Something is printing an error to stderr which is confusing the check for certificate subject base.
ipa-client-install ... Using default chrony configuration. Attempting to sync time with chronyc. Time synchronization was successful. Enrolled in IPA realm EXAMPLE.COM
/usr/lib/python3.7/site-packages/ipaclient/install/client.py(2692)_install() -> subject_base = DN(subject_base) (Pdb) pp subject_base ('O=EXAMPLE.COM\n' 'Warning: ssh still initialized; probably ssh_init() was called more than ' 'once (init count: 1)')
This causes the DN creation to blow up and the installation is rolled back.
Two thoughts on this:
Metadata Update from @abiagion: - Issue set to the milestone: FreeIPA 4.7.1
Metadata Update from @rcritten: - Issue assigned to rcritten
The subject base is actually used in the client installer as a fallback if the LDAP search for CAs fails and to pass to certmonger when generating the subject if issuing a host cert.
I think using config_show is a better solution overall and it is what ipa-join does currently for the Kerberos join method.
Metadata Update from @abiagion: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1619644
https://github.com/freeipa/freeipa/pull/2299
master:
ipa-4-7:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.