freeipa team mailing list archive

[Bug 1975858] Re: Install client fails in Ubuntu 22.04

 

[solved]
The FreeIPA server certificate was missing a DNS SAN.

ipa-client-install worked just fine after installing a new certificate
with a DNS SAN on the FreeIPA server.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1975858

Title:
  Install client fails in Ubuntu 22.04

Status in freeipa package in Ubuntu:
  New

Bug description:
  Hello there!

  Ubuntu 18.04 (and previous ones) works just fine, but in Ubuntu 22.04
  (fresh VM install and apt update) I'm trying to execute
  ipa-client-install but it fails like this:

  root@fisica75:~# ipa-client-install
  This program will set up IPA client.
  Version 4.9.8

  WARNING: conflicting time&date synchronization service 'ntp' will be
  disabled in favor of chronyd

  Discovery was successful!
  Do you want to configure chrony with NTP server or pool address? [no]:
  Client hostname: fisica75.fisica.cabib
  Realm: FISICA.CABIB
  DNS Domain: fisica.cabib
  IPA Server: ipaserver.fisica.cabib
  BaseDN: dc=fisica,dc=cabib

  Continue to configure the system with these values? [no]: yes
  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  Using default chrony configuration.
  Attempting to sync time with chronyc.
  Time synchronization was successful.
  User authorized to enroll computers: tavo
  Password for tavo@FISICA.CABIB:
  Successfully retrieved CA cert
      Subject:     CN=Certificate Authority,O=FISICA.CABIB
      Issuer:      CN=Certificate Authority,O=FISICA.CABIB
      Valid From:  2014-01-14 12:56:57
      Valid Until: 2034-01-14 12:56:57

  Enrolled in IPA realm FISICA.CABIB
  Created /etc/ipa/default.conf
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm FISICA.CABIB
  cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
  root@fisica75:~#

  There is no hostname mismatch for the server certificate. It has been
  working just fine for years with multiple distros as clients. I can
  access the website with the same URL and the cert is just fine.

  Any ideas?
  Thanks!

  
  lsb_release -rd
  Description:	Ubuntu 22.04 LTS
  Release:	22.04

  
  apt-cache policy freeipa-client
  freeipa-client:
    Instalados: 4.9.8-1
    Candidato:  4.9.8-1
    Tabla de versión:
   *** 4.9.8-1 500
          500 http://www.fisica.cabib/ubuntu jammy/universe amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1975858/+subscriptions
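
A check for the condition named in the resolution above, as an added example that is not part of the original message or of FreeIPA: it classifies a certificate, in the form returned by Python's `ssl.SSLSocket.getpeercert()`, as lacking a DNS SAN, carrying one that does not cover the hostname, or matching. The hostname `ipa.example.test`, the sample certificates and all helper names are constructed for illustration, and the matching is SAN-only (the CN is reported but never accepted).

```python
import socket
import ssl

def fetch_cert(host, cafile, port=443):
    """Return the server certificate as a getpeercert() dict.

    The chain is still verified against cafile; only the hostname check is
    turned off so a certificate that fails name matching can be inspected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # diagnostic only; chain verification stays on
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_sans(cert):
    """DNS entries of the subjectAltName extension (empty list if none)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """commonName values from the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def diagnose(hostname, cert):
    """Classify the certificate using SAN-only matching (the CN is ignored)."""
    sans = dns_sans(cert)
    if not sans:
        cn_hit = any(name_matches(cn, hostname) for cn in common_names(cert))
        return "missing-dns-san (CN matches)" if cn_hit else "missing-dns-san"
    return "ok" if any(name_matches(s, hostname) for s in sans) else "san-mismatch"

# Constructed sample certificates in getpeercert() form, not taken from the report.
CN_ONLY = {"subject": ((("commonName", "ipa.example.test"),),)}
WITH_SAN = {"subject": ((("commonName", "ipa.example.test"),),),
            "subjectAltName": (("DNS", "ipa.example.test"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with DNS SAN", WITH_SAN)):
        print(label, "->", diagnose("ipa.example.test", cert))
```

Against a live server, `diagnose(host, fetch_cert(host, cafile))` gives the same classification, where `cafile` is the path to the CA certificate the client trusts.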