I want to setup centralized user management. First to grant access to Linux servers and later also to grant access to other services via LDAP. As i'm new to this, I did some research on Google and I think FreeIPA will fit our requirements.
I installed a CentOS 8 server and installed FreeIPA server. This was pretty straight forward and i'm able to login into the web interface. I do not use the FreeIPA DNS as we have a seperated DNS server. For my test setup I do not use an DNS server at all and just added the client record to the FreeIPA server host file and added the server record tot the FreeIPA client host file. I'm able to ping the server from the client and visa versa by its FQDN and by its hostname.
My client is a Ubuntu server 20.04 client and i installed freeipa-client and tried to configure it with the command ipa-client-install --mkhomedir --no-ntp. I followed the wizard:
- IPA server domain = internal.domain.com
- IPS server name = ipasrv-hostname
- Proceed with fixed DNS values = yes
- Configure client with these values = yes
- User authorized to enroll computers = admin
- password for admin@ipasrv-hostname.internal.domain.com = the password off course
- Do you want to download the CA cert from http://axx-fipa-srv01/ipa/config/ca.crt? <= I'm stuck here!
When i choose yes, i receive:
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: error setting certificate verify locations:
CAfile: /etc/ipa/ca.crt
CApath: /etc/ssl/certs
Installation failed. Rolling back changes.
When i choose no, the configuration directly fails:
Cannot obtain CA certificate
HTTP certificate download declined by user
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Off course i checked the logs and googled the error but was not able to solve this yet.
What i'm doing wrong?
Also i'm a bit concerned about the warning that its insecure to receive the CA.crt via the (http) url. I understand why but how can i solve this issue? Manually "install" the certificates on the client? where do i get them from an where do i need to place them?
Update
@Gerald Schneider's comment made me think that it indeed can be a permission issue. As i understand this libcurl failed to execute the HTTP POST transaction, explaining: error setting certificate verify locations well, it means that it tries to "set" something on the FreeIPA server but the server/application is not able to write to the /etc/ipa and /etc/ssl/cert folder. Can i test this?
Best Answer
Check DNS. Found this when I had the same error. I was a satellite location where I had no control of DNS. I ended up putting the ipa servers hostname ('hostname -f') into the hosts file of the client and then it worked.