On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
Hello,

I installed IPA Server successfully with the following command:

# ipa-server-install \
     --ca-cert-file /root/ca-hierarchy/rootCA.crt \
     --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt --dirsrv-cert-file /root/ca-hierarchy/dirsrv.key --dirsrv-pin amit \
     --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file /root/ca-hierarchy/http.key --http-pin amit \
     --no-pkinit

Now when I tried installing a replica using this process:
1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
2. Made replica an IPA client:
# vim /etc/hosts
     <ipa-server-ip>   <ipa-server-domain>
# ntpdate <ipa-ip-address>
# ipa-client-install --domain <ipa-server-domain-name> --server <ipa-server-fqdn>
# kinit admin
# getent passwd admin;    id admin;    //Works

3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file /root/http.crt --http-cert-file /root/http.key --http-pin amit --no-pkinit
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The full certificate chain is not present in /root/http.crt, /root/http.key

Hi,

You can use the --http-cert-file / --dirsrv-cert-file / --pkinit-cert-file options multiple times to also provide the root cert.

The doc for replica installation without a CA states that there is no need to add the --ca-cert-file option as ipa-replica-install should use the CA info from the master, but it is inconsistent with the current behavior. Either the doc or the code is wrong.
Could you please open an issue?

Thanks,
Flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#replica-install-setup-ca-less

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@rhel7u4-7 site-packages]#


Attached ipareplica-install.log


Huge Thanks In Advance
Amit



_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
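
Added example, not part of the original thread and not FreeIPA code: a pre-flight check, run before ipa-replica-install, that the certificate files to be passed with repeated --http-cert-file / --dirsrv-cert-file options contain a chain ending in a self-signed root. The helper name chain_complete and the path /root/rootCA.crt are assumptions; it approximates the installer's "full certificate chain" check with openssl verify and does not reproduce it.

```shell
#!/bin/sh
# Added example: pre-flight check before ipa-replica-install (not FreeIPA code).
# chain_complete is a hypothetical helper name.
#
# usage: chain_complete SERVER_CERT [MORE_PEM_FILES...]
# Exit status 0: the first certificate in SERVER_CERT chains to a self-signed
# root that is present among the files given. Non-zero: the chain is incomplete.
chain_complete() {
    leaf=$1
    bundle=$(mktemp) || return 2
    # Collect only CERTIFICATE blocks; private keys in *.key files are skipped.
    for f in "$@"; do
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f"
    done > "$bundle"
    # Without -partial_chain, openssl accepts the chain only if it ends in a
    # self-signed root found in the bundle.
    openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return $rc
}

# Example call with the thread's replica paths; /root/rootCA.crt is an assumed
# location for a copy of the server's rootCA.crt:
#   chain_complete /root/http.crt /root/http.key /root/rootCA.crt && echo complete
```

A non-zero status for the files on hand means the root (or an intermediate) still has to be added through another --http-cert-file or --dirsrv-cert-file option.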
