Now I am getting this error:

# ipa-replica-install --dirsrv-cert-file /root/rootCA.crt
--dirsrv-cert-file /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key
--dirsrv-pin amit --http-cert-file /root/rootCA.crt --http-cert-file
/root/http.crt --http-cert-file /root/http.key --http-pin amit --no-pkinit
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The server certificate in /root/rootCA.crt, /root/http.crt,
/root/http.key is not valid: invalid for server
rhel7u4-7.gsslab.pnq2.redhat.com
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
ERROR    The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
[root@rhel7u4-7 ~]# openssl verify -CAfile rootCA.crt  dirsrv.crt
dirsrv.crt: OK
[root@rhel7u4-7 ~]# openssl verify -CAfile rootCA.crt  http.crt
http.crt: OK
[root@rhel7u4-7 ~]#

CN=<hostname-of-ipa-master-server> in http.crt.

Attached rootCA.crt, http.crt



On 02/19/2018 06:05 PM, Florence Blanc-Renaud wrote:
> On 02/19/2018 11:28 AM, Amit via FreeIPA-devel wrote:
>> Thanks Flo for response.
>>
>> When I am using --pkinit-cert-file to provide the root CA cert and key, I am
>> still not able to install the replica.
>>
>> # ipa-replica-install --pkinit-cert-file /root/rootCA.crt
>> --pkinit-cert-file /root/rootCA.key --pkinit-pin amit --dirsrv-cert-file
>> /root/dirsrv.crt --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit
>> --http-cert-file /root/http.crt --http-cert-file /root/http.key
>> --http-pin amit
>
> Hi Amit,
>
> the root CA needs to be provided for all the certs, i.e. in your case
> you also have to supply --dirsrv-cert-file /root/rootCA.crt
> --http-cert-file /root/rootCA.crt
>
> Note: you do not need to supply the root CA key, you can remove
> --pkinit-cert-file /root/rootCA.key
>
> HTH,
> Flo
>
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The full certificate chain is not present in /root/http.crt,
>> /root/http.key
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> #
>>
>>
>> On 02/19/2018 03:27 PM, Florence Blanc-Renaud wrote:
>>> On 02/19/2018 08:28 AM, Amit via FreeIPA-devel wrote:
>>>> Hello,
>>>>
>>>> I installed the IPA Server successfully with the following command:
>>>>
>>>> # ipa-server-install
>>>>       --ca-cert-file /root/ca-hierarchy/rootCA.crt
>>>>       --dirsrv-cert-file /root/ca-hierarchy/dirsrv.crt
>>>> --dirsrv-cert-file
>>>> /root/ca-hierarchy/dirsrv.key --dirsrv-pin amit
>>>>       --http-cert-file /root/ca-hierarchy/http.crt --http-cert-file
>>>> /root/ca-hierarchy/http.key  --http-pin amit
>>>>       --no-pkinit
>>>>
>>>> Now when I tried installing replica using this process:
>>>> 1. scp http.key, http.crt, dirsrv.key, dirsrv.crt to replica
>>>> 2. Made replica as IPA client:
>>>>    # vim /etc/hosts
>>>>       <ipa-server-ip>   <ipa-server-domain>
>>>> # ntpdate <ipa-ip-address>
>>>> # ipa-client-install  --domain <ipa-server-domain-name>  --server
>>>> <ipa-server-fqdn>
>>>> # kinit admin
>>>> # getent passwd admin;    id admin;    //Works
>>>>
>>>> 3. # ipa-replica-install --dirsrv-cert-file /root/dirsrv.crt
>>>> --dirsrv-cert-file /root/dirsrv.key --dirsrv-pin amit --http-cert-file
>>>> /root/http.crt --http-cert-file /root/http.key --http-pin amit
>>>> --no-pkinit
>>>> WARNING: conflicting time&date synchronization service 'chronyd' will
>>>> be disabled in favor of ntpd
>>>>
>>>> Your system may be partly configured.
>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>
>>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>>>> ERROR    The full certificate chain is not present in /root/http.crt,
>>>> /root/http.key
>>> Hi,
>>>
>>> you can use the --http-cert-file / --dirsrv-cert-file /
>>> --pkinit-cert-file options multiple times to also provide the root cert.
>>>
>>> The doc for replica installation without a CA states that there is no
>>> need to add the --ca-cert-file option as ipa-replica-install should
>>> use the CA info from the master, but it is inconsistent with the
>>> current behavior. Either the doc or the code is wrong.
>>> Could you please open an issue?
>>>
>>> Thanks,
>>> Flo
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#replica-install-setup-ca-less
>>>
>>>
>>>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>>>> ERROR    The ipa-replica-install command failed. See
>>>> /var/log/ipareplica-install.log for more information
>>>> [root@rhel7u4-7 site-packages]#
>>>>
>>>>
>>>> Attached ipareplica-install.log
>>>>
>>>>
>>>> Huge Thanks In Advance
>>>> Amit
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-devel-le...@lists.fedorahosted.org
>>>>
>>>
>>
>

-- 
Thanks
Amit Kumar
!!If you stumble, get back up. 
What happened yesterday, no longer matters.
Today is another day to move closer to your GOAL!!

Attachment: rootCA.crt
Description: application/pkix-cert

Attachment: http.crt
Description: application/pkix-cert
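The symptom in this thread (openssl verify prints OK, yet the installer reports "invalid for server rhel7u4-7...") comes from two separate checks: chain validation, which is all `openssl verify -CAfile` does by default, and hostname validation against the replica's own FQDN, which the installer performs and which a certificate carrying the master's hostname in its CN/SAN cannot pass. The script below is an added example, not code from the thread or from FreeIPA: it reproduces both checks with the openssl CLI on a throwaway root CA and service certificate. The function names, the hostnames ipa-master.example.test / ipa-replica.example.test and the file names are constructed for the demo; `-verify_hostname` assumes OpenSSL 1.0.2 or newer, which RHEL 7.4 ships.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): the two checks a
# CA-less ipa-replica-install applies to a service certificate, done with
# the openssl CLI only.
#   1. chain check    - does the cert chain up to the supplied root CA?
#   2. hostname check - is the cert valid for THIS host's FQDN (CN/SAN)?
# "openssl verify -CAfile rootCA.crt http.crt" answers only (1), so a cert
# issued for the master's hostname prints "OK" there yet is rejected on the
# replica with "invalid for server <replica-fqdn>".
# Function names, hostnames and file names are constructed for the demo.
# -verify_hostname needs OpenSSL 1.0.2 or newer.

set -u

# check_service_cert CA_FILE CERT_FILE FQDN
# Returns 0 only if CERT_FILE chains to CA_FILE and is valid for FQDN.
check_service_cert() {
    ca="$1"; cert="$2"; fqdn="$3"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not chain to $ca"
        return 1
    fi
    if ! openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1; then
        echo "$cert: chains to $ca but is not valid for server $fqdn"
        # Show what the cert is actually issued for.
        openssl x509 -in "$cert" -noout -subject
        openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name'
        return 1
    fi
    echo "$cert: chains to $ca and is valid for server $fqdn"
    return 0
}

# make_demo_certs DIR MASTER_FQDN
# Throwaway root CA plus an HTTP service cert issued for MASTER_FQDN,
# standing in for the certs a CA-less master was installed with.
make_demo_certs() {
    dir="$1"; master="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$master" \
        -keyout "$dir/http.key" -out "$dir/http.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$master" \
        > "$dir/http.ext"
    openssl x509 -req -days 2 -in "$dir/http.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -set_serial 1 -extfile "$dir/http.ext" \
        -out "$dir/http.crt" 2>/dev/null
}

# demo: the same http.crt passes on the master and fails on the replica.
demo() {
    master="ipa-master.example.test"
    replica="ipa-replica.example.test"
    dir=$(mktemp -d)
    make_demo_certs "$dir" "$master"
    check_service_cert "$dir/rootCA.crt" "$dir/http.crt" "$master"
    check_service_cert "$dir/rootCA.crt" "$dir/http.crt" "$replica" \
        || echo "-> the replica needs its own service certs issued for $replica"
    rm -rf "$dir"
}

# Run the demo when openssl is available.
command -v openssl >/dev/null 2>&1 && demo
```

Run against the real files as `check_service_cert /root/rootCA.crt /root/http.crt "$(hostname -f)"` on the replica. The first check is what passed in the thread; the second is the one the installer failed, because the http.crt copied from the master names the master's hostname. Service certificates for a CA-less replica have to be issued for the replica's own FQDN and, as Flo notes, handed to the installer together with the root CA file.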
