[Freeipa-devel] Problem trying to install --external_cert_file. says system is already configured.

Jeff B jeffb.list at gmail.com
Mon Jan 24 19:44:46 UTC 2011


I don't want to start filing tickets since I'm not that familiar with
the project but here is another similar one where the checks aren't
necessarily doing what they are intended to be doing.

Steps:
1. ran install with --external-ca
2. tried running with --external_cert_file but hit error in #835
3. Did workaround to comment out the configuration check and exit
message as suggested by Rob
4. tried importing the cert again but got an error saying connection
refused on "Attempting to connect to: ipa0.myrealm.com:9445"
5. I didn't know what service wasn't running so I rebooted (yeah, bad jeff)
6. I tried running --external_cert_file again but it looked like it
had forgotten all my configs and looked like it was starting over. It
prompted me:

An existing Directory Server has been detected.
Do you wish to remove it and create a new one? [no]:

I chose 'no' and the installer exited.

7. Did an --uninstall
8. tried to start fresh but it failed with this error:

You already have a CA signing request for this server (/root/ipa.csr),
you need to include --external_cert_file and --external_ca_file

Which is not right because since I uninstalled I can't just add the
certs.  Either the uninstall needs to clean up the .csr or the
installer needs to not assume so much just from the existence of a
.csr


On Mon, Jan 24, 2011 at 1:55 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jeff B wrote:
>>
>> I'm trying to do an ipa-server-install with an --external-ca but after
>> it generates the .csr and I sign a .crt I can't run the followup
>> ipa-server-install to import the certificate.
>>
>> I don't think I'm supposed to run an --uninstall between the
>> --external-ca and the --external_cert_file installations but I'm not
>> sure.
>>
>> Here is what I'm getting:
>>
>>
>> [root at ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53
>> 10.0.1.53" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM
>> --external-ca
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>>
>> ==============================================================================
>> This program will set up the FreeIPA Server.
>>
>> This includes:
>>   * Configure the Network Time Daemon (ntpd)
>>   * Create and configure an instance of Directory Server
>>   * Create and configure a Kerberos Key Distribution Center (KDC)
>>   * Configure Apache (httpd)
>>   * Configure DNS (bind)
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Warning: Hostname (ipa0.averesys.com) not found in DNS
>> The domain name has been calculated based on the host name.
>>
>> The IPA Master Server will be configured with
>> Hostname:    ipa0.myrealm.com
>> IP address:  10.0.0.11
>> Domain name: myrealm.com
>>
>> Configuring ntpd
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server: Estimated time 6 minutes
>>   [1/4]: creating certificate server user
>>   [2/4]: creating pki-ca instance
>>   [3/4]: restarting certificate server
>>   [4/4]: configuring certificate server instance
>> The next step is to get /root/ipa.csr signed by your CA and re-run
>> ipa-server-install as:
>> ipa-server-install --external_cert_file=/path/to/signed_certificate
>> --external_ca_file=/path/to/external_ca_certificate
>>
>> ... Signed the Certificate ...
>>
>> [root at ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt
>> --external_ca_file=/root/ca.crt
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> IPA server is already configured on this system.
>>
>>
>> [root at ipa0 ~]# cat /var/log/ipaserver-install.log
>> 2011-01-24 11:36:14,214 DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2011-01-24 11:36:14,309 DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2011-01-24 11:36:14,336 DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>
> Looks like a bug. You should be able to work around it by commenting out
> these lines in /usr/sbin/ipa-server-install:
>
>        if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
>            sys.exit("IPA server is already configured on this system.")
>
> The python comment is a hash (#).
>
> I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.
>
> rob
>
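The two failures in this thread come from the same place: the installer decides what to do from one signal at a time (the "already configured" check, then the bare existence of /root/ipa.csr) instead of from a recorded install stage. The following is an added, constructed illustration, not FreeIPA's installer code, of how a stage-aware check would handle the sequence Jeff walked through: phase one of an external-CA install records an "awaiting external cert" stage, the --external_cert_file re-run is accepted in that stage even though the directory server is already configured, a leftover CSR with no recorded stage is treated as stale rather than as proof of a pending request, and uninstall clears both the state file and the CSR. All names (InstallState, decide, walkthrough, the stage strings) and the JSON state file are assumptions made for the example.

```python
import json
import os
import tempfile

# Constructed, hypothetical model of an installer's state checks. It is not
# FreeIPA's code; it only shows how the checks discussed in the thread could
# combine a recorded stage with the CSR check instead of relying on either alone.

STATE_NOT_INSTALLED = "not-installed"
STATE_AWAITING_EXTERNAL_CERT = "awaiting-external-cert"  # CSR written, waiting for signed cert
STATE_CONFIGURED = "configured"


class InstallState:
    """Tracks installer progress in a small JSON state file plus the CSR path."""

    def __init__(self, state_file, csr_path):
        self.state_file = state_file
        self.csr_path = csr_path

    def load(self):
        if not os.path.exists(self.state_file):
            return STATE_NOT_INSTALLED
        with open(self.state_file) as f:
            return json.load(f).get("stage", STATE_NOT_INSTALLED)

    def save(self, stage):
        with open(self.state_file, "w") as f:
            json.dump({"stage": stage}, f)

    def csr_pending(self):
        return os.path.exists(self.csr_path)


def decide(state, external_ca, external_cert_file, external_ca_file):
    """Return the action the installer should take, or an 'error: ...' string."""
    stage = state.load()
    have_certs = external_cert_file is not None and external_ca_file is not None

    if stage == STATE_CONFIGURED:
        return "error: IPA server is already configured on this system"

    if stage == STATE_AWAITING_EXTERNAL_CERT:
        # Directory server and CA instance exist, but the install is not done:
        # the signed certificate import must be allowed through here.
        if have_certs:
            return "import-external-cert"
        return ("error: a CA signing request exists (%s); re-run with "
                "--external_cert_file and --external_ca_file" % state.csr_path)

    # No recorded stage: a CSR left behind by an earlier, uninstalled run is
    # stale and must not block a fresh install (the failure in step 8 above).
    if state.csr_pending():
        os.remove(state.csr_path)
    if external_ca:
        return "start-external-ca-phase-one"
    if have_certs:
        return "error: no pending signing request; run with --external-ca first"
    return "start-full-install"


def finish_phase_one(state):
    """Phase one of an external-CA install: write the CSR and record the stage."""
    with open(state.csr_path, "w") as f:
        f.write("-----BEGIN CERTIFICATE REQUEST-----\n(constructed placeholder)\n"
                "-----END CERTIFICATE REQUEST-----\n")
    state.save(STATE_AWAITING_EXTERNAL_CERT)


def finish_import(state):
    """Phase two: the signed certificate was imported, so the CSR is retired."""
    if state.csr_pending():
        os.remove(state.csr_path)
    state.save(STATE_CONFIGURED)


def uninstall(state):
    """Uninstall removes the state file and any pending CSR together."""
    for path in (state.state_file, state.csr_path):
        if os.path.exists(path):
            os.remove(path)


def walkthrough(workdir):
    """Replays the sequence from the thread and returns the decisions taken."""
    state = InstallState(os.path.join(workdir, "sysrestore.state"),
                         os.path.join(workdir, "ipa.csr"))
    results = []
    results.append(decide(state, True, None, None))            # step 1: --external-ca
    finish_phase_one(state)
    results.append(decide(state, False, "ipa.crt", "ca.crt"))  # phase two is accepted
    results.append(decide(state, False, None, None))           # re-run without the certs
    uninstall(state)                                           # step 7: --uninstall
    results.append(decide(state, True, None, None))            # step 8: fresh install allowed
    results.append(state.csr_pending())                        # no stale CSR remains
    return results


def walkthrough_in_tempdir():
    """Runs walkthrough() in a throwaway directory so it touches no real paths."""
    with tempfile.TemporaryDirectory() as d:
        return walkthrough(d)


if __name__ == "__main__":
    for line in walkthrough_in_tempdir():
        print(line)
```

Running the module prints the decision for each step: the first external-CA run starts phase one, the --external_cert_file re-run is accepted, a re-run without the certificates gets the "you need to include" message only while the stage is genuinely pending, and after uninstall a fresh --external-ca run proceeds with no CSR left behind.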