<br><br><div class="gmail_quote">On Tue, Feb 14, 2012 at 8:25 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Marco Pizzoli wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
<br>
On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br></div><div class="im">
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
<br>
Marco Pizzoli wrote:<br>
<br>
Hi guys,<br></div>
I'm running freeipa-server-2.1.4-5.fc16.__<u></u>x86_64.<div class="im"><br>
<br>
Following the documentation I can see that to uninstall and<br>
reinstall a<br>
freeipa system it is sufficient to:<br>
<br>
> ipa-server-install <parameters><br>
> ipa-server-install --uninstall<br>
> ipa-server-install <parameters><br>
<br>
Well, when re-installing the system, I get this error on the<br>
console:<br>
[cut]<br>
done configuring named.<br>
Configuration of client side components failed!<br>
ipa-client-install returned: Command '/usr/sbin/ipa-client-install<br>
--on-master --unattended --domain <a href="http://unix.mydomain.it" target="_blank">unix.mydomain.it</a><br>
<<a href="http://unix.mydomain.it" target="_blank">http://unix.mydomain.it</a>><br>
<<a href="http://unix.mydomain.it" target="_blank">http://unix.mydomain.it</a>> --server <a href="http://freeipa01.unix.mydomain.it" target="_blank">freeipa01.unix.mydomain.it</a><br>
<<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.<u></u>mydomain.it</a>><br></div>
<<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it" target="_blank">mydom<u></u>ain.it</a><div class="im"><br>
<<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.<u></u>mydomain.it</a>>> --realm <a href="http://UNIX.MYDOMAIN.IT" target="_blank">UNIX.MYDOMAIN.IT</a><br>
<<a href="http://UNIX.MYDOMAIN.IT" target="_blank">http://UNIX.MYDOMAIN.IT</a>><br>
<<a href="http://UNIX.MYDOMAIN.IT" target="_blank">http://UNIX.MYDOMAIN.IT</a>> --hostname <a href="http://freeipa01.unix.mydomain.it" target="_blank">freeipa01.unix.mydomain.it</a><br>
<<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.<u></u>mydomain.it</a>><br></div>
<<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it" target="_blank">mydom<u></u>ain.it</a><div class="im"><br>
<<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.<u></u>mydomain.it</a>>>' returned non-zero exit<br>
status 1<br>
<br>
<br>
I had a look to /var/log/ipaclient-install.log and I saw these lines<br>
<br>
[cut]<br>
2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt<br></div>
<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it/ipa/config/ca.crt" target="_blank">mydoma<u></u>in.it/ipa/config/ca.crt</a><div class="im"><br>
<<a href="http://freeipa01.unix.mydomain.it/ipa/config/ca.crt" target="_blank">http://freeipa01.unix.<u></u>mydomain.it/ipa/config/ca.crt</a>><br>
2012-02-14 09:53:39,435 DEBUG stdout=<br>
2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--<br></div>
<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it/ipa/config/ca.crt" target="_blank">mydoma<u></u>in.it/ipa/config/ca.crt</a><div class="im"><br>
<<a href="http://freeipa01.unix.mydomain.it/ipa/config/ca.crt" target="_blank">http://freeipa01.unix.<u></u>mydomain.it/ipa/config/ca.crt</a>><br>
Resolving freeipa01.unix.mydomain.it... 192.168.146.131<br>
Connecting to <a href="http://freeipa01.unix.mydomain.it" target="_blank">freeipa01.unix.mydomain.it</a><br>
<<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.<u></u>mydomain.it</a>><br></div>
<<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it" target="_blank">mydom<u></u>ain.it</a><br>
<<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.<u></u>mydomain.it</a>>>|192.168.146.131|<u></u>:__80...<div class="im"><br>
connected.<br>
<br>
HTTP request sent, awaiting response... 200 OK<br>
Length: 1325 (1.3K) [application/x-x509-ca-cert]<br></div>
Saving to: <E2><80><9C>/etc/ipa/ca.crt<__<u></u>E2><80><9D><div class="im"><br>
<br>
0K .<br>
100% 270M=0s<br>
<br>
2012-02-14 09:53:39 (270 MB/s) -<br></div>
<E2><80><9C>/etc/ipa/ca.crt<__<u></u>E2><80><9D><div class="im"><br>
saved [1325/1325]<br>
<br>
<br>
2012-02-14 09:53:39,436 DEBUG Backing up system configuration file<br>
'/etc/sssd/sssd.conf'<br>
2012-02-14 09:53:39,463 DEBUG Saving Index File to<br></div>
'/var/lib/ipa-client/__<u></u>sysrestore/sysrestore.index'<div class="im"><br>
2012-02-14 09:53:39,540 DEBUG Domain <a href="http://unix.csebo.it" target="_blank">unix.csebo.it</a><br>
<<a href="http://unix.csebo.it" target="_blank">http://unix.csebo.it</a>><br>
<<a href="http://unix.csebo.it" target="_blank">http://unix.csebo.it</a>> is already configured in existing SSSD<br>
config,<br>
<br>
creating a new one.<br>
2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d<br>
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt<br>
2012-02-14 09:53:39,643 DEBUG stdout=<br>
2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain<br>
certificate from file: You are attempting to import a cert with<br>
the same<br>
issuer/serial as an existing cert, but that is not the same cert.<br>
<br>
<br>
So I tried a new "ipa-server-install --uninstall" and checked<br>
the file<br>
/etc/ipa/ca.crt. And it remained there.<br>
What is the problem?<br>
<br>
<br>
The problem isn't the existence of the file, it is the existence of<br>
the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d<br>
/etc/pki/nsdb<br>
<br>
<br>
[root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/<br>
certutil: could not find certificate named "IPA CA": security library:<br>
bad database.<br>
</div></blockquote>
<br>
Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br>More strange... I re-did a freeipa-install and it worked... <br>Thanks anyway <br>
</div></div><br>