Thanks, Flo, for the response. Even when I use --pkinit-cert-file to provide the rootCA cert and key, I am still not able to install the replica.

# ipa-replica-install --pkinit-cert-file /root/rootCA.crt --pkinit-cert-file /root/rootCA.key --pkinit-pin amit --dirsrv-cert-file /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file /root/http.crt --http-cert-file /root/http.key --http-pin amit
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The full certificate chain is not present in /root/http.crt, /root/http.key
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
#

On 02/19/2018 03:27 PM, Florence Blanc-Renaud wrote:
> On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
>> Hello,
>>
>> I installed IPA Server successfully with the following command:
>>
>> # ipa-server-install
>> --ca-cert-file /root/ca-hierarchy/rootCA.crt
>> --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt --dirsrv-cert-file
>> /root/ca-hierarchy/dirsrv.key --dirsrv-pin amit
>> --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file
>> /root/ca-hierarchy/http.key --http-pin amit
>> --no-pkinit
>>
>> Now when I tried installing replica using this process:
>> 1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
>> 2. Made replica as IPA client:
>> # vim /etc/hosts
>> <ipa-server-ip> <ipa-server-domain>
>> # ntpdate <ipa-ip-address>
>> # ipa-client-install --domain <ipa-server-domain-name> --server
>> <ipa-server-fdqn>
>> # kinit admin
>> # getent passwd admin; id admin; //Works
>>
>> 3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt
>> --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file
>> /root/http.crt --http-cert-file /root/http.key --http-pin amit
>> --no-pkinit
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The full certificate chain is not present in /root/http.crt,
>> /root/http.key
> Hi,
>
> you can use multiple times the --http-cert-file / --dirsrv-cert-file /
> --pkinit-cert-file to also provide the root cert.
>
> The doc for replica installation without a CA states that there is no
> need to add the --ca-cert-file option as ipa-replica-install should
> use the CA info from the master, but it is inconsistent with the
> current behavior. Either the doc or the code is wrong.
> Could you please open an issue?
>
> Thanks,
> Flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#replica-install-setup-ca-less
>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> [root@rhel7u4-7 site-packages]#
>>
>>
>> Attached ipareplica-install.log
>>
>>
>> Huge Thanks In Advance
>> Amit
>>
>>
>>
>> _______________________________________________
>> FreeIPA-devel mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>>
>

--
Thanks
Amit Kumar
!!If you stumble, get back up. What happened yesterday, no longer matters. Today is another day to move closer to your GOAL!!
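
As an added example (not part of the original messages and not FreeIPA's own validation code), a pre-flight check for the "full certificate chain is not present" error in this thread: it prints every issuer named by the certificates in one set of --http-cert-file / --dirsrv-cert-file arguments that is not itself present as a subject. The script name, the constructed CN values and the name-only matching (no signature verification, PEM input only) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not FreeIPA code). Name-based check only: it compares
# subject/issuer DNs and does not verify signatures. Assumes PEM input.

# Print "subject<TAB>issuer" for every certificate in the given PEM files.
# Private-key blocks in the same files are filtered out, never parsed.
list_certs() (
    tmp=$(mktemp) || exit 1
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$@" > "$tmp"
    openssl crl2pkcs7 -nocrl -certfile "$tmp" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | awk '/^subject=/ { s = substr($0, 9) }
               /^issuer=/  { print s "\t" substr($0, 8) }'
    rm -f "$tmp"
)

# Print every issuer DN that has no matching subject in the files.
# Exit 0: every named issuer is present. 1: issuer(s) missing. 2: no certs.
missing_issuers() {
    list_certs "$@" | awk -F'\t' '
        { subj[$1] = 1; iss[$2] = 1 }
        END {
            if (NR == 0) exit 2
            for (i in iss) if (!(i in subj)) { print i; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample PKI (hypothetical names): a root CA plus an HTTP server
# certificate signed by it, written into directory $1.
build_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=replica.example.test" \
        -keyout "$1/http.key" -out "$1/http.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/http.csr" -days 1 -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/http.crt" 2>/dev/null
}

# Usage (hypothetical script name):
#   ./chaincheck.sh /root/http.crt /root/http.key [/root/rootCA.crt]
if [ "$#" -gt 0 ]; then
    missing_issuers "$@" && echo "chain complete" || echo "chain not complete"
fi
```

Run it once per certificate set (HTTP, directory server, PKINIT) with exactly the files that will be passed to the installer for that set.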
