Nathaniel McCallum wrote:
When installing beta1, I encountered a bug where the CA install would
fail. This may have already been fixed in dogtag or elsewhere, but if
not, this patch WorksForMe. I have no idea if it is the "right" fix.

Good catch. This change apparently was added during the last week of 10.0.2 development and I'm not sure how I missed it. I did at least one successful install using those bits. Maybe either my test was bogus or I had left-over kruft.

In any case, we can specify the location directly to pkispawn and not have to move the file.

>From a1bfb95064f3242af5a71cea27a783e57e08c3ab Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Thu, 2 May 2013 13:47:06 -0400
Subject: [PATCH] Specify the location for the agent PKCS#12 file so we don't
 have to move it.

Dogtag 10.0.2 changed the default location for this file from /root/.pki
to /root/.dogtag which broke our install.
 ipaserver/install/ | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ipaserver/install/ b/ipaserver/install/
index 2bb6cb4e3ccbe98f1967a63b0b4dd3ea7df7c37d..5669ebecb810ae0ff4f264725de3d67d54584e49 100644
--- a/ipaserver/install/
+++ b/ipaserver/install/
@@ -655,6 +655,7 @@ class CAInstance(service.Service):
         config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
         config.set("CA", "pki_admin_subject_dn",
             str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
+        config.set("CA", "pki_client_admin_cert_p12", "/root/ca-agent.p12")
         # Directory server
         config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
@@ -741,9 +742,6 @@ class CAInstance(service.Service):
             print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
-            if not self.clone:
-                shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
-                            "/root/ca-agent.p12")
             shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \

Freeipa-devel mailing list

Reply via email to