[Freeipa-users] IPA 4.2 - installer changes for --external-ca
James Masson
james.masson at jmips.co.uk
Tue Dec 15 16:18:01 UTC 2015

IPA 4.2 hit the CentOS 7 mirrors a day or two ago.

It looks like the behaviour of the installer has changed somewhat with
regards to the 2 phase --external-ca install.

Previously, we ran:

    command => "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}' --hostname='${::fqdn}' -r '${ipa_realm}' -n '${::domain}' --mkhomedir --setup-dns --forwarder=8.8.8.8 --external-ca",

then

    command => "/sbin/ipa-server-install -p ${ipa_admin_pwd} --external-cert-file=/root/ipa.crt --external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt",

This worked fine.

The behaviour on IPA 4.2 is different - it will leave you without a DNS
server if you use the above commands. It doesn't seem to pass some
options through to the 2nd phase installer, one of which is the DNS
configuration.

We've now switched to this:

    $ipa_install_command = "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}' -r '${ipa_realm}'"

    command => "${ipa_install_command} --hostname='${::fqdn}' -n '${::domain}' --external-ca",

    command => "${ipa_install_command} --external-cert-file=/root/ipa.crt --external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt --mkhomedir --setup-dns --forwarder=8.8.8.8 ",

It seems you have to supply more information to the phase2 installer
than in IPA 4.1.

We do more than 10 installs of IPA per day as part of CI; I think now
we're back to a working configuration again.

Hopefully this will help others who come along this path.

James M
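
A CI smoke test for the failure mode the message above describes (phase 2 finishes but the server is left without DNS), added here as an example and not part of the original post. It assumes `dig` is installed and that the check runs on the freshly installed IPA host against its own resolver at 127.0.0.1; the function names and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Added example: post-install DNS check for a two-phase --external-ca install.
# Assumption: an IPA-managed zone carries SRV records for LDAP and Kerberos
# that point at the server's FQDN.

# srv_points_to DIG_OUTPUT FQDN PORT
# Succeeds if `dig +short SRV` output has a line "<prio> <weight> PORT FQDN."
srv_points_to() {
    printf '%s\n' "$1" | awk -v host="$2" -v port="$3" '
        BEGIN { want = tolower(host); sub(/\.$/, "", want) }
        NF == 4 && $3 == port {
            target = tolower($4); sub(/\.$/, "", target)
            if (target == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# query_srv NAME RESOLVER: one short-timeout SRV lookup against RESOLVER.
query_srv() {
    dig +short +time=2 +tries=1 SRV "$1" "@$2" 2>/dev/null
}

# check_ipa_dns DOMAIN FQDN [RESOLVER]
# Returns non-zero if any expected SRV record is missing, so CI fails the run.
check_ipa_dns() {
    domain=$1; fqdn=$2; resolver=${3:-127.0.0.1}; rc=0
    for pair in _ldap._tcp:389 _kerberos._tcp:88; do
        name=${pair%%:*}.$domain
        port=${pair##*:}
        if srv_points_to "$(query_srv "$name" "$resolver")" "$fqdn" "$port"; then
            echo "ok   $name -> $fqdn:$port"
        else
            echo "FAIL $name has no SRV for $fqdn:$port via $resolver" >&2
            rc=1
        fi
    done
    return $rc
}

# Live use after phase 2:  ./check.sh --live <domain> <fqdn> [resolver]
if [ "${1:-}" = "--live" ]; then
    check_ipa_dns "$2" "$3" "${4:-127.0.0.1}"
    exit $?
fi
```

Run it as the last step of the install job so a phase 2 that silently skipped the DNS setup fails the build instead of surfacing later.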