[Freeipa-users] Problem in ipa-server-install -> uninstall -> install

Rob Crittenden rcritten at redhat.com
Tue Feb 14 14:24:40 UTC 2012


Marco Pizzoli wrote:
> Hi guys,
> I'm running freeipa-server-2.1.4-5.fc16.x86_64.
>
> Following the documentation I can see that to uninstall and reinstall a
> freeipa system it is sufficient to:
>
>  > ipa-server-install <parameters>
>  > ipa-server-install --uninstall
>  > ipa-server-install <parameters>
>
> Well, when re-installing the system, I get this error on the console:
> [cut]
> done configuring named.
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> --on-master --unattended --domain unix.mydomain.it --server
> freeipa01.unix.mydomain.it --realm UNIX.MYDOMAIN.IT --hostname
> freeipa01.unix.mydomain.it' returned non-zero exit status 1
>
> I had a look at /var/log/ipaclient-install.log and I saw these lines:
>
> [cut]
> 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
> 2012-02-14 09:53:39,435 DEBUG stdout=
> 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--
> http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
> Resolving freeipa01.unix.mydomain.it... 192.168.146.131
> Connecting to freeipa01.unix.mydomain.it|192.168.146.131|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1325 (1.3K) [application/x-x509-ca-cert]
> Saving to: “/etc/ipa/ca.crt”
>
>       0K .                                                     100%  270M=0s
>
> 2012-02-14 09:53:39 (270 MB/s) - “/etc/ipa/ca.crt”
> saved [1325/1325]
>
>
> 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file
> '/etc/sssd/sssd.conf'
> 2012-02-14 09:53:39,463 DEBUG Saving Index File to
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it is already
> configured in existing SSSD config, creating a new one.
> 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d
> /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> 2012-02-14 09:53:39,643 DEBUG stdout=
> 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain
> certificate from file: You are attempting to import a cert with the same
> issuer/serial as an existing cert, but that is not the same cert.
>
>
> So I tried a new "ipa-server-install --uninstall" and checked the file
> /etc/ipa/ca.crt. And it remained there.
> What is the problem?

The problem isn't the existence of the file, it is the existence of the
cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d
/etc/pki/nssdb

Re-install should succeed then.

rob
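
One way to check for the leftover certificate before re-running the installer, as an added example that is not part of the original thread or of FreeIPA itself. The function names and the NSSDB/NICK variables are this example's own; it assumes the NSS certutil tool is on the PATH and compares the stored cert with the CA file by their base64 bodies.

```shell
#!/bin/sh
# Added example: detect a stale 'IPA CA' entry left in the system NSS database
# by an earlier install. NSSDB, NICK and all function names are hypothetical.
NSSDB=${NSSDB:-/etc/pki/nssdb}
NICK=${NICK:-IPA CA}

# Base64 body of a PEM certificate on stdin: no armor lines, no whitespace.
pem_body() {
    grep -v -- '-----' | tr -d ' \r\n\t'
}

# Prints one of: absent | same | stale
#   absent: nothing is stored under $NICK
#   same:   the stored cert is identical to the CA file given as $1
#   stale:  a different cert holds the nickname, so importing $1 would fail
ipa_ca_state() {
    ca_file=$1
    # certutil -L -n <nick> -a exports the cert as PEM, non-zero if not found
    stored=$(certutil -L -d "$NSSDB" -n "$NICK" -a 2>/dev/null) || {
        echo absent
        return 0
    }
    if [ "$(printf '%s\n' "$stored" | pem_body)" = "$(pem_body < "$ca_file")" ]; then
        echo same
    else
        echo stale
    fi
}

# Delete the nickname only when it is stale; returns certutil's exit status.
remove_stale_ipa_ca() {
    [ "$(ipa_ca_state "$1")" = stale ] || return 0
    certutil -D -d "$NSSDB" -n "$NICK"
}

# When run directly with a CA file argument, report the state without deleting.
if [ -n "${1:-}" ]; then
    echo "'$NICK' in $NSSDB: $(ipa_ca_state "$1")"
fi
```
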



