[Freeipa-users] a fix - fedora domain vs rhel domain
Janelle
janellenicole80 at gmail.com
Wed Jan 7 15:52:39 UTC 2015
Here is the snippet with the error:
2015-01-07T14:04:57Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d'
'/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit:
x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or
unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or
unrecognizable
2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust
database: Command ''/usr/bin/update-ca-trust'' returned non-zero exit
status 1
2015-01-07T14:04:58Z DEBUG Attempting to add CA certificates to the
default NSS database.
2015-01-07T14:04:58Z DEBUG Starting external process
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d'
'/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode
certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
import a cert with the same issuer/serial as an existing cert, but that
is not the same cert.
2015-01-07T14:04:58Z ERROR Failed to add ANOTHER.COM IPA CA to the
default NSS database.
2015-01-07T14:04:58Z WARNING Installation failed. As this is IPA server,
changes will not be rolled back.
On 1/7/15 7:19 AM, Martin Kosek wrote:
> On 01/07/2015 02:51 PM, Janelle wrote:
>> Hello fellow IPAers
>>
>> I know this has been written about before - the python scripts and
>> fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
>> permanent fix yet? I continue to run into it during installs and have to edit
>> python files to get the client install to not error out during the server
>> install. This is of course with CentOS 7 and IPA 4.1.2.
>>
>> Any options/comments?
>> Thank you
>> Janelle
>>
>> --------------------------------
>> (install snippet)
>> Done.
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
>> Restarting the web server
>> Configuration of client side components failed!
>> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
>> '--on-master' '--unattended' '--domain' 'another.com' '--server'
>> 'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
>> returned non-zero exit status 1
>>
> Hi Janelle,
>
> Yes, this should have been resolved in
> https://fedorahosted.org/freeipa/ticket/4562
> CCing Jan.
>
> Are you sure it is caused by this problem? Can you add a snippet of the
> ipaclient-install.log with the actual failures? Your install snippet does not
> help that much.
>
> Can you please also check that you have the right FreeIPA platform file loaded?
> At least giving us output from this grep should help:
>
> $ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py
>
> Thanks,
> Martin