Dmitry Krasov via FreeIPA-users wrote:
> Hello. Trying to enroll Ubuntu 24.04 to domain, but it says "certificate
> verify failed: Hostname mismatch, certificate is not valid for
> 'ipa2.dom.loc'. (_ssl.c :1000)"
> But when I try the ipa web address via browser it seems fine. It's
> self-signed like always, but date and name are fine. And just recently I
> have successfully added another host.
> How can I fix it? Maybe I can disable certificate checking somehow, just for
> start?
>
> sudo ipa-client-install --hostname dit-ntb-spc39-1797875.dom.loc --server=ipa2.dom.loc --enable-dns-updates --domain dom.loc --mkhomedir -p admin -w Password --force-join
>
> This program will set up IPA client.
> Version 4.11.1
>
> WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
>
> Using existing certificate '/etc/ipa/ca.crt'.
> Autodiscovery of servers for failover cannot work with this configuration.
> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
> Proceed with fixed values and no DNS discovery? [no]: y
> Do you want to configure chrony with NTP server or pool address? [no]:
> Client hostname: dit-ntb-spc39-1797875.dom.loc
> Realm: dom.loc
> DNS Domain: dom.loc
> IPA Server: ipa2.dom.loc
> BaseDN: dc=l3874,dc=ru
>
> Continue to configure the system with these values? [no]: y
> Removed old keys for realm dom.loc from /etc/krb5.keytab
> Synchronizing time
> Configuration of chrony was changed by installer.
> Attempting to sync time with chronyc.
> Time synchronization was successful.
> Enrolled in IPA realm dom.loc
> Created /etc/ipa/default.conf
> Domain dom.loc is already configured in existing SSSD config, creating a new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
> Configured /etc/sssd/sssd.conf
> Connection to https://ipa2.dom.loc/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipa2.dom.loc'. (_ssl.c :1000)
> Connection to https://ipa.dom.loc/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'ipa.dom.loc'. (_ssl.c:1000)
> cannot connect to 'любой из настроенных серверов': https://ipa2.dom.loc/ipa/json, https://ipa.dom.loc/ipa/json
> The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
>
There is no option to disable cert validation. On the IPA server you can
see what names it will answer for in this output:

# openssl x509 -noout -in /var/lib/ipa/certs/httpd.crt -ext subjectAltName

rob
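
The check described in the reply above, extended as an added example that is not part of the original thread: it lists a certificate's subjectAltName DNS entries and asks openssl whether a given name is covered. The certificate is constructed, the SAN name ipa-old.dom.loc is hypothetical, and the function names are this example's own; it shows that a matching CN does not help once the certificate carries DNS SAN entries.

```bash
#!/usr/bin/env bash
# Added example: compare the name a client connects to with the DNS names
# in a certificate's subjectAltName, using only the openssl CLI.

# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -noout -in "$1" -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# Return 0 if openssl's own hostname check accepts NAME for the certificate.
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Constructed sample: self-signed cert with CN=ipa2.dom.loc whose SAN lists
# only the hypothetical name ipa-old.dom.loc. Writes the PEM to $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=ipa2.dom.loc" \
        -addext "subjectAltName=DNS:ipa-old.dom.loc" 2>/dev/null &&
        rm -f "$1.key"
}

# Report whether NAME is covered; on a mismatch list what the cert answers for.
report() {
    if cert_matches_host "$1" "$2"; then
        echo "OK: certificate is valid for $2"
    else
        echo "MISMATCH: certificate is not valid for $2; it answers for:"
        cert_sans "$1" | sed 's/^/  /'
        return 1
    fi
}

# Usage: script.sh CERT.pem NAME   (CERT.pem: a copy of the server certificate)
if [ "$#" -ge 2 ]; then
    report "$1" "$2"
fi
```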