Peter Tselios via FreeIPA-users wrote:
> Hello,
> I have a small project to install a FreeIPA cluster on CentOS 7.7.
>
> We have our own CA and they provided me already with a private key and a
> certificate file for the servers.
> My problem is that I cannot make ipa-server install.
>
> The command I use is:
>
> ==================================
> ipa-server-install --realm "EXAMPLE.COM" -p 'mypassword' -a 'mypassword' \
> --hostname="freeipam.example.com" -n example.com --ip-address="10.1.8.24" \
> --dirsrv-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
> --dirsrv-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
> --dirsrv-pin='' \
> --http-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
> --http-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
> --http-pin='' \
> --pkinit-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
> --pkinit-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
> --pkinit-pin='' \
> --ca-cert-file=/etc/pki/ca-trust/source/anchors/Subordinate-CA.pem \
> --ca-cert-file=/etc/pki/ca-trust/source/anchors/External-CA.pem \
> --mkhomedir -N --no-host-dns --unattended
> ==================================
>
> The problem is that I get this error:
>
> -----------
> The KDC certificate in /etc/pki/tls/certs/freeipam.example.com.crt,
> /etc/pki/tls/private/freeipam.example.com.pem is not valid: invalid for a KDC
> -----------
>
> Then I read this:
> https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html and it was clear
> that I cannot use my certificates for the KDC in FreeIPA.
> So, now the question is a bit different.
> When I tried the above command without the pkinit certs lines, I got this
> error:
>
> -----------
> ipa-server-install: error: --dirsrv-cert-file, --http-cert-file, and
> --pkinit-cert-file or --no-pkinit are required if any key file options are
> used.
> -----------
>
> This is in contrast with this document:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-server-external-ca
>
> where it's clear that I **CAN** specify just the LDAP and HTTP
> certificates!!!!
>
> How can I use my certificates for HTTP and LDAP but ask IPA to use its
> self-signed certificates for KDC?
You can't. Installing with no CA == no way to issue certs. You have to provide
it yourself.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
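The "invalid for a KDC" error above comes down to what the MIT PKINIT document Peter linked requires of a KDC certificate, which an ordinary TLS server certificate from an external CA does not carry: an extendedKeyUsage containing id-pkinit-KDC (1.3.6.1.5.2.3.5) and a subjectAltName otherName of type id-pkinit-san (1.3.6.1.5.2.2) holding the krbtgt/REALM principal. The script below is an added example, not code from the thread, from FreeIPA or from MIT: it checks a PEM certificate for both requirements with nothing but the openssl CLI, and builds two constructed demo certificates (a plain TLS server cert like the one in Peter's command, and one with the PKINIT KDC extensions, using the ASN.1 sections from the MIT document) to show the check passing and failing. It is not the installer's own validation logic; the realm EXAMPLE.COM, the hostname freeipam.example.com and the file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check a PEM certificate against the two
# PKINIT requirements for a KDC certificate in the MIT pkinit document:
#   - extendedKeyUsage contains id-pkinit-KDC (1.3.6.1.5.2.3.5)
#   - subjectAltName carries an id-pkinit-san otherName (1.3.6.1.5.2.2)
# Only the openssl CLI is needed. Realm, hostname and file names are
# assumptions used for the constructed demo certificates.

# Print the parsed DER *inside* extension $2 of certificate $1.
# `openssl asn1parse` does not descend into the OCTET STRING that wraps an
# extension value, so we find that value's offset and re-parse it with
# -strparse. Returns 1 if the extension is absent.
ext_contents() {
    c="$1"; extname="$2"
    off=$(openssl asn1parse -in "$c" 2>/dev/null | awk -v n="$extname" '
        found && /OCTET STRING/ { sub(/:.*/, ""); gsub(/ /, ""); print; exit }
        index($0, n) { found = 1 }')
    [ -n "$off" ] || return 1
    openssl asn1parse -in "$c" -strparse "$off" 2>/dev/null
}

# Return 0 if the certificate satisfies both KDC requirements, 1 otherwise.
# OpenSSL prints OIDs it knows by name, so each grep accepts the dotted form
# as well as the names OpenSSL may use for it.
kdc_cert_ok() {
    cert="$1"
    ext_contents "$cert" "X509v3 Extended Key Usage" |
        grep -qiE '1\.3\.6\.1\.5\.2\.3\.5|pkinitkdc|KDC' || return 1
    ext_contents "$cert" "X509v3 Subject Alternative Name" |
        grep -qiE '1\.3\.6\.1\.5\.2\.2($|[^.0-9])|pkinit|krb5|kerberos' || return 1
}

# Generate two self-signed demo certificates in directory $1 (constructed test
# data): server.crt, a plain TLS server cert, and kdc.crt with the PKINIT KDC
# extensions. The ASN.1 sections follow the MIT pkinit extension file.
make_demo_certs() {
    dir="$1"
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = freeipam.example.com
[v3_server]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:freeipam.example.com
[v3_kdc]
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ
[kdc_princ]
realm = EXP:0,GeneralString:EXAMPLE.COM
principal_name = EXP:1,SEQUENCE:kdc_princ_name
[kdc_princ_name]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_princ_strings
[kdc_princ_strings]
0.name = GeneralString:krbtgt
1.name = GeneralString:EXAMPLE.COM
EOF
    for kind in server kdc; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/demo.cnf" -extensions "v3_$kind" \
            -keyout "$dir/$kind.key" -out "$dir/$kind.crt" >/dev/null 2>&1 || return 1
    done
}

# Stand-alone demo: build both certificates in a scratch directory and report.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for f in server kdc; do
    if kdc_cert_ok "$demo_dir/$f.crt"; then
        echo "$f.crt: usable as a KDC certificate"
    else
        echo "$f.crt: not usable as a KDC certificate (no PKINIT KDC EKU/SAN)"
    fi
done
rm -rf "$demo_dir"
```

Running `kdc_cert_ok` against the certificate your CA issued tells you before the installer does whether it can serve as the KDC certificate; if it only reports the serverAuth EKU and DNS names, as a typical web/LDAP certificate does, the CA has to issue a separate certificate with the v3_kdc-style extensions (or the deployment keeps an IPA CA to issue one), which is the "provide it yourself" in the reply above.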
