[Freeipa-users] IPA 4.2 - installer changes for --external-ca

James Masson james.masson at jmips.co.uk
Tue Dec 15 16:18:01 UTC 2015


IPA 4.2 hit the Centos 7 mirrors a day or two ago.

It looks like the behaviour of the installer has changed somewhat with 
regards to the 2-phase --external-ca install.

Previously, we ran:

command => "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p 
'${ipa_admin_pwd}' --hostname='${::fqdn}' -r '${ipa_realm}' -n 
'${::domain}' --mkhomedir --setup-dns --forwarder=8.8.8.8 --external-ca",


then

command => "/sbin/ipa-server-install -p ${ipa_admin_pwd} 
--external-cert-file=/root/ipa.crt 
--external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt",


This worked fine.

The behaviour on IPA 4.2 is different - it will leave you without a DNS 
server if you use the above commands. It doesn't seem to pass some 
options through to the 2nd phase installer, one of which is the DNS 
configuration.

We've now switched to this.

   $ipa_install_command = "/sbin/ipa-server-install -U -a 
'${ipa_admin_pwd}' -p '${ipa_admin_pwd}' -r '${ipa_realm}'"

command => "${ipa_install_command} --hostname='${::fqdn}' -n 
'${::domain}' --external-ca",

command => "${ipa_install_command} --external-cert-file=/root/ipa.crt 
--external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt 
--mkhomedir --setup-dns --forwarder=8.8.8.8 ",


It seems you have to supply more information to the phase 2 installer 
than in IPA 4.1.

We do more than 10 installs of IPA per day as part of CI; I think now 
we're back to a working configuration again.

Hopefully this will help others who come along this path.

James M
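An added example, not from the post above: a small sh wrapper that picks the phase from what is on disk, passes the same option set (including --setup-dns) to both phases as the 4.2 installer requires, and checks that the externally signed cert chains to the root CA before phase 2 runs. The CSR path, the IPA_* environment variables and the use of openssl verify are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's code): two-phase --external-ca
# install wrapper. Values below are assumptions; CI supplies the real ones.
set -eu

IPA_ADMIN_PWD="${IPA_ADMIN_PWD:-change-me}"        # assumed: injected by CI
IPA_HOSTNAME="${IPA_HOSTNAME:-ipa.example.com}"    # assumed
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"              # assumed
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"            # assumed
CSR_FILE="/root/ipa.csr"                           # assumed: CSR written by phase 1
SIGNED_CERT="/root/ipa.crt"                        # signed by the external CA
ROOT_CA="/etc/pki/ca-trust/source/anchors/root_ca.crt"

# Options the 4.2 installer does not carry over from phase 1, so they are
# given to BOTH phases. Printed as one string for logging and eval.
common_opts() {
    printf '%s' "-U -a '$IPA_ADMIN_PWD' -p '$IPA_ADMIN_PWD' --hostname='$IPA_HOSTNAME' -r '$IPA_REALM' -n '$IPA_DOMAIN' --mkhomedir --setup-dns --forwarder=8.8.8.8"
}

# $1 = signed cert path, $2 = CSR path. Prints 1, 2 or "waiting".
detect_phase() {
    if [ -s "$1" ]; then echo 2          # signed cert present: run phase 2
    elif [ -s "$2" ]; then echo waiting  # CSR issued, still unsigned
    else echo 1; fi                      # nothing yet: run phase 1
}

# Prints the full installer command line for phase $1; fails otherwise.
build_command() {
    case "$1" in
      1) printf '/sbin/ipa-server-install %s --external-ca\n' "$(common_opts)" ;;
      2) printf '/sbin/ipa-server-install %s --external-cert-file=%s --external-cert-file=%s\n' \
            "$(common_opts)" "$SIGNED_CERT" "$ROOT_CA" ;;
      *) return 1 ;;
    esac
}

main() {
    phase=$(detect_phase "$SIGNED_CERT" "$CSR_FILE")
    if [ "$phase" = waiting ]; then
        echo "CSR present but $SIGNED_CERT not yet signed; nothing to do" >&2; exit 2
    fi
    if [ "$phase" = 2 ]; then
        # Refuse to feed the installer a cert that does not chain to the root CA.
        openssl verify -CAfile "$ROOT_CA" "$SIGNED_CERT" >/dev/null \
            || { echo "$SIGNED_CERT does not verify against $ROOT_CA" >&2; exit 1; }
    fi
    eval "$(build_command "$phase")"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke with --run on the host; without it the script only defines the functions, which is how a CI job can source it for dry-run checks.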