freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

new ipaclient fails to join #91

Closed RobVerduijn closed 5 years ago

RobVerduijn commented 5 years ago

Hello,

Doing a fresh install on a CentOS 7 ipaclient (as in new kickstart install). The configuration of the client fails on the task `ipaclient : Install - Join IPA` with the error:

```
FAILED! => {"changed": false, "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"}
```

This is a new client. I checked that the following vars were set:

```yaml
ipaclient_mkhomedir: false
ipaclient_use_otp: false
ipaadmin_principal: '{{ ipa_admin }}'
ipaadmin_password: '{{ ipa_admin_password }}'
ipassd_enable_dns_updates: true
ipaclient_no_ntp: true
```

Cheers Rob

t-woerner commented 5 years ago

Do you have more error messages in the log file? Do you get the same error using the command line installer?

RobVerduijn commented 5 years ago

Hello,

The client joins when I do a manual configuration.

```
ipa-client-install --enable-dns-updates
```

I'm rerunning the installation to collect the logs; I'll post them when it's done.

Rob

RobVerduijn commented 5 years ago

Output from -vvv

```
The full traceback is:
WARNING: The below traceback may not be related to the actual failure.
  File "/tmp/ansible_ipaclient_join_payload_N2y5q5/main.py", line 270, in main
    get_ca_certs(fstore, options, servers[0], basedn, realm)
  File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 1820, in get_ca_certs
    message=u"HTTP "

fatal: [katello]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "admin_keytab": null,
            "basedn": "dc=example,dc=com",
            "ca_cert_file": null,
            "debug": null,
            "domain": "freeipa01",
            "force_join": false,
            "hostname": "ipaclient.example.com",
            "kdc": "freeipa01, freeipa02",
            "keytab": null,
            "kinit_attempts": 5,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "principal": "rob",
            "realm": "EXAMPLE.COM",
            "servers": [
                "freeipa01",
                "freeipa02"
            ]
        }
    },
    "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"
```

RobVerduijn commented 5 years ago

Hello, it seems to work again with the latest git version.

Cheers Rob