will use provided server: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG will use discovered realm: example.com
2019-05-20T11:13:49Z DEBUG will use discovered basedn: dc=example,dc=com
2019-05-20T11:13:49Z INFO Hostname: myclient.example.net
2019-05-20T11:13:49Z DEBUG Hostname source: Provided as option
2019-05-20T11:13:49Z INFO Realm: example.com
2019-05-20T11:13:49Z DEBUG Realm source: Discovered from LDAP DNS records in myipaserver.example.com
2019-05-20T11:13:49Z INFO DNS Domain: example.com
2019-05-20T11:13:49Z DEBUG DNS Domain source: Forced
2019-05-20T11:13:49Z INFO IPA Server: myipaserver.example.com
2019-05-20T11:13:49Z DEBUG IPA Server source: Provided as option
2019-05-20T11:13:49Z INFO BaseDN: dc=example,dc=com
2019-05-20T11:13:49Z DEBUG BaseDN source: From IPA server ldap://myipaserver.example.com:389
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r example.com
2019-05-20T11:13:49Z DEBUG Process finished, return code=5
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=realm not found
2019-05-20T11:13:49Z DEBUG Starting external process
2019-05-20T11:13:49Z DEBUG args=/bin/hostname myclient.example.net
2019-05-20T11:13:49Z DEBUG Process finished, return code=0
2019-05-20T11:13:49Z DEBUG stdout=
2019-05-20T11:13:49Z DEBUG stderr=
2019-05-20T11:13:49Z DEBUG Backing up system configuration file '/etc/hostname'
2019-05-20T11:13:49Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:49Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-05-20T11:13:49Z INFO Synchronizing time with KDC...
2019-05-20T11:13:49Z DEBUG Search DNS for SRV record of _ntp._udp.example.com
2019-05-20T11:13:50Z DEBUG DNS record not found: NXDOMAIN
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ntpdate -s -b -v myipaserver.example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=1
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:50Z DEBUG Process finished, return code=2
2019-05-20T11:13:50Z DEBUG stdout=
2019-05-20T11:13:50Z DEBUG stderr=Unknown command
2019-05-20T11:13:50Z DEBUG Writing Kerberos configuration to /tmp/tmpJH6hjP:
2019-05-20T11:13:50Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = example.com
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  example.com = {
    kdc = myipaserver.example.com:88
    master_kdc = myipaserver.example.com:88
    admin_server = myipaserver.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = example.com
  example.com = example.com
  .clientexample.com = example.com
  clientexample.com = example.com

2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=kinit ad...@example.com
2019-05-20T11:13:50Z DEBUG Process finished, return code=0
2019-05-20T11:13:50Z DEBUG stdout=Password for ad...@example.com:
2019-05-20T11:13:50Z DEBUG stderr=
2019-05-20T11:13:50Z DEBUG trying to retrieve CA cert from file /tmp/ca.crt
2019-05-20T11:13:50Z DEBUG CA cert provided by user, use it!
2019-05-20T11:13:50Z DEBUG Starting external process
2019-05-20T11:13:50Z DEBUG args=/usr/sbin/ipa-join -s myipaserver.example.com -b dc=example,dc=com -h myclient.example.net -f
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=example.com
2019-05-20T11:13:54Z INFO Enrolled in IPA realm example.com
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=kdestroy
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/myclient.example....@example.com
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2019-05-20T11:13:54Z DEBUG -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2019-05-20T11:13:54Z INFO Created /etc/ipa/default.conf
2019-05-20T11:13:54Z DEBUG importing all plugin modules in '/usr/lib/python2.7/dist-packages/ipalib/plugins'...
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/aci.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/automember.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/automount.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/baseldap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/batch.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/config.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/delegation.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/dns.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/group.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacrule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbacsvcgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hbactest.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/host.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/hostgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/idrange.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/internal.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/kerberos.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/krbtpolicy.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/migration.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/misc.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/netgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/passwd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/permission.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/ping.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/pkinit.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/privilege.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/pwpolicy.py'
2019-05-20T11:13:54Z DEBUG Starting external process
2019-05-20T11:13:54Z DEBUG args=klist -V
2019-05-20T11:13:54Z DEBUG Process finished, return code=0
2019-05-20T11:13:54Z DEBUG stdout=Kerberos 5 version 1.12
2019-05-20T11:13:54Z DEBUG stderr=
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/realmdomains.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/role.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/selfservice.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/selinuxusermap.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/service.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmd.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudocmdgroup.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/sudorule.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/trust.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/user.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/virtual.py'
2019-05-20T11:13:54Z DEBUG importing plugin module '/usr/lib/python2.7/dist-packages/ipalib/plugins/xmlclient.py'
2019-05-20T11:13:55Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2019-05-20T11:13:55Z DEBUG -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2019-05-20T11:13:55Z INFO New SSSD config will be created
2019-05-20T11:13:55Z INFO Configured /etc/sssd/sssd.conf
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=/usr/bin/certutil -A -d sql:/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2019-05-20T11:13:55Z DEBUG Process finished, return code=0
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=
2019-05-20T11:13:55Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2019-05-20T11:13:55Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl get_persistent @s 0
2019-05-20T11:13:55Z DEBUG Process finished, return code=2
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=Unknown command
2019-05-20T11:13:55Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2019-05-20T11:13:55Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = example.com
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  example.com = {
    kdc = myipaserver.example.com:88
    master_kdc = myipaserver.example.com:88
    admin_server = myipaserver.example.com:749
    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = example.com
  example.com = example.com
  .clientexample.com = example.com
  clientexample.com = example.com

2019-05-20T11:13:55Z INFO Configured /etc/krb5.conf for IPA realm example.com
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user ipa_session_cookie:host/myclient.example....@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG Starting external process
2019-05-20T11:13:55Z DEBUG args=keyctl search @s user ipa_session_cookie:host/myclient.example....@example.com
2019-05-20T11:13:55Z DEBUG Process finished, return code=1
2019-05-20T11:13:55Z DEBUG stdout=
2019-05-20T11:13:55Z DEBUG stderr=keyctl_search: Required key not available
2019-05-20T11:13:55Z DEBUG failed to find session_cookie in persistent storage for principal 'host/myclient.example....@example.com'
2019-05-20T11:13:56Z DEBUG trying https://myipaserver.example.com/ipa/xml
2019-05-20T11:13:56Z DEBUG Created connection context.xmlclient
2019-05-20T11:13:56Z DEBUG Try RPC connection
2019-05-20T11:13:56Z DEBUG Forwarding 'ping' to server 'https://myipaserver.example.com/ipa/xml'
2019-05-20T11:13:56Z DEBUG NSSConnection init myipaserver.example.com
2019-05-20T11:13:56Z DEBUG Connecting: 94.130.154.230:0
2019-05-20T11:13:56Z DEBUG auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 337206521890680437858189420391339302183775 (0x3def5fdcb91c7146fc7d3cb8c096bd5e35f)
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    Validity:
        Not Before: Fri Apr 05 07:19:18 2019 UTC
        Not After : Thu Jul 04 07:19:18 2019 UTC
    Subject: CN=myipaserver.example.com
    Subject Public Key Info:
        Public Key Algorithm:
            Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                b4:68:c6:c8:b4:4f:df:50:5a:f0:00:4b:ea:09:9d:77:
                1c:20:20:b6:ce:d7:64:24:c8:ec:65:ad:69:de:a1:ea:
                b4:a1:d6:4e:46:88:d5:e5:ea:e6:9c:70:d8:8a:00:7e:
                cd:c0:0f:2e:e7:e5:1f:3e:72:00:81:ab:b8:58:90:89:
                f6:81:ee:6a:87:f4:85:34:32:46:5f:0e:45:5c:05:69
            Exponent: 65537 (0x10001)
    Signed Extensions: (9)
        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Key Encipherment
        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate
        Name: Certificate Basic Constraints
        Critical: True
        Is CA: False
        Path Length: 0
        Name: Certificate Subject Key ID
        Critical: False
        Data:
            cb:c7:a1:bc:07:0a:ba:f9:d6:55:85:ea:e4:13:3a:e6:
            6d:1c:64:93
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            a8:4a:6a:63:04:7d:dd:ba:e6:d1:39:b7:a6:45:65:ef:
            f3:a8:ec:a1
        Serial Number: None
        General Names: [0 total]
        Name: Authority Information Access
        Critical: False
        Name: Certificate Subject Alt Name
        Critical: False
        Names:
            myipaserver.example.com
        Name: Certificate Policies
        Critical: False
        Name: OID.1.3.6.1.4.1.11129.2.4.2
        Critical: False
Signature:
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        1b:9b:b3:c8:cb:c6:2b:1c:e9:f5:4b:6b:f2:2f:81:56:
        55:00:33:bc:02:ba:e9:c4:58:76:b5:1b:05:ed:bc:d7:
        94:4d:45:42:78:82:b1:77:5c:d6:c5:a3:92:e1:b6:5a:
        d7:b1:b0:25:6b:c9:5c:bb:37:a8:f5:56:c4:1e:b2:cb:
        a7:18:78:fc:a4:5c:a1:38:c0:39:bc:3c:7b:22:34:30:
        32:02:07:12:15:16:38:c6:8d:c2:4c:e0:7d:b8:66:74:
        84:44:23:eb:3f:8d:11:5e:92:77:cc:e0:ee:c4:59:12
    Fingerprint (MD5):
        a4:df:06:9a:a3:e1:61:93:40:cc:8e:ea:6d:2
    Fingerprint (SHA1):
        23:88:55:80:b7:6f:0f:d0:86:c0:4f:c3:c8:92:67:c3:
2019-05-20T11:13:56Z ERROR cert validation failed for "CN=myipaserver.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
2019-05-20T11:13:56Z ERROR Cannot connect to the server due to generic error: cannot connect to 'https://myipaserver.example.com/ipa/xml': [Errno -8179] (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.
2019-05-20T11:13:56Z ERROR Installation failed. Rolling back changes.
2019-05-20T11:13:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2019-05-20T11:13:56Z DEBUG Starting external process
2019-05-20T11:13:56Z DEBUG args=ipa-client-automount --uninstall --debug
2019-05-20T11:13:58Z DEBUG Process finished, return code=0
2019-05-20T11:13:58Z DEBUG stdout=Restoring configuration

On May 17, 2019 at 4:40:47 PM, Rob Crittenden (rcrit...@redhat.com) wrote:

Petar Kozić via FreeIPA-users wrote:
>
>> Petar Kozić via FreeIPA-users wrote:
>> > Hi folks,
>> > one question.
>> > These days I join my machines into IPA. Almost all machines have Ubuntu
>> > 18.04. I joined about 10 machines in the last two days. Today I tried to
>> > join Debian 8 jessie but I have a problem.
>> >
>> > All machines I join with the same command:
>> >
>> > ipa-client-install -U --domain=example.com
>> > --hostname=clientexample.com
>> > --server=ipa.example.com --realm=EXAMPLE.com
>> > --password=XXXxxxXXX --principal=admin --mkhomedir
>> >
>> > On the Debian machine I got this error in the process of joining:
>> >
>> > Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
>> > cert validation failed for "CN=ipa.example.com"
>> > ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
>> > Cannot connect to the server due to generic error: cannot connect to
>> > 'https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
>> > Certificate issuer is not recognized.
>> > Installation failed. Rolling back changes.
>> >
>> > Some help?
>>
>> We need more information on your CA chain configuration and what
>> versions of IPA you're using.
>>
>> For example, is your CA a typical IPA self-signed CA or did you sign it
>> with another CA?
>>
>> rob
>
>
> Ipa version:
>
> FreeIPA 4.7
>
> CA isn't self-signed. I generate Let's encrypt SSL and make chain CA
> which is imported in IPA.
>
> On all Ubuntu 18.04 it works perfectly, but this Debian 8 jessie doesn't
> natively support freeipa-client from the repo and maybe that is also a
> problem. I found some repo for freeipa client
>
> deb http://apt.numeezy.fr jessie main
>
> deb-src http://apt.numeezy.fr jessie main
>
> and I installed from there.

Assuming it picks the latest it means you have 4.6.4.

You might try installing the Let's Encrypt root CAs onto your client
prior to running ipa-client-install.

Otherwise I think we'd need to see /var/log/ipaclient-install.log to see
the CA chain being retrieved. Sounds like it is incomplete but unclear why.

rob
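
One way to triage an ipaclient-install.log like the one in this message: pull out the CA file the installer used, the issuer of the certificate the server presented, and the NSS error, then check whether that issuer is among the subjects in the CA file. This is an added example, not part of the original thread and not FreeIPA code; the sample log is constructed from a few entries of the log above, and the list of CA-file subjects is an assumed input (for instance collected per certificate with openssl x509 -noout -subject). It only checks the leaf's direct issuer, not the whole chain.

```python
import re

# Matches the "<timestamp> <LEVEL> " prefix that starts every log entry.
ENTRY_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR) ")

# Constructed sample: a few abbreviated entries in the shape of the log above,
# flattened onto one line the way a mail archive may render it.
SAMPLE_LOG = (
    "2019-05-20T11:13:50Z DEBUG trying to retrieve CA cert from file /tmp/ca.crt "
    "2019-05-20T11:13:50Z DEBUG CA cert provided by user, use it! "
    "2019-05-20T11:13:56Z DEBUG auth_certificate_callback: check_sig=True "
    "is_server=False Data: Version: 3 (0x2) "
    "Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US "
    "Validity: Not Before: Fri Apr 05 07:19:18 2019 UTC "
    "Subject: CN=myipaserver.example.com Subject Public Key Info: "
    "2019-05-20T11:13:56Z ERROR cert validation failed for "
    "\"CN=myipaserver.example.com\" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's "
    "Certificate issuer is not recognized.) "
    "2019-05-20T11:13:56Z ERROR Installation failed. Rolling back changes."
)


def split_entries(text):
    """Split a log (even one flattened onto a single line) into entries."""
    parts = ENTRY_RE.split(text)
    # re.split with two groups yields [prefix, ts, level, msg, ts, level, msg, ...]
    return [(parts[i], parts[i + 1], parts[i + 2].strip())
            for i in range(1, len(parts), 3)]


def normalize_dn(dn):
    """Order- and spacing-insensitive DN form (naive: no escaped commas)."""
    rdns = (rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn)
    return frozenset((k.strip().upper(), v.strip()) for k, v in rdns)


def triage(text, bundle_subjects):
    """Summarise a failed enrollment: CA file used, peer issuer, NSS errors."""
    result = {"ca_file": None, "issuer": None, "subject": None,
              "nss_errors": [], "issuer_in_bundle": None}
    for _ts, level, msg in split_entries(text):
        m = re.search(r"retrieve CA cert from file (\S+)", msg)
        if m:
            result["ca_file"] = m.group(1)
        if msg.startswith("auth_certificate_callback"):
            issuer = re.search(r"Issuer:\s*(.+?)\s+Validity:", msg)
            subject = re.search(r"Subject:\s*(.+?)\s+Subject Public Key Info:", msg)
            result["issuer"] = issuer.group(1) if issuer else None
            result["subject"] = subject.group(1) if subject else None
        if level == "ERROR":
            for code in re.findall(r"\((SEC_ERROR_[A-Z_]+)\)", msg):
                if code not in result["nss_errors"]:
                    result["nss_errors"].append(code)
    if result["issuer"]:
        # bundle_subjects: subject DNs of the certificates in the CA file (assumed input)
        have = {normalize_dn(s) for s in bundle_subjects}
        result["issuer_in_bundle"] = normalize_dn(result["issuer"]) in have
    return result
```

A result with issuer_in_bundle set to False means the file given to the installer does not contain the CA that signed the server's HTTPS certificate, which matches the "chain is incomplete" reading in the reply above.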