[Freeipa-users] Reinstall ipa client, problem with old CA

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Tue May 19 13:21:10 UTC 2015


Thank you Martin,

Yes, the IPA server was built on CentOS 7.1. Some clients are still
using CentOS 6.x, but I plan to upgrade them to 7.x.

Will it cause a problem if some clients are still on CentOS 6.x and the IPA
server is built on CentOS 7.x?

On 05/19/2015 08:14 PM, Martin Kosek wrote:
> On 05/19/2015 10:53 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 05/19/2015 12:53 PM, Martin Kosek wrote:
>>> On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm trying to reinstall ipa client, but have a problem with old/existing
>>>> ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA
>>>> server is still in development and always reinstalled, I need to reproduce
>>>> any possible problem/error on FreeIPA 4.x on CentOS 7.
>>>>
>>>> The error was :
>>>> LDAP Error: Connect error: TLS error -8054:You are attempting to import
>>>> a cert with the same issuer/serial as an existing cert, but that is not
>>>> the same cert.
>>>>
>>>> Currently, I have renamed ca.crt to ca.crt.old and the ipa client
>>>> successfully reconnected to the new FreeIPA server using DNS discovery.
>>>>
>>>> Is it normal? And why didn't ipa-client-install --uninstall
>>>> completely remove the old ca.crt?
>>>
>>> Hello,
>>>
>>> ipa-client-install has uninstalled the CA certificate properly since
>>> FreeIPA 3.2. This is the upstream ticket:
>>> https://fedorahosted.org/freeipa/ticket/3537
>>>
>>> CentOS/RHEL speaking, this should be thus fixed in 7.0+. In 6.x
>>> versions, you need to delete the certificate manually if you reinstalled
>>> the IPA server.
>>>
>>> HTH,
>>> Martin
>>
>> Could you give me advice on which version is suitable for production, 3.x or
>> 4.x? Or is there any release timeline for FreeIPA versions (like EOL, etc.)?
> 
> All versions in RHEL should be suitable for production - RHEL is an OS
> targeting production/stable environment.
> 
> For FreeIPA, I would recommend using an environment built on top of RHEL-7.1
> version (FreeIPA 4.1) as it contains the most fixes and most functionality to
> be offered.
> 
> I would not recommend having mixed RHEL-6.x and RHEL-7.x as you will have
> limited capabilities of your infrastructure as most of the new server features
> are not backported to RHEL-6.x and clients connected to these servers could not
> use them.
> 
> Martin
> 
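
As an added example (not part of the thread and not FreeIPA project code): a shell check for the condition behind the -8054 error above, where a leftover `/etc/ipa/ca.crt` shares issuer and serial with the new server's CA but is a different certificate. The function names and the EXAMPLE.TEST sample CAs are constructed for illustration, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: classify a leftover CA cert against the new server's CA.

# Print "issuer|serial|" for a PEM certificate.
cert_id() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
}

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# compare_ca OLD NEW prints one of:
#   same       identical certificate, nothing to clean up
#   stale      same issuer/serial, different certificate (the -8054 case)
#   unrelated  different issuer or serial
#   error      a file could not be parsed as a certificate
compare_ca() {
    fp_old=$(cert_fp "$1") && fp_new=$(cert_fp "$2") || { echo error; return 2; }
    if [ "$fp_old" = "$fp_new" ]; then
        echo same
    elif [ "$(cert_id "$1")" = "$(cert_id "$2")" ]; then
        echo stale
    else
        echo unrelated
    fi
}

# Constructed sample data: a throwaway self-signed CA with a chosen subject
# and serial. Usage: make_sample_ca OUTFILE SUBJECT SERIAL
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -set_serial "$3" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    subj="/O=EXAMPLE.TEST/CN=Certificate Authority"   # constructed subject
    make_sample_ca "$d/old.crt" "$subj" 1   # stands in for the old install's CA
    make_sample_ca "$d/new.crt" "$subj" 1   # stands in for the reinstalled CA
    compare_ca "$d/old.crt" "$d/new.crt"    # prints: stale
    rm -rf "$d"
}
demo
```

On a client, the first argument would be `/etc/ipa/ca.crt` and the second the CA certificate of the reinstalled server; a `stale` result means the old file has to be removed before re-enrolling.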