[Freeipa-users] Reinstall ipa client, problem with old CA
Martin Kosek
mkosek at redhat.com
Tue May 19 05:53:38 UTC 2015
On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> I'm trying to reinstall ipa client, but have a problem with old/existing
> ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA
> server is still in development and is always reinstalled, I need to reproduce
> any possible problem/error on FreeIPA 4.x on CentOS 7.
>
> The error was:
> LDAP Error: Connect error: TLS error -8054:You are attempting to import
> a cert with the same issuer/serial as an existing cert, but that is not
> the same cert.
>
> Currently, I have renamed ca.crt to ca.crt.old and the ipa client
> successfully reconnected to new FreeIPA Server using dns discovery.
>
> Is it normal? And why the ipa-client-install --uninstall didn't
> completely remove the old ca.crt?

Hello,

ipa-client-install uninstalls the CA certificate properly since FreeIPA 3.2.
This is the upstream ticket:
https://fedorahosted.org/freeipa/ticket/3537

Speaking of CentOS/RHEL, this should thus be fixed in 7.0+. In 6.x versions, you
need to delete the certificate manually if you reinstalled the IPA server.

HTH,
Martin
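
Added example, not part of the original thread and not FreeIPA's own code: a check that classifies a leftover CA certificate against the new server's CA certificate and reports the "same issuer/serial, different cert" condition behind TLS error -8054. It assumes the openssl command-line tool is installed; the function names and the EXAMPLE.TEST demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): classify an old CA certificate against a
# new one. "conflict" = same issuer and serial but a different certificate,
# the condition reported as TLS error -8054 in the thread above.
# Function names are hypothetical; requires the openssl command-line tool.

# cert_field FILE OPTS... -> value part of one "name=value" line from openssl x509
cert_field() {
    f=$1; shift
    out=$(openssl x509 -in "$f" -noout "$@") || return 1
    printf '%s\n' "${out#*=}"
}

# compare_ca OLD NEW -> prints identical | conflict | unrelated (status 2 on error)
compare_ca() (
    old_fp=$(cert_field "$1" -fingerprint -sha256) || exit 2
    new_fp=$(cert_field "$2" -fingerprint -sha256) || exit 2
    if [ "$old_fp" = "$new_fp" ]; then
        echo identical
    elif [ "$(cert_field "$1" -issuer)" = "$(cert_field "$2" -issuer)" ] &&
         [ "$(cert_field "$1" -serial)" = "$(cert_field "$2" -serial)" ]; then
        echo conflict
    else
        echo unrelated
    fi
)

# make_demo_ca PREFIX [SERIAL] -> writes PREFIX.crt and PREFIX.key.
# Constructed sample input: a throwaway self-signed CA with a fixed subject,
# so two calls give distinct certificates sharing issuer and serial.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -set_serial "${2:-1}" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Script mode: sh check_ca.sh OLD_CA.crt NEW_CA.crt
if [ "$#" -eq 2 ]; then
    compare_ca "$1" "$2"
fi
```

Run it with /etc/ipa/ca.crt as the first argument and a copy of the new server's CA certificate as the second; a result of "conflict" means the old file has to go before the client is enrolled again.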