<div class="gmail_quote">On Tue, Feb 14, 2012 at 8:25 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Marco Pizzoli wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> </div><div class="im"> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote: Marco Pizzoli wrote: Hi guys, </div> I'm running freeipa-server-2.1.4-5.fc16.__x86_64.<div class="im"> Following the documentation I can see that to uninstall and reinstall a freeipa system it is sufficient to: > ipa-server-install <parameters> > ipa-server-install --uninstall > ipa-server-install <parameters> Well, when re-installing the system, I get this error on the console: [cut] done configuring named. Configuration of client side components failed! ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain <a href="http://unix.mydomain.it" target="_blank">unix.mydomain.it</a> <<a href="http://unix.mydomain.it" target="_blank">http://unix.mydomain.it</a>> <<a href="http://unix.mydomain.it" target="_blank">http://unix.mydomain.it</a>> --server <a href="http://freeipa01.unix.mydomain.it" target="_blank">freeipa01.unix.mydomain.it</a> <<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.mydomain.it</a>> </div> <<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it" target="_blank">mydomain.it</a><div class="im"> <<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.mydomain.it</a>>> --realm <a href="http://UNIX.MYDOMAIN.IT" target="_blank">UNIX.MYDOMAIN.IT</a> <<a href="http://UNIX.MYDOMAIN.IT" target="_blank">http://UNIX.MYDOMAIN.IT</a>> <<a href="http://UNIX.MYDOMAIN.IT" target="_blank">http://UNIX.MYDOMAIN.IT</a>> --hostname <a href="http://freeipa01.unix.mydomain.it" target="_blank">freeipa01.unix.mydomain.it</a> <<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.mydomain.it</a>> </div> <<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it" target="_blank">mydomain.it</a><div class="im"> <<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.mydomain.it</a>>>' returned non-zero exit status 1 I had a look to /var/log/ipaclient-install.log and I saw these lines [cut] 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt </div> <a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it/ipa/config/ca.crt" target="_blank">mydomain.it/ipa/config/ca.crt</a><div class="im"> <<a href="http://freeipa01.unix.mydomain.it/ipa/config/ca.crt" target="_blank">http://freeipa01.unix.mydomain.it/ipa/config/ca.crt</a>> 2012-02-14 09:53:39,435 DEBUG stdout= 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- </div> <a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it/ipa/config/ca.crt" target="_blank">mydomain.it/ipa/config/ca.crt</a><div class="im"> <<a href="http://freeipa01.unix.mydomain.it/ipa/config/ca.crt" target="_blank">http://freeipa01.unix.mydomain.it/ipa/config/ca.crt</a>> Resolving freeipa01.unix.mydomain.it... 192.168.146.131 Connecting to <a href="http://freeipa01.unix.mydomain.it" target="_blank">freeipa01.unix.mydomain.it</a> <<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.mydomain.it</a>> </div> <<a href="http://freeipa01.unix." target="_blank">http://freeipa01.unix.</a>__<a href="http://mydomain.it" target="_blank">mydomain.it</a> <<a href="http://freeipa01.unix.mydomain.it" target="_blank">http://freeipa01.unix.mydomain.it</a>>>|192.168.146.131|:__80...<div class="im"> connected. HTTP request sent, awaiting response... 200 OK Length: 1325 (1.3K) [application/x-x509-ca-cert] </div> Saving to: <E2><80><9C>/etc/ipa/ca.crt<__E2><80><9D><div class="im"> 0K . 100% 270M=0s 2012-02-14 09:53:39 (270 MB/s) - </div> <E2><80><9C>/etc/ipa/ca.crt<__E2><80><9D><div class="im"> saved [1325/1325] 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf' 2012-02-14 09:53:39,463 DEBUG Saving Index File to </div> '/var/lib/ipa-client/__sysrestore/sysrestore.index'<div class="im"> 2012-02-14 09:53:39,540 DEBUG Domain <a href="http://unix.csebo.it" target="_blank">unix.csebo.it</a> <<a href="http://unix.csebo.it" target="_blank">http://unix.csebo.it</a>> <<a href="http://unix.csebo.it" target="_blank">http://unix.csebo.it</a>> is already configured in existing SSSD config, creating a new one. 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt 2012-02-14 09:53:39,643 DEBUG stdout= 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. So I tried a new "ipa-server-install --uninstall" and checked the file /etc/ipa/ca.crt. And it remained there. What is the problem? The problem isn't the existence of the file, it is the existence of the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d /etc/pki/nsdb [root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/ certutil: could not find certificate named "IPA CA": security library: bad database. </div></blockquote> Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ? </blockquote><div> More strange... I re-did a freeipa-install and it worked... Thanks anyway </div></div>