On 3/13/20 3:46 PM, Peter Tselios via FreeIPA-users wrote:
Hello,
I have a small project to install a FreeIPA cluster on CentOS 7.7.

We have our own CA and they provided me already with a private key and a 
certificate file for the servers.
My problem is that I cannot make ipa-server to install

The command I use is:

==================================
     ipa-server-install --realm "EXAMPLE.COM" -p 'mypassword' -a 'mypassword' \
     --hostname="freeipam.example.com" -n example.com --ip-address="10.1.8.24" \
     --dirsrv-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
     --dirsrv-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
     --dirsrv-pin='' \
     --http-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
     --http-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
     --http-pin='' \
     --pkinit-cert-file=/etc/pki/tls/certs/freeipam.example.com.crt \
     --pkinit-cert-file=/etc/pki/tls/private/freeipam.example.com.pem \
     --pkinit-pin='' \
     --ca-cert-file=/etc/pki/ca-trust/source/anchors/Subordinate-CA.pem \
     --ca-cert-file=/etc/pki/ca-trust/source/anchors/External-CA.pem \
     --mkhomedir -N --no-host-dns --unattended

==================================

The problem is that I get this error:

-----------
The KDC certificate in /etc/pki/tls/certs/freeipam.example.com.crt, 
/etc/pki/tls/private/freeipam.example.com.pem is not valid: invalid for a KDC
-----------

Then I read this: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html 
and it was clear that I cannot use my certificates for the KDC in FreeIPA.
So, now the question is a bit different.
When I tried the above command without the pkinit certs lines, I got this error:

-----------
ipa-server-install: error: --dirsrv-cert-file, --http-cert-file, and 
--pkinit-cert-file or --no-pkinit are required if any key file options are used.
-----------

This is in contrast with this document:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-server-external-ca

where it's clear that I **CAN** specify just the LDAP and HTTP certificates!!!!

Hi,
As Leonid said, if you don't provide a certificate for PKinit, you need to add the option --no-pkinit. I agree that the doc is not properly explaining that, but it has been enhanced in RHEL8 doc set:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-server-without-a-ca_installing-identity-management#certificates-required-to-install-ipa-server-no-ca_install-server-no-ca

You can open a documentation bug if you feel it should be fixed in RHEL7 doc set.
flo


How can I use my certificates for HTTP and LDAP but ask IPA to use its 
self-signed certificates for KDC?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
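Added example, not from the thread and not FreeIPA code: a small POSIX shell script that encodes the installer rule flo and the quoted error describe (once any --*-cert-file option is used, --dirsrv-cert-file and --http-cert-file are mandatory, and the KDC side needs either --pkinit-cert-file or --no-pkinit), prints the poster's command corrected that way, and adds a check a practitioner would run first: whether a certificate carries the PKINIT KDC extended key usage (id-pkinit-KDC, 1.3.6.1.5.2.3.5) that the MIT document linked above requires of a KDC certificate. Realm, hostname and file paths are the ones from the original post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA).  It mirrors the
# ipa-server-install rule quoted in the thread: with any external cert file,
# --dirsrv-cert-file and --http-cert-file are both required and the KDC needs
# --pkinit-cert-file or --no-pkinit.  Paths/realm are the poster's; function
# names are this example's own.

# ipa_cert_args DIRSRV_FILES HTTP_FILES PKINIT_FILES
#   Each argument is a space-separated list of PEM files (cert and key may be
#   separate files; the option repeats once per file, as in the poster's
#   command, so paths with spaces are not supported).  Prints the option
#   list; returns 1 for a combination the installer rejects.
ipa_cert_args() {
    dirsrv=$1; http=$2; pkinit=$3
    if [ -z "$dirsrv" ] && [ -z "$http" ] && [ -z "$pkinit" ]; then
        return 0   # no external certs at all: the IPA CA issues all three
    fi
    if [ -z "$dirsrv" ] || [ -z "$http" ]; then
        echo "ipa_cert_args: --dirsrv-cert-file and --http-cert-file are both required" >&2
        return 1
    fi
    out=""
    for f in $dirsrv; do out="$out --dirsrv-cert-file=$f"; done
    for f in $http;   do out="$out --http-cert-file=$f"; done
    if [ -n "$pkinit" ]; then
        for f in $pkinit; do out="$out --pkinit-cert-file=$f"; done
    else
        out="$out --no-pkinit"   # KDC certificate is issued by the IPA CA instead
    fi
    printf '%s\n' "${out# }"
}

# kdc_cert_ok CERT.pem: returns 0 when the certificate carries the PKINIT KDC
# EKU (id-pkinit-KDC, 1.3.6.1.5.2.3.5).  OpenSSL prints it either as the
# dotted OID or as its registered name, so both spellings are accepted.
# A certificate without it is what the "invalid for a KDC" error is about.
kdc_cert_ok() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq '1\.3\.6\.1\.5\.2\.3\.5|Signing KDC Response|pkInitKDC'
}

# corrected_install_cmd: the poster's command with the --pkinit-* lines
# removed and --no-pkinit added.  Printed, not executed, so it can be
# reviewed; the two passwords are read from the environment at run time.
corrected_install_cmd() {
    certs=$(ipa_cert_args \
        "/etc/pki/tls/private/freeipam.example.com.pem /etc/pki/tls/certs/freeipam.example.com.crt" \
        "/etc/pki/tls/certs/freeipam.example.com.crt /etc/pki/tls/private/freeipam.example.com.pem" \
        "") || return 1
    printf '%s\n' "ipa-server-install --realm EXAMPLE.COM -n example.com \
-p \"\$DM_PASSWORD\" -a \"\$ADMIN_PASSWORD\" \
--hostname=freeipam.example.com --ip-address=10.1.8.24 \
$certs --dirsrv-pin='' --http-pin='' \
--ca-cert-file=/etc/pki/ca-trust/source/anchors/Subordinate-CA.pem \
--ca-cert-file=/etc/pki/ca-trust/source/anchors/External-CA.pem \
--mkhomedir -N --no-host-dns --unattended"
}

corrected_install_cmd
```

Run `kdc_cert_ok /etc/pki/tls/certs/freeipam.example.com.crt` before deciding: if it fails, the external CA did not issue a KDC-capable certificate and --no-pkinit (as flo says) is the way to let the IPA CA issue one. Two caveats: the exit status of ipa_cert_args reproduces the installer's own "... are required" check, so the three cases (all external, LDAP+HTTP external with --no-pkinit, nothing external) are the only ones that pass; and passwords given with -p/-a on the command line, as in the poster's invocation, are visible in process listings and shell history, so clear the history afterwards or run the installer interactively where that is acceptable.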