On 02/19/2018 11:28 AM, Amit via FreeIPA-devel wrote:
Thanks Flo for response.

When I am using --pkinit-cert-file to provide the root CA cert and key, I am still
not able to install the replica.

# ipa-replica-install --pkinit-cert-file /root/rootCA.crt
--pkinit-cert-file /root/rootCA.key --pkinit-pin amit --dirsrv-cert-file
/root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit
--http-cert-file /root/http.crt --http-cert-file /root/http.key
--http-pin amit

Hi Amit,

the root CA needs to be provided for all the certs, i.e. in your case you also have to supply --dirsrv-cert-file /root/rootCA.crt --http-cert-file /root/rootCA.crt

Note: you do not need to supply the root CA key, you can remove --pkinit-cert-file /root/rootCA.key

HTH,
Flo

WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The full certificate chain is not present in /root/http.crt,
/root/http.key
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
#


On 02/19/2018 03:27 PM, Florence Blanc-Renaud wrote:
On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
Hello,

I installed the IPA server successfully with the following command:

# ipa-server-install
      --ca-cert-file /root/ca-hierarchy/rootCA.crt
      --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt --dirsrv-cert-file
/root/ca-hierarchy/dirsrv.key --dirsrv-pin amit
      --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file
/root/ca-hierarchy/http.key  --http-pin amit
      --no-pkinit

Now when I tried installing replica using this process:
1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
2. Made replica as IPA client:
   # vim /etc/hosts
      <ipa-server-ip>   <ipa-server-domain>
# ntpdate <ipa-ip-address>
# ipa-client-install  --domain <ipa-server-domain-name>  --server
<ipa-server-fdqn>
# kinit admin
# getent passwd admin;    id admin;    //Works

3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt
--dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file
/root/http.crt --http-cert-file /root/http.key --http-pin amit
--no-pkinit
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The full certificate chain is not present in /root/http.crt,
/root/http.key
Hi,

you can use the --http-cert-file / --dirsrv-cert-file / --pkinit-cert-file
options multiple times to also provide the root cert.

The doc for replica installation without a CA states that there is no
need to add the --ca-cert-file option as ipa-replica-install should
use the CA info from the master, but it is inconsistent with the
current behavior. Either the doc or the code is wrong.
Could you please open an issue?

Thanks,
Flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#replica-install-setup-ca-less

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
[root@rhel7u4-7 site-packages]#


Attached ipareplica-install.log


Huge Thanks In Advance
Amit



_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-devel-le...@lists.fedorahosted.org



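Added example, not code from the thread or from FreeIPA: a pre-flight script that checks, before running ipa-replica-install, what Flo's answer requires in the CA-less case: each service's private key actually matches its certificate, each leaf certificate chains to the root CA, and the root CA certificate (never its key) is passed as an additional --*-cert-file argument for every service. The paths under /root and the pin "amit" are taken from the thread; the function names (count_certs, key_matches_cert, chains_to_root, preflight) are assumptions, and openssl is assumed to be installed. The installer is only invoked when the script is run with the argument "run".

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): pre-flight checks for a
# CA-less ipa-replica-install. Assumes openssl is on PATH and the file layout
# from the thread (/root/rootCA.crt, /root/http.crt, /root/http.key, ...).

# count_certs FILE: number of PEM certificate blocks in FILE (a bare leaf = 1).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# key_matches_cert KEY CERT: exit 0 when the private key's public half equals
# the certificate's public key, catching a mismatched --*-cert-file pair early.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# chains_to_root ROOT_CA CERT: exit 0 when CERT verifies against ROOT_CA alone.
# That is the chain the installer needs when ROOT_CA is supplied as an extra
# --http-cert-file / --dirsrv-cert-file argument next to the leaf certificate.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight ROOT_CA CERT KEY: run every check for one service; exit 0 on success.
preflight() {
    root=$1; cert=$2; key=$3
    if [ "$(count_certs "$cert")" -lt 1 ]; then
        echo "no certificate found in $cert" >&2; return 1
    fi
    key_matches_cert "$key" "$cert" || { echo "$key does not match $cert" >&2; return 1; }
    chains_to_root "$root" "$cert" || { echo "$cert does not chain to $root" >&2; return 1; }
}

# main: check both services, then run the installer with the root certificate
# added to each --*-cert-file list. The root CA private key is never passed.
main() {
    root=/root/rootCA.crt
    for svc in http dirsrv; do
        preflight "$root" "/root/$svc.crt" "/root/$svc.key" || exit 1
    done
    ipa-replica-install \
        --dirsrv-cert-file /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key \
        --dirsrv-cert-file "$root" --dirsrv-pin amit \
        --http-cert-file /root/http.crt --http-cert-file /root/http.key \
        --http-cert-file "$root" --http-pin amit \
        --no-pkinit
}

# Only start the installer when explicitly asked: sh preflight.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it as "sh preflight.sh run" on the replica after copying the certificates; each failed check names the offending file, which is more specific than the installer's "The full certificate chain is not present" message.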
