[Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.

Rob Crittenden rcritten at redhat.com
Mon Jan 24 18:55:53 UTC 2011


Jeff B wrote:
> I'm trying to do an ipa-server-install with an --external-ca but after
> it generates the .csr and I sign a .crt I can't run the followup
> ipa-server-install to import the certificate.
>
> I don't think I'm supposed to run an --uninstall between the
> --external-ca and the --external_cert_file installations but I'm not
> sure.
>
> Here is what I'm getting:
>
>
> [root at ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53
> 10.0.1.53" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM
> --external-ca
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> ==============================================================================
> This program will set up the FreeIPA Server.
>
> This includes:
>    * Configure the Network Time Daemon (ntpd)
>    * Create and configure an instance of Directory Server
>    * Create and configure a Kerberos Key Distribution Center (KDC)
>    * Configure Apache (httpd)
>    * Configure DNS (bind)
>
> To accept the default shown in brackets, press the Enter key.
>
> Warning: Hostname (ipa0.averesys.com) not found in DNS
> The domain name has been calculated based on the host name.
>
> The IPA Master Server will be configured with
> Hostname:    ipa0.myrealm.com
> IP address:  10.0.0.11
> Domain name: myrealm.com
>
> Configuring ntpd
>    [1/4]: stopping ntpd
>    [2/4]: writing configuration
>    [3/4]: configuring ntpd to start on boot
>    [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>    [1/3]: creating directory server user
>    [2/3]: creating directory server instance
>    [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 6 minutes
>    [1/4]: creating certificate server user
>    [2/4]: creating pki-ca instance
>    [3/4]: restarting certificate server
>    [4/4]: configuring certificate server instance
> The next step is to get /root/ipa.csr signed by your CA and re-run
> ipa-server-install as:
> ipa-server-install --external_cert_file=/path/to/signed_certificate
> --external_ca_file=/path/to/external_ca_certificate
>
> ... Signed the Certificate ...
>
> [root at ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt
> --external_ca_file=/root/ca.crt
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> IPA server is already configured on this system.
>
>
> [root at ipa0 ~]# cat /var/log/ipaserver-install.log
> 2011-01-24 11:36:14,214 DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-01-24 11:36:14,309 DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2011-01-24 11:36:14,336 DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'

Looks like a bug. You should be able to work around it by commenting out 
these lines in /usr/sbin/ipa-server-install:

         if dsinstance.DsInstance().is_configured() or \
            cainstance.CADSInstance().is_configured():
             sys.exit("IPA server is already configured on this system.")

The Python comment character is a hash (#).

I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.

rob
