[Freeipa-users] Reinstall ipa client, problem with old CA

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Tue May 19 08:53:55 UTC 2015


Hello!

On 05/19/2015 12:53 PM, Martin Kosek wrote:
> On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I'm trying to reinstall the ipa client, but have a problem with the old/existing
>> ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA
>> server is still in development and always reinstalled, I need to reproduce
>> any possible problem/error on FreeIPA 4.x on CentOS 7.
>>
>> The error was:
>> LDAP Error: Connect error: TLS error -8054:You are attempting to import
>> a cert with the same issuer/serial as an existing cert, but that is not
>> the same cert.
>>
>> Currently, I have renamed ca.crt to ca.crt.old and the ipa client
>> successfully reconnected to the new FreeIPA Server using dns discovery.
>>
>> Is it normal? And why didn't ipa-client-install --uninstall
>> completely remove the old ca.crt?
> 
> Hello,
> 
> ipa-client-install uninstalls the CA certificate properly since FreeIPA
> 3.2. This is the upstream ticket:
> https://fedorahosted.org/freeipa/ticket/3537
> 
> CentOS/RHEL speaking, this should be thus fixed in 7.0+. In 6.x
> versions, you need to delete the certificate manually if you reinstalled
> the IPA server.
> 
> HTH,
> Martin

Could you give me advice on which version is suitable for production, 3.x or
4.x? Or is there any release timeline for FreeIPA versions (like EOL, etc.)?



