[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

Zarko Dudic zarko.dudic at oracle.com
Tue Aug 16 15:40:13 UTC 2016


Hi all,

I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with an 
External CA as the Root CA. Here are the details.

1) Run "ipa-server-install --external-ca", and send .csr to be signed by 
External CA, but VeriSign rejects signing this since info like 
Organization, OU, L, ST, C are missing.

2) Okay, so I try this workaround, create cert request manually with 
command:

      # certutil -R -d /tmp -a -g 2048 -s 'CN=<fqdn>,OU=<some-ou>,O=<company>,L=<town>,ST=California,C=US'

3) I verify request via 
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp 
(looks good)

4) Now VeriSign accepts .csr and I receive the certificate (.cer file) 
via email.

5) I also download two additional certs for trust chain, one is 
VeriSign's public primary root CA and the second one is Company's 
intermediate CA, both (.pem files)

6) Now the problem begins, run the command:

    # ipa-server-install --external-cert-file=/tmp/freeipa.cer --external-cert-file=/tmp/Company_CA_G2.pem --external-cert-file=/tmp/VeriSign_Root_CA.pem -vv


One of the screen messages is:

ipa         : DEBUG    stderr=
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args='/usr/bin/certutil' '-d' '/tmp/tmplsusxY' 
'-M' '-n' 'CN=VeriSign Class 3 Public Primary Certification Authority - 
G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign 
Trust Network,O="VeriSign, Inc.",C=US' '-t' 'C,,'
ipa         : DEBUG    Process finished, return code=0
ipa         : DEBUG    stdout=
ipa         : DEBUG    stderr=
ipa.ipapython.install.cli.install_tool(Server): DEBUG      File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
execute
     return_value = self.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", 
line 311, in run
     cfgr.run()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 279, in run
     self.validate()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 288, in validate
     for nothing in self._validator():
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 343, in __runner
     self._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 365, in _handle_exception
     util.raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 333, in __runner
     step()
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 87, in run_generator_with_yield_from
     raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 65, in run_generator_with_yield_from
     value = gen.send(prev_value)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 517, in _configure
     validator.next()
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 343, in __runner
     self._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 421, in _handle_exception
     self.__parent._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 365, in _handle_exception
     util.raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 418, in _handle_exception
     super(ComponentBase, self)._handle_exception(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 365, in _handle_exception
     util.raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 333, in __runner
     step()
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 87, in run_generator_with_yield_from
     raise_exc_info(exc_info)
   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", 
line 65, in run_generator_with_yield_from
     value = gen.send(prev_value)
   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", 
line 63, in _install
     for nothing in self._installer(self.parent):
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
line 1612, in main
     install_check(self)
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
line 263, in decorated
     func(installer)
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
line 601, in install_check
     ca.install_check(False, None, options)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 
69, in install_check
     options.external_cert_files, options.subject)
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 1016, in load_external_cert
     "IPA CA certificate not found in %s" % (", ".join(files)))

ipa.ipapython.install.cli.install_tool(Server): DEBUG    The 
ipa-server-install command failed, exception: ScriptError: IPA CA 
certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, 
/tmp/VeriSign_Root_CA.pem
ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA 
certificate not found in /tmp/freeipa.cer, /tmp/Company_CA_G2.pem, 
/tmp/VeriSign_Root_CA.pem


Please let me know if any more info is needed, appreciate any help.

-- 
Thanks,
Zarko
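
Added example, not part of the original post and not FreeIPA code: a pre-flight check for step 6 that asks whether any file passed to --external-cert-file is the certificate issued for a particular CSR, comparing subject and public key with openssl. It assumes the installer expects the certificate for the CSR produced by its own step 1 run; all subjects, keys and file names in the demo are constructed.

```shell
# Added example; every subject, key and file name here is constructed.

# Subject DN of a CSR ($1=req) or certificate ($1=x509) in file $2.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//'
}

# PEM public key of a CSR or certificate.
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey; }

# True only if certificate $2 has the subject and public key of CSR $1.
cert_matches_csr() {
    [ "$(subject_of req "$1")" = "$(subject_of x509 "$2")" ] &&
    [ "$(pubkey_of req "$1")" = "$(pubkey_of x509 "$2")" ]
}

# Print the first file in $2.. issued for CSR $1; fail if none was.
find_cert_for_csr() {
    csr=$1; shift
    for f in "$@"; do
        if cert_matches_csr "$csr" "$f"; then echo "$f"; return 0; fi
    done
    return 1
}

# Build a throwaway CA, an "installer" CSR and a hand-made CSR with a
# different key and subject, and sign both (assumed stand-ins for the
# step 1 CSR and the certutil -R request in step 2).
make_demo() {  # $1 = empty working directory
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -subj "/O=Example/CN=Demo Root" -days 1 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout inst.key \
          -out installer.csr -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" &&
      openssl req -new -newkey rsa:2048 -nodes -keyout man.key \
          -out manual.csr -subj "/C=US/ST=California/O=Example/CN=ipa.example.test" &&
      for n in installer manual; do
          openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key \
              -CAcreateserial -out "$n.cer" -days 1 || exit 1
      done ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo "$d" || exit 1
find_cert_for_csr "$d/installer.csr" "$d/manual.cer" "$d/ca.pem" ||
    echo "no certificate issued for installer.csr in these files"
find_cert_for_csr "$d/installer.csr" "$d/installer.cer" "$d/ca.pem"
```

On a real host the first argument would be the CSR written by the `--external-ca` run and the remaining arguments the files intended for `--external-cert-file`.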



