On Mon, May 3, 2021 at 1:30 PM lejeczek via FreeIPA-users <[email protected]> wrote:

> On 03/05/2021 08:50, Florence Renaud wrote:
> > Hi,
> > the issue looks similar to
> > https://pagure.io/freeipa/issue/8614.
> > Did you try installation on a node which was previously
> > installed? There may be a remaining cert in
> > /etc/ipa/ca.crt or in the system-wide trust store (for
> > instance check in
> > /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem). If the
> > previous installation had the same domain name, the CA
> > cert subject is the same and the installer tries to import
> > a CA cert similar to the previous one but generated with a
> > different key.
> >
> > If that's the case you need to uninstall ipa with
> > ipa-server-install --uninstall -U, then delete
> > /etc/ipa/ca.crt and run update-ca-trust + ensure the CA
> > has been removed from /etc/pki/ca-trust.
> > flo
>
> Yes, there was IPA deployed before on the box but also was
> IPA uninstalled and uninstaller claimed it was successful.
> Should that not be enough, uninstaller succeeding?

Yes, a successful uninstallation should have cleaned up the trust store, but bugs happen...
flo

> There was, certainly not consciously, no IPA's cert put into
> system-wide store.
> Cannot troubleshoot unfortunately as a clean-slate kvm vm
> rollback was the quick "fix" I did.
>
> > On Sat, May 1, 2021 at 7:51 PM lejeczek via FreeIPA-users
> > <[email protected]> wrote:
> >
> >     Hi guys.
> >
> >     That is quite bizarre, don't you think? It's a first master
> >     installation.
> >
> >     Configuring directory server (dirsrv)
> >        [1/3]: configuring TLS for DS instance
> >        [error] CalledProcessError: CalledProcessError(Command
> >     ['/usr/bin/certutil', '-d',
> >     'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n',
> >     'PRIV.COM IPA CA', '-t', 'CT,C,C', '-a', '-f',
> >     '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero
> >     exit status 255: 'certutil: could not decode certificate:
> >     SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
> >     import a cert with the same issuer/serial as an existing
> >     cert, but that is not the same cert.\n')
> >     CalledProcessError(Command ['/usr/bin/certutil', '-d',
> >     'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n',
> >     'PRIV.COM IPA CA', '-t', 'CT,C,C', '-a', '-f',
> >     '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero
> >     exit status 255: 'certutil: could not decode certificate:
> >     SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
> >     import a cert with the same issuer/serial as an existing
> >     cert, but that is not the same cert.\n')
> >     The ipa-server-install command failed. See
> >     /var/log/ipaserver-install.log for more information
> >
> >     It's a new install, certainly there is no
> >     '/etc/dirsrv/slapd-PRIV-COM' prior to install.
> >     regards, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
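
Added example, not part of the thread and not FreeIPA's own code: a stdlib-only Python check for the condition behind SEC_ERROR_REUSED_ISSUER_AND_SERIAL, that is, two different certificates sharing one issuer and serial, as happens when a leftover CA cert from an earlier install meets a regenerated one. The function names and the sample_pem helper (which builds constructed, unsigned test data) are assumptions of this example.

```python
import base64, hashlib, re, sys
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Return (raw issuer Name bytes, serial number) of a DER certificate."""
    _, tbs, _ = _tlv(der, 0)                   # outer Certificate SEQUENCE
    _, pos, _ = _tlv(der, tbs)                 # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                            # optional [0] version field
        tag, start, end = _tlv(der, end)
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, alg_end = _tlv(der, end)             # skip signature algorithm
    _, _, name_end = _tlv(der, alg_end)        # issuer Name
    return der[alg_end:name_end], serial

def find_reused(pem_blobs):
    """pem_blobs maps a source label to PEM bytes. Returns [(serial, [sources])]
    for certs that share issuer and serial but differ in content."""
    seen = defaultdict(dict)                   # (issuer, serial) -> {sha256: source}
    for source, blob in pem_blobs.items():
        for match in PEM_RE.finditer(blob):
            der = base64.b64decode(match.group(1))
            seen[issuer_and_serial(der)][hashlib.sha256(der).digest()] = source
    return [(k[1], sorted(set(c.values()))) for k, c in seen.items() if len(c) > 1]

def sample_pem(serial, key):
    """Constructed, unsigned certificate-shaped DER, for demonstration only."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x0a") + enc(0x0C, b"PRIV.COM"))))
    tbs = enc(0x30, enc(0xA0, b"\x02\x01\x02") + enc(0x02, bytes([serial]))
              + enc(0x30, b"") + name + enc(0x04, key))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(enc(0x30, tbs))
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":                     # args: PEM files to compare
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]}
    print(find_reused(blobs) or "no issuer/serial collisions")
```

Run it with /etc/ipa/ca.crt, /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and the new CA certificate as arguments; any reported source still holds a stale cert to remove before reinstalling.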
