[Freeipa-users] ipa-server-install --external-ca failed

Harald Dunkel harald.dunkel at aixigo.de
Tue Dec 15 08:13:22 UTC 2015


ipa-server-install asked me to get the CSR signed and come back,
but then it refused to continue:

# ipa-server-install -n example.com -r EXAMPLE.COM --external-ca --subject="C=DE,O=example AG" --setup-dns --forwarder=8.8.4.4 --forwarder=8.8.8.8
:
:
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

# /usr/sbin/ipa-server-install --external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt
:
:
ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate not found in /root/ipa_ipa1.crt, /root/root-ca.crt


openssl verify shows the certificate is OK:

# openssl verify -CAfile /root/root-ca.crt /root/ipa_ipa1.crt
/root/ipa_ipa1.crt: OK
# openssl verify -CAfile /root/root-ca.crt /root/root-ca.crt
/root/root-ca.crt: OK

The CA attribute is set as well, pathlen=0, etc:

# openssl x509 -in /root/ipa_ipa1.crt -noout -text | less
:
:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
:


Google hasn't seen this error before, either (AFAICS). Every helpful
hint is highly appreciated.


Harri
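
Added example, not part of the original message: the `openssl verify` runs above confirm only that the chain validates against the root CA, not that the issued certificate corresponds to the request. The function below compares the subject and public key of a signed certificate with the CSR it was issued for (in this thread, `/root/ipa.csr` and `/root/ipa_ipa1.crt`); the function name `csr_matches_cert` and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check that a certificate
# returned by an external CA was really issued for a given CSR.
# Return status: 0 = subject and public key match, 1 = mismatch,
#                2 = one of the files could not be parsed.

csr_matches_cert() {
    cmc_csr=$1
    cmc_crt=$2
    cmc_rc=0

    # Subject DNs in RFC 2253 form; the "subject=" label is stripped below
    # so the two strings are directly comparable.
    cmc_csr_subj=$(openssl req -in "$cmc_csr" -noout -subject -nameopt RFC2253) || return 2
    cmc_crt_subj=$(openssl x509 -in "$cmc_crt" -noout -subject -nameopt RFC2253) || return 2
    cmc_csr_subj=$(printf '%s\n' "$cmc_csr_subj" | sed 's/^subject= *//')
    cmc_crt_subj=$(printf '%s\n' "$cmc_crt_subj" | sed 's/^subject= *//')

    # Public keys as PEM SubjectPublicKeyInfo blocks.
    cmc_csr_key=$(openssl req -in "$cmc_csr" -noout -pubkey) || return 2
    cmc_crt_key=$(openssl x509 -in "$cmc_crt" -noout -pubkey) || return 2

    if [ "$cmc_csr_subj" = "$cmc_crt_subj" ]; then
        echo "subject:    match ($cmc_crt_subj)"
    else
        echo "subject:    MISMATCH"
        echo "  CSR:  $cmc_csr_subj"
        echo "  cert: $cmc_crt_subj"
        cmc_rc=1
    fi

    if [ "$cmc_csr_key" = "$cmc_crt_key" ]; then
        echo "public key: match"
    else
        echo "public key: MISMATCH (certificate was issued for a different key)"
        cmc_rc=1
    fi

    return "$cmc_rc"
}

# Usage (script name is hypothetical):
#   sh csr-check.sh /root/ipa.csr /root/ipa_ipa1.crt
if [ "$#" -eq 2 ]; then
    csr_matches_cert "$1" "$2"
fi
```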



