"Download host certificate: " means that the “joining” host copies the /etc/univention/ssl/$HOSTNAME directory from the UCS Master (scp). Sometimes, I’m not sure why, this directory does not yet have the correct permissions, so “$HOSTNAME” is not allowed to read these files. Is there such a directory (/etc/univention/ssl/openp*)?
If I install openproject, the listener log looks like:
updating ‘cn=openp-54052695,cn=memberserver,cn=computers,dc=four,dc=two’ command a
23.10.17 12:43:25.375 LISTENER ( PROCESS ) : Generating krb5.keytab for openp-54052695
Creating certificate: openp-54052695.four.two
no certificate for openp-54052695.four.two registered
Generating RSA private key, 2048 bit long modulus
Thanks for your help, but it seems that the master does not generate the certs at all. For other domain joins of containers it works well, but for openp it does not generate anything.
Can you provide the listener.log of your UCS master server (please make sure that there is no sensitive information in the log file)? During the installation of the app a host account for the app is created, and on the master server a listener module should create a corresponding certificate file.
Even though this is a pretty old thread, I’ve got similar behaviour in our environment. All the certificate files/folders have been created successfully on the DCMaster. When it comes to the join part of the app installation, it hangs at Download host certificate.
In the DCMaster’s /var/log/auth.log I see something like this:
pam_access(sshd:account): access denied for user `openp-78073436$' from `192.168.0.10'
Jan 8 16:09:00 ucsmaster sshd[28465]: Failed password for openp-78073436$ from 192.168.0.10 port 47630 ssh2
Jan 8 16:09:00 ucsmaster sshd[28465]: fatal: Access denied for user openp-78073436$ by PAM account configuration [preauth]
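Added example, not part of any post in this thread: a small triage script that separates sshd logins rejected by PAM account policy (pam_access) from plain password failures in auth.log, which is the distinction the lines above turn on. The sample input is constructed from the three log lines quoted in the thread; the timestamp prefix on the first line and the `alice` line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three auth.log lines quoted in the thread plus one
# unrelated failure. The prefix on the first line and the last line are assumed.
SAMPLE = """\
Jan 8 16:09:00 ucsmaster sshd[28465]: pam_access(sshd:account): access denied for user `openp-78073436$' from `192.168.0.10'
Jan 8 16:09:00 ucsmaster sshd[28465]: Failed password for openp-78073436$ from 192.168.0.10 port 47630 ssh2
Jan 8 16:09:00 ucsmaster sshd[28465]: fatal: Access denied for user openp-78073436$ by PAM account configuration [preauth]
Jan 8 16:10:12 ucsmaster sshd[28501]: Failed password for alice from 192.168.0.55 port 50122 ssh2
""".splitlines()

PATTERNS = {
    "pam_access": re.compile(r"pam_access\(sshd:account\): access denied for user `([^']+)'"),
    "failed_password": re.compile(r"Failed password for (?:invalid user )?(\S+) from "),
    "pam_fatal": re.compile(r"fatal: Access denied for user (\S+) by PAM account configuration"),
}

def classify(lines):
    """Collect sshd event kinds per user and name the likely cause."""
    events = defaultdict(set)
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[m.group(1)].add(kind)
    report = {}
    for user, kinds in events.items():
        # A pam_access or PAM-account denial means access policy rejected the
        # login; a lone "Failed password" points at the credentials instead.
        policy = bool(kinds & {"pam_access", "pam_fatal"})
        report[user] = {
            "machine_account": user.endswith("$"),  # host accounts end in '$'
            "cause": "pam-account-policy" if policy else "bad-credentials",
            "events": sorted(kinds),
        }
    return report

if __name__ == "__main__":
    for user, info in classify(SAMPLE).items():
        print(user, info)
```
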