Jeff B wrote:
I'm trying to do an ipa-server-install with an --external-ca but after
it generates the .csr and I sign a .crt I can't run the followup
ipa-server-install to import the certificate.

I don't think I'm supposed to run an --uninstall between the
--external-ca and the --external_cert_file installations but I'm not

Here is what I'm getting:

[root@ipa0 ~]# ipa-server-install --setup-dns --forwarder="" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM

The log file for this installation can be found in
This program will set up the FreeIPA Server.

This includes:
   * Configure the Network Time Daemon (ntpd)
   * Create and configure an instance of Directory Server
   * Create and configure a Kerberos Key Distribution Center (KDC)
   * Configure Apache (httpd)
   * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: Hostname ( not found in DNS
The domain name has been calculated based on the host name.

The IPA Master Server will be configured with
IP address:
Domain name:

Configuring ntpd
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
   [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
   [1/4]: creating certificate server user
   [2/4]: creating pki-ca instance
   [3/4]: restarting certificate server
   [4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run
ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate

... Signed the Certificate ...

[root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt

The log file for this installation can be found in
IPA server is already configured on this system.

[root@ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from
2011-01-24 11:36:14,309 DEBUG Loading Index file from
2011-01-24 11:36:14,336 DEBUG Loading StateFile from

Looks like a bug. You should be able to work around it by commenting out these lines in /usr/sbin/ipa-server-install:

    if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
        sys.exit("IPA server is already configured on this system.")

The Python comment is a hash (#).

I opened ticket to track this.


Freeipa-devel mailing list