[Freeipa-users] Problem in ipa-server-install -> uninstall -> install

Rob Crittenden rcritten at redhat.com
Tue Feb 14 19:25:45 UTC 2012


Marco Pizzoli wrote:
>
>
> On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Marco Pizzoli wrote:
>
>         Hi guys,
>         I'm running freeipa-server-2.1.4-5.fc16.x86_64.
>
>         Following the documentation I can see that to uninstall and
>         reinstall a
>         freeipa system it is sufficient to:
>
>          > ipa-server-install <parameters>
>          > ipa-server-install --uninstall
>          > ipa-server-install <parameters>
>
>         Well, when re-installing the system, I get this error on the
>         console:
>         [cut]
>         done configuring named.
>         Configuration of client side components failed!
>         ipa-client-install returned: Command '/usr/sbin/ipa-client-install
>         --on-master --unattended --domain unix.mydomain.it
>         --server freeipa01.unix.mydomain.it --realm UNIX.MYDOMAIN.IT
>         --hostname freeipa01.unix.mydomain.it' returned non-zero exit
>         status 1
>
>
>         I had a look at /var/log/ipaclient-install.log and I saw these lines
>
>         [cut]
>         2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
>         http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
>         2012-02-14 09:53:39,435 DEBUG stdout=
>         2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--
>         http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
>         Resolving freeipa01.unix.mydomain.it... 192.168.146.131
>         Connecting to freeipa01.unix.mydomain.it|192.168.146.131|:80...
>         connected.
>
>         HTTP request sent, awaiting response... 200 OK
>         Length: 1325 (1.3K) [application/x-x509-ca-cert]
>         Saving to: “/etc/ipa/ca.crt”
>
>               0K .
>         100%  270M=0s
>
>         2012-02-14 09:53:39 (270 MB/s) - “/etc/ipa/ca.crt” saved [1325/1325]
>
>
>         2012-02-14 09:53:39,436 DEBUG Backing up system configuration file
>         '/etc/sssd/sssd.conf'
>         2012-02-14 09:53:39,463 DEBUG Saving Index File to
>         '/var/lib/ipa-client/sysrestore/sysrestore.index'
>         2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it is already
>         configured in existing SSSD config, creating a new one.
>         2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d
>         /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
>         2012-02-14 09:53:39,643 DEBUG stdout=
>         2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain
>         certificate from file: You are attempting to import a cert with
>         the same
>         issuer/serial as an existing cert, but that is not the same cert.
>
>
>         So I tried a new "ipa-server-install --uninstall" and checked
>         the file
>         /etc/ipa/ca.crt. And it remained there.
>         What is the problem?
>
>
>     The problem isn't the existence of the file, it is the existence of
>     the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d
>     /etc/pki/nssdb
>
>
> [root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
> certutil: could not find certificate named "IPA CA": security library:
> bad database.

Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?

rob
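
A log check for the failure shown in this thread, added here as an example and not part of the original messages: it pairs each logged `certutil -A` call with its stderr and reports the NSS database and nickname that hit the issuer/serial conflict. The function names and the sample log are constructed; it assumes one log entry per line and the argument order seen in the quoted log.

```shell
#!/bin/sh
# Added example: find certutil imports in ipaclient-install.log that failed
# with the issuer/serial conflict. Assumes the argument order quoted above.

# Print "<dbdir><TAB><nickname>" for every conflicting "certutil -A" call.
find_cert_conflicts() {
    awk '
    / DEBUG args=/ {
        db = ""; nick = ""
        if ($0 ~ /certutil -A /) {
            rest = $0
            sub(/^.* -d /, "", rest)              # rest starts at the db dir
            db = rest;   sub(/ -n .*$/, "", db)
            nick = rest; sub(/^.* -n /, "", nick) # nickname may contain spaces
            sub(/ -t .*$/, "", nick)
        }
        next
    }
    / DEBUG stderr=/ && db != "" && /same issuer\/serial as an existing cert/ {
        printf "%s\t%s\n", db, nick
        db = ""
    }' "$1"
}

# Constructed sample, modelled on the log lines quoted in the thread
# (assumption: each entry sits on one line in the real log file).
write_sample_log() {
    cat > "$1" <<'EOF'
2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
2012-02-14 09:53:39,435 DEBUG stdout=
2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--  http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2012-02-14 09:53:39,643 DEBUG stdout=
2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
EOF
}

# Demo run: report each conflict with the two certutil commands from the thread.
log=$(mktemp)
write_sample_log "$log"
find_cert_conflicts "$log" | while IFS="$(printf '\t')" read -r db nick; do
    echo "conflict: nickname '$nick' in $db"
    echo "  list:   certutil -L -d $db"
    echo "  delete: certutil -D -n '$nick' -d $db"
done
rm -f "$log"
```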



