On 03/05/2021 08:50, Florence Renaud wrote:
Hi,
the issue looks similar to https://pagure.io/freeipa/issue/8614. Did you try installation on a node which was previously installed? There may be a remaining cert in /etc/ipa/ca.crt or in the system-wide trust store (for instance check in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem). If the previous installation had the same domain name, the CA cert subject is the same and the installer tries to import a CA cert similar to the previous one but generated with a different key.

If that's the case you need to uninstall ipa with ipa-server-install --uninstall -U, then delete /etc/ipa/ca.crt and run update-ca-trust + ensure the CA has been removed from /etc/pki/ca-trust.
flo
Yes, there was IPA deployed before on the box, but IPA was also uninstalled and the uninstaller claimed it was successful. Should that not be enough, the uninstaller succeeding? There was, certainly not consciously, no IPA cert put into the system-wide store. Cannot troubleshoot unfortunately, as a clean-slate KVM VM rollback was the quick "fix" I did.


On Sat, May 1, 2021 at 7:51 PM lejeczek via FreeIPA-users <[email protected]> wrote:

    Hi guys.

    That is quite bizarre, don't you think? It's a first master installation.

    Configuring directory server (dirsrv)
       [1/3]: configuring TLS for DS instance
       [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/certutil', '-d',
    'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA CA', '-t', 'CT,C,C', '-a', '-f',
    '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero exit status 255:
    'certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
    import a cert with the same issuer/serial as an existing cert, but that is not the same cert.\n')
    CalledProcessError(Command ['/usr/bin/certutil', '-d',
    'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA CA', '-t', 'CT,C,C', '-a', '-f',
    '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero exit status 255:
    'certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
    import a cert with the same issuer/serial as an existing cert, but that is not the same cert.\n')
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

    It's a new install, certainly there is no '/etc/dirsrv/slapd-PRIV-COM' prior to install.
    regards, L.
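A diagnostic for the leftover Florence describes, added here as an example and not code from the thread or from FreeIPA: it splits a PEM bundle (for instance the tls-ca-bundle.pem path mentioned above) into individual certificates and reports any whose subject matches the candidate CA cert but whose SHA-256 fingerprint differs, i.e. a same-subject CA issued with a different key. The function name find_stale_ca and the argument order are my own; it assumes openssl and awk are available.

```shell
#!/bin/sh
# find_stale_ca BUNDLE.pem NEW_CA.pem
# Prints one "STALE: ..." line per certificate in BUNDLE whose subject equals
# the subject of NEW_CA but whose fingerprint differs (same name, different
# key or serial). Returns 1 if any such certificate was found, 0 otherwise.
find_stale_ca() {
    bundle="$1"; newca="$2"
    new_subject=$(openssl x509 -in "$newca" -noout -subject)
    new_fp=$(openssl x509 -in "$newca" -noout -fingerprint -sha256)
    tmpdir=$(mktemp -d)
    # Split the bundle into one file per certificate; text before the first
    # BEGIN line (comments, trust headers) is dropped because n is still 0.
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$bundle"
    found=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject)
        [ "$subj" = "$new_subject" ] || continue
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
        if [ "$fp" != "$new_fp" ]; then
            serial=$(openssl x509 -in "$f" -noout -serial)
            echo "STALE: $subj $serial $fp"
            found=1
        fi
    done
    rm -rf "$tmpdir"
    return $found
}
```

A non-zero return means a CA with the same name but different key is still trusted and would collide on import; an identical copy of the new cert in the bundle is not reported.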

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure