yabhinav / ansible-role-ipaclient

Installs Free IPA Client and Registers to IPA server

Peer certificate cannot be authenticated with known CA certificates #1

Open yabhinav opened 7 years ago

yabhinav commented 7 years ago

Joining DEMO1.FREEIPA.ORG (provided by Red Hat) fails with the CentOS6 image even when the ca-certificates and PyOpenSSL packages are installed and updated.

Here is the error when joining the domain

(ansible_latest)[root@testlab /]# ipa-client-install -U --force-join --realm DEMO1.FREEIPA.ORG --domain demo1.freeipa.org --principal admin@DEMO1.FREEIPA.ORG --password Secret123 --hostname=testlab.example.com --mkhomedir  --no-ntp
Discovery was successful!
Hostname: testlab.example.com
Realm: DEMO1.FREEIPA.ORG
DNS Domain: demo1.freeipa.org
IPA Server: ipa.demo1.freeipa.org
BaseDN: dc=demo1,dc=freeipa,dc=org

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Issuer:      CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Valid From:  Wed Jun 04 10:34:05 2014 UTC
    Valid Until: Sun Jun 04 10:34:05 2034 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.
(ansible_latest)[root@testlab /]# 

Here is the complete log for ipa-client configuration

 cat /var/log/ipaclient-install.log 
2017-03-05T17:03:13Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'demo1.freeipa.org', 'force': False, 'realm_name': 'DEMO1.FREEIPA.ORG', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': 'admin@DEMO1.FREEIPA.ORG', 'hostname': 'testlab.example.com', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2017-03-05T17:03:13Z DEBUG missing options might be asked for interactively later
2017-03-05T17:03:13Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-05T17:03:13Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-03-05T17:03:13Z DEBUG [IPA Discovery]
2017-03-05T17:03:13Z DEBUG Starting IPA discovery with domain=demo1.freeipa.org, servers=None, hostname=testlab.example.com
2017-03-05T17:03:13Z DEBUG Search for LDAP SRV record in demo1.freeipa.org
2017-03-05T17:03:13Z DEBUG Search DNS for SRV record of _ldap._tcp.demo1.freeipa.org.
2017-03-05T17:03:13Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:03:13Z DEBUG [Kerberos realm search]
2017-03-05T17:03:13Z DEBUG Kerberos realm forced
2017-03-05T17:03:13Z DEBUG Search DNS for SRV record of _kerberos._udp.demo1.freeipa.org.
2017-03-05T17:03:13Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:03:13Z DEBUG [LDAP server check]
2017-03-05T17:03:13Z DEBUG Verifying that ipa.demo1.freeipa.org (realm DEMO1.FREEIPA.ORG) is an IPA server
2017-03-05T17:03:13Z DEBUG Init LDAP connection with: ldap://ipa.demo1.freeipa.org:389
2017-03-05T17:03:15Z DEBUG Search LDAP server for IPA base DN
2017-03-05T17:03:15Z DEBUG Check if naming context 'dc=demo1,dc=freeipa,dc=org' is for IPA
2017-03-05T17:03:16Z DEBUG Naming context 'dc=demo1,dc=freeipa,dc=org' is a valid IPA context
2017-03-05T17:03:16Z DEBUG Search for (objectClass=krbRealmContainer) in dc=demo1,dc=freeipa,dc=org (sub)
2017-03-05T17:03:16Z DEBUG Found: cn=DEMO1.FREEIPA.ORG,cn=kerberos,dc=demo1,dc=freeipa,dc=org
2017-03-05T17:03:16Z DEBUG Discovery result: Success; server=ipa.demo1.freeipa.org, domain=demo1.freeipa.org, kdc=ipa.demo1.freeipa.org, basedn=dc=demo1,dc=freeipa,dc=org
2017-03-05T17:03:16Z DEBUG Validated servers: ipa.demo1.freeipa.org
2017-03-05T17:03:16Z DEBUG will use discovered domain: demo1.freeipa.org
2017-03-05T17:03:16Z DEBUG Start searching for LDAP SRV record in "demo1.freeipa.org" (Validating DNS Discovery) and its sub-domains
2017-03-05T17:03:16Z DEBUG Search DNS for SRV record of _ldap._tcp.demo1.freeipa.org.
2017-03-05T17:03:16Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:03:16Z DEBUG DNS validated, enabling discovery
2017-03-05T17:03:16Z DEBUG will use discovered server: ipa.demo1.freeipa.org
2017-03-05T17:03:16Z INFO Discovery was successful!
2017-03-05T17:03:16Z DEBUG will use discovered realm: DEMO1.FREEIPA.ORG
2017-03-05T17:03:16Z DEBUG will use discovered basedn: dc=demo1,dc=freeipa,dc=org
2017-03-05T17:03:16Z INFO Hostname: testlab.example.com
2017-03-05T17:03:16Z DEBUG Hostname source: Provided as option
2017-03-05T17:03:16Z INFO Realm: DEMO1.FREEIPA.ORG
2017-03-05T17:03:16Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.demo1.freeipa.org
2017-03-05T17:03:16Z INFO DNS Domain: demo1.freeipa.org
2017-03-05T17:03:16Z DEBUG DNS Domain source: Discovered LDAP SRV records from demo1.freeipa.org
2017-03-05T17:03:16Z INFO IPA Server: ipa.demo1.freeipa.org
2017-03-05T17:03:16Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipa.demo1.freeipa.org
2017-03-05T17:03:16Z INFO BaseDN: dc=demo1,dc=freeipa,dc=org
2017-03-05T17:03:16Z DEBUG BaseDN source: From IPA server ldap://ipa.demo1.freeipa.org:389
2017-03-05T17:03:16Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DEMO1.FREEIPA.ORG
2017-03-05T17:03:16Z DEBUG stdout=
2017-03-05T17:03:16Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

2017-03-05T17:03:16Z INFO Synchronizing time with KDC...
2017-03-05T17:03:16Z DEBUG Search DNS for SRV record of _ntp._udp.demo1.freeipa.org.
2017-03-05T17:03:16Z DEBUG DNS record found: DNSResult::name:_ntp._udp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:03:16Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:03:16Z DEBUG stdout=
2017-03-05T17:03:16Z DEBUG stderr=
2017-03-05T17:03:17Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:03:17Z DEBUG stdout=
2017-03-05T17:03:17Z DEBUG stderr=
2017-03-05T17:03:17Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:03:17Z DEBUG stdout=
2017-03-05T17:03:17Z DEBUG stderr=
2017-03-05T17:03:17Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:03:17Z DEBUG stdout=
2017-03-05T17:03:17Z DEBUG stderr=
2017-03-05T17:03:18Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:03:18Z DEBUG stdout=
2017-03-05T17:03:18Z DEBUG stderr=
2017-03-05T17:03:18Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:03:18Z DEBUG stdout=
2017-03-05T17:03:18Z DEBUG stderr=
2017-03-05T17:03:18Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2017-03-05T17:03:18Z DEBUG Writing Kerberos configuration to /tmp/tmpSsDYF0:
2017-03-05T17:03:18Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DEMO1.FREEIPA.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  DEMO1.FREEIPA.ORG = {
    kdc = ipa.demo1.freeipa.org:88
    master_kdc = ipa.demo1.freeipa.org:88
    admin_server = ipa.demo1.freeipa.org:749
    default_domain = demo1.freeipa.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }

[domain_realm]
  .demo1.freeipa.org = DEMO1.FREEIPA.ORG
  demo1.freeipa.org = DEMO1.FREEIPA.ORG
  .example.com = DEMO1.FREEIPA.ORG
  example.com = DEMO1.FREEIPA.ORG

2017-03-05T17:03:20Z DEBUG args=kinit admin@DEMO1.FREEIPA.ORG
2017-03-05T17:03:20Z DEBUG stdout=Password for admin@DEMO1.FREEIPA.ORG: 

2017-03-05T17:03:20Z DEBUG stderr=
2017-03-05T17:03:20Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.demo1.freeipa.org
2017-03-05T17:03:23Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Issuer:      CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Valid From:  Wed Jun 04 10:34:05 2014 UTC
    Valid Until: Sun Jun 04 10:34:05 2034 UTC

2017-03-05T17:03:24Z DEBUG args=/usr/sbin/ipa-join -s ipa.demo1.freeipa.org -b dc=demo1,dc=freeipa,dc=org -h testlab.example.com -f
2017-03-05T17:03:24Z DEBUG stdout=
2017-03-05T17:03:24Z DEBUG stderr=libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2017-03-05T17:03:24Z ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2017-03-05T17:03:24Z ERROR Installation failed. Rolling back changes.
2017-03-05T17:03:24Z ERROR IPA client is not configured on this system.
(ansible_latest)[root@testlab /]# 
yabhinav commented 7 years ago

Debugging

Following this ticket https://access.redhat.com/solutions/523823

[root@testlab /]# curl -v https://ipa.demo1.freeipa.org
* About to connect() to ipa.demo1.freeipa.org port 443 (#0)
*   Trying 209.132.178.99... connected
* Connected to ipa.demo1.freeipa.org (209.132.178.99) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=ipa.demo1.freeipa.org
*   start date: Dec 29 15:58:00 2016 GMT
*   expire date: Mar 29 15:58:00 2017 GMT
*   common name: ipa.demo1.freeipa.org
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: ipa.demo1.freeipa.org
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 05 Mar 2017 17:34:03 GMT
< Server: Apache/2.4.23 (Fedora) mod_auth_gssapi/1.4.1 mod_auth_kerb/5.4 mod_nss/1.0.12 NSS/3.23 Basic ECC mod_wsgi/4.4.8 Python/2.7.12
< Location: https://ipa.demo1.freeipa.org/ipa/ui
< Content-Length: 244
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://ipa.demo1.freeipa.org/ipa/ui">here</a>.</p>
</body></html>
* Connection #0 to host ipa.demo1.freeipa.org left intact
* Closing connection #0

This happens although a version higher than ca-certificates-2013.1.94-65.0.el6 has been installed.

[root@testlab /]# yum info ca-certificates
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: mirror01.idc.hinet.net
 * extras: centos.excellmedia.net
 * updates: centos.excellmedia.net
Installed Packages
Name        : ca-certificates
Arch        : noarch
Version     : 2015.2.6
Release     : 65.0.1.el6_7
Size        : 3.1 M
Repo        : installed
From repo   : CentOS
Summary     : The Mozilla CA root certificate bundle
URL         : http://www.mozilla.org/
License     : Public Domain
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.
yabhinav commented 7 years ago

More detailed ipa-client install log.

Here we can see that the issue might be due to testlab.example.com not having a proper certificate.

[root@testlab /]# cat /var/log/ipaclient-install.log
2017-03-05T17:52:59Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'demo1.freeipa.org', 'force': False, 'realm_name': 'DEMO1.FREEIPA.ORG', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': 'admin@DEMO1.FREEIPA.ORG', 'hostname': 'testlab.example.com', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2017-03-05T17:52:59Z DEBUG missing options might be asked for interactively later
2017-03-05T17:52:59Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-05T17:52:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-03-05T17:52:59Z DEBUG [IPA Discovery]
2017-03-05T17:52:59Z DEBUG Starting IPA discovery with domain=demo1.freeipa.org, servers=None, hostname=testlab.example.com
2017-03-05T17:52:59Z DEBUG Search for LDAP SRV record in demo1.freeipa.org
2017-03-05T17:52:59Z DEBUG Search DNS for SRV record of _ldap._tcp.demo1.freeipa.org.
2017-03-05T17:52:59Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:52:59Z DEBUG [Kerberos realm search]
2017-03-05T17:52:59Z DEBUG Kerberos realm forced
2017-03-05T17:52:59Z DEBUG Search DNS for SRV record of _kerberos._udp.demo1.freeipa.org.
2017-03-05T17:52:59Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:52:59Z DEBUG [LDAP server check]
2017-03-05T17:52:59Z DEBUG Verifying that ipa.demo1.freeipa.org (realm DEMO1.FREEIPA.ORG) is an IPA server
2017-03-05T17:52:59Z DEBUG Init LDAP connection with: ldap://ipa.demo1.freeipa.org:389
2017-03-05T17:53:01Z DEBUG Search LDAP server for IPA base DN
2017-03-05T17:53:01Z DEBUG Check if naming context 'dc=demo1,dc=freeipa,dc=org' is for IPA
2017-03-05T17:53:02Z DEBUG Naming context 'dc=demo1,dc=freeipa,dc=org' is a valid IPA context
2017-03-05T17:53:02Z DEBUG Search for (objectClass=krbRealmContainer) in dc=demo1,dc=freeipa,dc=org (sub)
2017-03-05T17:53:02Z DEBUG Found: cn=DEMO1.FREEIPA.ORG,cn=kerberos,dc=demo1,dc=freeipa,dc=org
2017-03-05T17:53:02Z DEBUG Discovery result: Success; server=ipa.demo1.freeipa.org, domain=demo1.freeipa.org, kdc=ipa.demo1.freeipa.org, basedn=dc=demo1,dc=freeipa,dc=org
2017-03-05T17:53:02Z DEBUG Validated servers: ipa.demo1.freeipa.org
2017-03-05T17:53:02Z DEBUG will use discovered domain: demo1.freeipa.org
2017-03-05T17:53:02Z DEBUG Start searching for LDAP SRV record in "demo1.freeipa.org" (Validating DNS Discovery) and its sub-domains
2017-03-05T17:53:02Z DEBUG Search DNS for SRV record of _ldap._tcp.demo1.freeipa.org.
2017-03-05T17:53:02Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:53:02Z DEBUG DNS validated, enabling discovery
2017-03-05T17:53:02Z DEBUG will use discovered server: ipa.demo1.freeipa.org
2017-03-05T17:53:02Z INFO Discovery was successful!
2017-03-05T17:53:02Z DEBUG will use discovered realm: DEMO1.FREEIPA.ORG
2017-03-05T17:53:02Z DEBUG will use discovered basedn: dc=demo1,dc=freeipa,dc=org
2017-03-05T17:53:02Z INFO Hostname: testlab.example.com
2017-03-05T17:53:02Z DEBUG Hostname source: Provided as option
2017-03-05T17:53:02Z INFO Realm: DEMO1.FREEIPA.ORG
2017-03-05T17:53:02Z DEBUG Realm source: Discovered from LDAP DNS records in ipa.demo1.freeipa.org
2017-03-05T17:53:02Z INFO DNS Domain: demo1.freeipa.org
2017-03-05T17:53:02Z DEBUG DNS Domain source: Discovered LDAP SRV records from demo1.freeipa.org
2017-03-05T17:53:02Z INFO IPA Server: ipa.demo1.freeipa.org
2017-03-05T17:53:02Z DEBUG IPA Server source: Discovered from LDAP DNS records in ipa.demo1.freeipa.org
2017-03-05T17:53:02Z INFO BaseDN: dc=demo1,dc=freeipa,dc=org
2017-03-05T17:53:02Z DEBUG BaseDN source: From IPA server ldap://ipa.demo1.freeipa.org:389
2017-03-05T17:53:02Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DEMO1.FREEIPA.ORG
2017-03-05T17:53:02Z DEBUG stdout=
2017-03-05T17:53:02Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

2017-03-05T17:53:02Z DEBUG args=/bin/hostname testlab.example.com
2017-03-05T17:53:02Z DEBUG stdout=
2017-03-05T17:53:02Z DEBUG stderr=hostname: you must be root to change the host name

2017-03-05T17:53:02Z DEBUG Backing up system configuration file '/etc/sysconfig/network'
2017-03-05T17:53:02Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-05T17:53:03Z DEBUG args=/usr/sbin/selinuxenabled
2017-03-05T17:53:03Z DEBUG stdout=
2017-03-05T17:53:03Z DEBUG stderr=
2017-03-05T17:53:03Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-03-05T17:53:03Z INFO Synchronizing time with KDC...
2017-03-05T17:53:03Z DEBUG Search DNS for SRV record of _ntp._udp.demo1.freeipa.org.
2017-03-05T17:53:03Z DEBUG DNS record found: DNSResult::name:_ntp._udp.demo1.freeipa.org.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:ipa.demo1.freeipa.org.}
2017-03-05T17:53:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:53:03Z DEBUG stdout=
2017-03-05T17:53:03Z DEBUG stderr=
2017-03-05T17:53:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:53:03Z DEBUG stdout=
2017-03-05T17:53:03Z DEBUG stderr=
2017-03-05T17:53:03Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:53:03Z DEBUG stdout=
2017-03-05T17:53:03Z DEBUG stderr=
2017-03-05T17:53:04Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:53:04Z DEBUG stdout=
2017-03-05T17:53:04Z DEBUG stderr=
2017-03-05T17:53:04Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:53:04Z DEBUG stdout=
2017-03-05T17:53:04Z DEBUG stderr=
2017-03-05T17:53:04Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.demo1.freeipa.org
2017-03-05T17:53:04Z DEBUG stdout=
2017-03-05T17:53:04Z DEBUG stderr=
2017-03-05T17:53:04Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2017-03-05T17:53:04Z DEBUG Writing Kerberos configuration to /tmp/tmpjilcGO:
2017-03-05T17:53:04Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DEMO1.FREEIPA.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  DEMO1.FREEIPA.ORG = {
    kdc = ipa.demo1.freeipa.org:88
    master_kdc = ipa.demo1.freeipa.org:88
    admin_server = ipa.demo1.freeipa.org:749
    default_domain = demo1.freeipa.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }

[domain_realm]
  .demo1.freeipa.org = DEMO1.FREEIPA.ORG
  demo1.freeipa.org = DEMO1.FREEIPA.ORG
  .example.com = DEMO1.FREEIPA.ORG
  example.com = DEMO1.FREEIPA.ORG

2017-03-05T17:53:06Z DEBUG args=kinit admin@DEMO1.FREEIPA.ORG
2017-03-05T17:53:06Z DEBUG stdout=Password for admin@DEMO1.FREEIPA.ORG: 

2017-03-05T17:53:06Z DEBUG stderr=
2017-03-05T17:53:06Z DEBUG trying to retrieve CA cert via LDAP from ldap://ipa.demo1.freeipa.org
2017-03-05T17:53:09Z DEBUG Existing CA cert and Retrieved CA cert are identical
2017-03-05T17:53:10Z DEBUG args=/usr/sbin/ipa-join -s ipa.demo1.freeipa.org -b dc=demo1,dc=freeipa,dc=org -h testlab.example.com -f
2017-03-05T17:53:10Z DEBUG stdout=
2017-03-05T17:53:10Z DEBUG stderr=libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2017-03-05T17:53:10Z ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates

2017-03-05T17:53:10Z ERROR Installation failed. Rolling back changes.
2017-03-05T17:53:10Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-03-05T17:53:12Z DEBUG args=ipa-client-automount --uninstall --debug
2017-03-05T17:53:12Z DEBUG stdout=Restoring configuration

2017-03-05T17:53:12Z DEBUG stderr=importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3

stderr=
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'

2017-03-05T17:53:12Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-05T17:53:12Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-03-05T17:53:12Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA CA
2017-03-05T17:53:12Z DEBUG stdout=
2017-03-05T17:53:12Z DEBUG stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

2017-03-05T17:53:12Z DEBUG args=/sbin/service messagebus start 
2017-03-05T17:53:12Z DEBUG stdout=Starting system message bus: 

2017-03-05T17:53:12Z DEBUG stderr=
2017-03-05T17:53:12Z DEBUG args=/sbin/service messagebus status 
2017-03-05T17:53:12Z DEBUG stdout=messagebus (pid  8860) is running...

2017-03-05T17:53:12Z DEBUG stderr=
2017-03-05T17:53:12Z DEBUG args=/sbin/service certmonger start 
2017-03-05T17:53:12Z DEBUG stdout=Starting certmonger:     [  OK  ]

2017-03-05T17:53:12Z DEBUG stderr=
2017-03-05T17:53:12Z DEBUG args=/sbin/service certmonger status 
2017-03-05T17:53:12Z DEBUG stdout=certmonger (pid  9269) is running...

2017-03-05T17:53:12Z DEBUG stderr=
2017-03-05T17:53:12Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - testlab.example.com
2017-03-05T17:53:12Z DEBUG stdout=
2017-03-05T17:53:12Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - testlab.example.com
: PR_FILE_NOT_FOUND_ERROR: File not found

2017-03-05T17:53:16Z DEBUG args=/sbin/service certmonger stop 
2017-03-05T17:53:16Z DEBUG stdout=Stopping certmonger:     [  OK  ]

2017-03-05T17:53:16Z DEBUG stderr=
2017-03-05T17:53:17Z DEBUG args=/sbin/chkconfig certmonger off
2017-03-05T17:53:17Z DEBUG stdout=
2017-03-05T17:53:17Z DEBUG stderr=
2017-03-05T17:53:17Z INFO Disabling client Kerberos and LDAP configurations
2017-03-05T17:53:17Z DEBUG args=/usr/sbin/authconfig --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap --disablesssdauth
2017-03-05T17:53:17Z DEBUG stdout=
2017-03-05T17:53:17Z DEBUG stderr=
2017-03-05T17:53:17Z INFO Unconfiguring the NIS domain.
2017-03-05T17:53:17Z DEBUG args=/usr/sbin/authconfig --update --nisdomain 
2017-03-05T17:53:17Z DEBUG stdout=
2017-03-05T17:53:17Z DEBUG stderr=
2017-03-05T17:53:18Z DEBUG args=/bin/nisdomainname 
2017-03-05T17:53:18Z DEBUG stdout=
2017-03-05T17:53:18Z DEBUG stderr=nisdomainname: you must be root to change the domain name

2017-03-05T17:53:18Z WARNING Failed to set NIS domain.
2017-03-05T17:53:18Z DEBUG Error while moving /etc/sssd/sssd.conf to /etc/sssd/sssd.conf.deleted
2017-03-05T17:53:18Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2017-03-05T17:53:18Z DEBUG args=/sbin/service sssd stop 
2017-03-05T17:53:18Z DEBUG stdout=
2017-03-05T17:53:18Z DEBUG stderr=
2017-03-05T17:53:18Z DEBUG args=/sbin/chkconfig sssd off
2017-03-05T17:53:18Z DEBUG stdout=
2017-03-05T17:53:18Z DEBUG stderr=
2017-03-05T17:53:18Z INFO Restoring client configuration files
2017-03-05T17:53:18Z DEBUG args=/usr/sbin/selinuxenabled
2017-03-05T17:53:18Z DEBUG stdout=
2017-03-05T17:53:18Z DEBUG stderr=
2017-03-05T17:53:18Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-03-05T17:53:18Z DEBUG   -> no files, removing file
2017-03-05T17:53:18Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2017-03-05T17:53:18Z DEBUG   -> no modules, removing file
2017-03-05T17:53:18Z DEBUG args=/sbin/service nscd status
2017-03-05T17:53:18Z DEBUG stdout=
2017-03-05T17:53:18Z DEBUG stderr=nscd: unrecognized service

2017-03-05T17:53:18Z INFO nscd daemon is not installed, skip configuration
2017-03-05T17:53:18Z DEBUG args=/sbin/service nslcd status
2017-03-05T17:53:18Z DEBUG stdout=
2017-03-05T17:53:18Z DEBUG stderr=nslcd: unrecognized service

2017-03-05T17:53:18Z INFO nslcd daemon is not installed, skip configuration
2017-03-05T17:53:18Z INFO Client uninstall complete.
[root@testlab /]# 
yabhinav commented 7 years ago

Could not find cert: IPA Machine Certificate - testlab.example.com : PR_FILE_NOT_FOUND_ERROR: File not found

Refer https://pagure.io/freeipa/issue/4444 and https://www.redhat.com/archives/freeipa-users/2015-March/msg00751.html

This issue is apparently fixed with freeipa 4.0.x and hence we don't see it in Fedora25 and CentOS6 images.

[root@testlab /]# yum info ipa-cleint
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: mirror01.idc.hinet.net
 * extras: centos.excellmedia.net
 * updates: centos.excellmedia.net
Error: No matching Packages to list
[root@testlab /]# yum info ipa-client
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: mirror01.idc.hinet.net
 * extras: centos.excellmedia.net
 * updates: centos.excellmedia.net
Installed Packages
Name        : ipa-client
Arch        : x86_64
Version     : 3.0.0
Release     : 50.el6.centos.3
Size        : 312 k
Repo        : installed
From repo   : updates
Summary     : IPA authentication for use on clients
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If your network uses IPA for authentication,
            : this package should be installed on every client machine.

[root@testlab /]# 

In CentOS7 this issue doesn't exist

MacBook-Pro:ansible-role-ipaclient abhinav$ docker run -h testlab.example.com --name testlab --rm -it --volume="${PWD}":/etc/ansible/roles/role_under_test:ro yabhinav/ansible:centos7 bash
[root@testlab /]# yum info ipa-client
Loaded plugins: fastestmirror, ovl
base                                                                                                                                                          | 3.6 kB  00:00:00     
epel/x86_64/metalink                                                                                                                                          | 5.0 kB  00:00:00     
epel                                                                                                                                                          | 4.3 kB  00:00:00     
extras                                                                                                                                                        | 3.4 kB  00:00:00     
updates                                                                                                                                                       | 3.4 kB  00:00:00     
(1/7): base/7/x86_64/group_gz                                                                                                                                 | 155 kB  00:00:00     
(2/7): extras/7/x86_64/primary_db                                                                                                                             | 122 kB  00:00:00     
(3/7): epel/x86_64/group_gz                                                                                                                                   | 170 kB  00:00:01     
(4/7): updates/7/x86_64/primary_db                                                                                                                            | 3.8 MB  00:00:02     
(5/7): epel/x86_64/updateinfo                                                                                                                                 | 751 kB  00:00:04     
(6/7): base/7/x86_64/primary_db                                                                                                                               | 5.6 MB  00:00:05     
(7/7): epel/x86_64/primary_db                                                                                                                                 | 4.5 MB  00:00:06     
Determining fastest mirrors
 * base: mirror.fibergrid.in
 * epel: epel.mirror.angkasa.id
 * extras: mirror.fibergrid.in
 * updates: mirror.fibergrid.in
Available Packages
Name        : ipa-client
Arch        : x86_64
Version     : 4.4.0
Release     : 14.el7.centos.6
Size        : 230 k
Repo        : updates/7/x86_64
Summary     : IPA authentication for use on clients
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (users,
            : hosts, services), Authentication (SSO, 2FA), and Authorization
            : (host access control, SELinux user roles, services). The solution provides
            : features for further integration with Linux based clients (SUDO, automount)
            : and integration with Active Directory based infrastructures (Trusts).
            : If your network uses IPA for authentication, this package should be
            : installed on every client machine.

[root@testlab /]#

Need to check if we can install ipa4.x in CentOS6

ash-ishh commented 4 years ago

I was facing an issue with a similar error message. On running ipa-client-install with --debug it turned out to be the following issue:

* About to connect() to foo.bar.com port 443 (#0)
*   Trying 00.00.00.00...
* Connected to foo.bar.com (00.00.00.00) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Server certificate:
*   subject: CN=foo.bar.com
*   start date: Aug 20 11:08:17 2020 GMT
*   expire date: Nov 18 11:08:17 2022 GMT
*   common name: foo.bar.com
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining:  Peer's Certificate issuer is not recognized.

Reason: the ipa server reverse proxy was configured with a Let's Encrypt certificate which wasn't configured in ipa-server. This guide helped to configure it.

I know this is not related to repo or issue but posting in case someone like me stumbles upon this thread :)