Thanks Flo for the response.

When I use --pkinit-cert-file to provide the root CA cert and key, I am still
not able to install the replica.

# ipa-replica-install --pkinit-cert-file /root/rootCA.crt
--pkinit-cert-file /root/rootCA.key --pkinit-pin amit --dirsrv-cert-file
/root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit
--http-cert-file /root/http.crt --http-cert-file /root/http.key
--http-pin amit
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The full certificate chain is not present in /root/http.crt,
/root/http.key
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
#


On 02/19/2018 03:27 PM, Florence Blanc-Renaud wrote:
> On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
>> Hello,
>>
>> I installed IPA Server successfully with the following command:
>>
>> # ipa-server-install
>>      --ca-cert-file /root/ca-hierarchy/rootCA.crt
>>      --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt --dirsrv-cert-file
>> /root/ca-hierarchy/dirsrv.key --dirsrv-pin amit
>>      --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file
>> /root/ca-hierarchy/http.key  --http-pin amit
>>      --no-pkinit
>>
>> Now when I tried installing replica using this process:
>> 1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
>> 2. Made replica as IPA client:
>>   # vim /etc/hosts
>>      <ipa-server-ip>   <ipa-server-domain>
>> # ntpdate <ipa-ip-address>
>> # ipa-client-install  --domain <ipa-server-domain-name>  --server
>> <ipa-server-fqdn>
>> # kinit admin
>> # getent passwd admin;    id admin;    //Works
>>
>> 3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt
>> --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file
>> /root/http.crt --http-cert-file /root/http.key --http-pin amit
>> --no-pkinit
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The full certificate chain is not present in /root/http.crt,
>> /root/http.key
> Hi,
>
> you can use the --http-cert-file / --dirsrv-cert-file /
> --pkinit-cert-file options multiple times to also provide the root cert.
>
> The doc for replica installation without a CA states that there is no
> need to add the --ca-cert-file option as ipa-replica-install should
> use the CA info from the master, but it is inconsistent with the
> current behavior. Either the doc or the code is wrong.
> Could you please open an issue?
>
> Thanks,
> Flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#replica-install-setup-ca-less
>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> [root@rhel7u4-7 site-packages]#
>>
>>
>> Attached ipareplica-install.log
>>
>>
>> Huge Thanks In Advance
>> Amit
>>
>>
>>
>> _______________________________________________
>> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-devel-le...@lists.fedorahosted.org
>>
>

-- 
Thanks
Amit Kumar
!!If you stumble, get back up. 
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!
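
Added example (not part of the original thread and not FreeIPA's own code): a pre-flight check, using the openssl CLI, of whether a set of PEM files contains the server certificate's whole chain up to a self-signed root, which approximates the condition the "full certificate chain is not present" error reports. The helper names chain_complete and make_demo_pki and the generated sample certificates are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not FreeIPA code. chain_complete and make_demo_pki are
# hypothetical helper names; input files are assumed to be PEM.

# chain_complete SERVER_CERT [FILE...]
# Succeeds only if SERVER_CERT verifies up to a self-signed root using just
# the certificates found in SERVER_CERT and the other listed files.
chain_complete() {
    leaf=$1
    work=$(mktemp -d) || return 2
    mkdir "$work/empty"
    # Keep only CERTIFICATE blocks, so private key files may be listed too.
    for f in "$@"; do
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f"
    done > "$work/bundle.pem"
    # Explicit -CAfile plus an empty -CApath keeps the system trust store out.
    openssl verify -CAfile "$work/bundle.pem" -CApath "$work/empty" "$leaf" >/dev/null
    rc=$?
    rm -rf "$work"
    return $rc
}

# make_demo_pki DIR: constructed sample root CA and server certificate.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/rootCA.key" -out "$d/rootCA.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=replica.example.test" \
        -keyout "$d/http.key" -out "$d/http.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/http.csr" -CA "$d/rootCA.crt" \
        -CAkey "$d/rootCA.key" -CAcreateserial -days 1 \
        -out "$d/http.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
# Server cert and key only: the issuer is missing, so the check fails.
chain_complete "$demo/http.crt" "$demo/http.key" ||
    echo "incomplete: issuing CA certificate not among the files"
# Adding the CA certificate (never its private key) completes the chain.
chain_complete "$demo/http.crt" "$demo/http.key" "$demo/rootCA.crt" &&
    echo "complete: chain ends at a self-signed root"
rm -rf "$demo"
```

When the check fails, openssl's own message on stderr names the certificate whose issuer could not be found among the files.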