Install client fails in Ubuntu 22.04

Bug #1975858 reported by Gustavo Berman
This bug affects 2 people
Affects: freeipa (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hello there!

Ubuntu 18.04 (and previous ones) works just fine, but in Ubuntu 22.04 (fresh VM install and apt update) when I try to execute ipa-client-install it fails like this:

root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for <email address hidden>:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=FISICA.CABIB
    Issuer: CN=Certificate Authority,O=FISICA.CABIB
    Valid From: 2014-01-14 12:56:57
    Valid Until: 2034-01-14 12:56:57

Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
root@fisica75:~#

There is no Hostname mismatch for the server certificate. It has been working just fine for years with multiple distros as clients. I can access the website with the same URL and cert is just fine.

Any ideas?
Thanks!

lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04

apt-cache policy freeipa-client
freeipa-client:
  Instalados: 4.9.8-1
  Candidato: 4.9.8-1
  Tabla de versión:
 *** 4.9.8-1 500
        500 http://www.fisica.cabib/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

Gustavo Berman (gustavoberman) wrote :

[solved]
Freeipa server certificate was missing DNS SAN

ipa-client-install worked just fine after installing a new certificate with DNS SAN at the freeipa server

Timo Aaltonen (tjaalton) wrote :

ok thanks, closing

Changed in freeipa (Ubuntu):
status: New → Invalid

madhu kunta (madhukunta) wrote :

Hi Team, I also have the same issue.
What does "installing new certificate with DNS SAN at the Freeipa server" mean?

Right now, we have a self-signed certificate for IPA and I am not sure what the DNS SAN names are in this case.
Is there any specific command, like "certmonger", which will do the job?
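
The fix reported above was a server certificate that carries a DNS subjectAltName (SAN). The following check is an added example, not part of the bug report or of FreeIPA: it classifies a certificate, in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`, as matching by SAN, naming the host only in the subject CN, or not matching at all. The function names, the `cafile` argument and the `ipa.example.test` host names are assumptions made for the example.

```python
import socket
import ssl

def fetch_cert(host, cafile, port=443):
    """Fetch the decoded server cert. The chain is still verified against cafile;
    only the hostname check is off, so a cert that fails it can be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label: *.example.test matches
        # a.example.test but not a.b.example.test or example.test.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def diagnose(cert, host):
    """Return 'ok', 'cn-only' or 'mismatch' for a getpeercert()-shaped dict."""
    dns_sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(name_matches(s, host) for s in dns_sans):
        return "ok"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not dns_sans and any(name_matches(c, host) for c in cns):
        # Host name appears only in the subject CN: clients that ignore the CN
        # report this as a hostname mismatch.
        return "cn-only"
    return "mismatch"

# Constructed sample certificates (hypothetical names, not taken from the report).
SUBJECT = ((("organizationName", "EXAMPLE.TEST"),), (("commonName", "ipa.example.test"),))
CN_ONLY = {"subject": SUBJECT}
WITH_SAN = {"subject": SUBJECT, "subjectAltName": (("DNS", "ipa.example.test"),)}
WILDCARD = {"subject": SUBJECT, "subjectAltName": (("DNS", "*.example.test"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("DNS SAN", WITH_SAN), ("wildcard", WILDCARD)):
        print(f"{label:9s} -> {diagnose(cert, 'ipa.example.test')}")
```

Against a live server, `diagnose(fetch_cert(host, cafile), host)` gives the same classification; a `cn-only` result means the certificate has to be reissued with the server's host name as a DNS SAN.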
