Jan Cholasta wrote:
> On 2.7.2014 19:37, Jan Cholasta wrote:
>> On 2.7.2014 19:08, Rob Crittenden wrote:
>>> Trimming to respond to your questions.
>>>>> Not sure if this is related:
>>>>> # pki cert-find
>>>>> PKIException: Internal Server Error
>>> I'm pretty sure the cert-find error is related to the fact that I had a
>>> test build of dogtag installed, so that can be ignored.
>> It does not work for me either, with the current F20 dogtag packages,
>> but like I said, it worked some time ago.
> Still haven't figured this out, unfortunately.
> Added patches 304 and 305 to fix /etc/ipa/ca.crt not having all the CA
> certificates on master.
> Updated rebased patches attached. The correct order to apply is 295-294,
> 303-305, 295-299.
251 I'm a little confused about the profile names. I see you changed the
renewal profile from ipaCACertRenewal to caCACert which I guess makes
sense. I don't see an ipaCACertRenewal profile. There is still a
reference to an ipaRetrieval profile, what is that?
ACK to the changes in 291
299 I guess you added the check for existing certs to avoid conflicts? I
guess it means that a user is hosed if they chose the same name for
their CA that we use? I think you're missing a sys.exit(1) here.
303 Looks good. The man page is still a little thin.
304 Not to be too pedantic but if removing the old CACERT fails
(SELinux, immutable file) then the install will blow up and this is the
very end. I think the removal should happen earlier, before anything
else happens. That way at least you don't wait 10 minutes to find out the
I didn't have a ton of time to test but a basic install fails with:
2014-07-03T21:44:49Z DEBUG stderr=
2014-07-03T21:44:49Z DEBUG File
line 640, in run_script
return_value = main_function()
File "/usr/sbin/ipa-server-install", line 1046, in main
489, in configure_instance
line 382, in start_creation
1041, in __import_ca_chain
(rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
line 79, in get_cert_nickname
nsscert = x509.load_certificate(cert)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
2014-07-03T21:44:49Z DEBUG The ipa-server-install command failed,
exception: NSPRError: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are
attempting to import a cert with the same issuer/serial as an existing
cert, but that is not the same cert.