Marco Pizzoli wrote:


On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    Marco Pizzoli wrote:

        Hi guys,
        I'm running freeipa-server-2.1.4-5.fc16.__x86_64.

        Following the documentation I can see that to uninstall and
        reinstall a
        freeipa system it is sufficient to:

         > ipa-server-install <parameters>
         > ipa-server-install --uninstall
         > ipa-server-install <parameters>

        Well, when re-installing the system, I get this error on the
        console:
        [cut]
        done configuring named.
        Configuration of client side components failed!
        ipa-client-install returned: Command '/usr/sbin/ipa-client-install
        --on-master --unattended --domain unix.mydomain.it
        <http://unix.mydomain.it>
        <http://unix.mydomain.it> --server freeipa01.unix.mydomain.it
        <http://freeipa01.unix.mydomain.it>
        <http://freeipa01.unix.__mydomain.it
        <http://freeipa01.unix.mydomain.it>> --realm UNIX.MYDOMAIN.IT
        <http://UNIX.MYDOMAIN.IT>
        <http://UNIX.MYDOMAIN.IT> --hostname freeipa01.unix.mydomain.it
        <http://freeipa01.unix.mydomain.it>
        <http://freeipa01.unix.__mydomain.it
        <http://freeipa01.unix.mydomain.it>>' returned non-zero exit
        status 1


        I had a look to /var/log/ipaclient-install.log and I saw these lines

        [cut]
        2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
        http://freeipa01.unix.__mydomain.it/ipa/config/ca.crt
        <http://freeipa01.unix.mydomain.it/ipa/config/ca.crt>
        2012-02-14 09:53:39,435 DEBUG stdout=
        2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--
        http://freeipa01.unix.__mydomain.it/ipa/config/ca.crt
        <http://freeipa01.unix.mydomain.it/ipa/config/ca.crt>
        Resolving freeipa01.unix.mydomain.it... 192.168.146.131
        Connecting to freeipa01.unix.mydomain.it
        <http://freeipa01.unix.mydomain.it>
        <http://freeipa01.unix.__mydomain.it
        <http://freeipa01.unix.mydomain.it>>|192.168.146.131|:__80...
        connected.

        HTTP request sent, awaiting response... 200 OK
        Length: 1325 (1.3K) [application/x-x509-ca-cert]
        Saving to: <E2><80><9C>/etc/ipa/ca.crt<__E2><80><9D>

              0K .
        100%  270M=0s

        2012-02-14 09:53:39 (270 MB/s) -
        <E2><80><9C>/etc/ipa/ca.crt<__E2><80><9D>
        saved [1325/1325]


        2012-02-14 09:53:39,436 DEBUG Backing up system configuration file
        '/etc/sssd/sssd.conf'
        2012-02-14 09:53:39,463 DEBUG Saving Index File to
        '/var/lib/ipa-client/__sysrestore/sysrestore.index'
        2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it
        <http://unix.csebo.it>
        <http://unix.csebo.it> is already configured in existing SSSD
        config,

        creating a new one.
        2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d
        /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
        2012-02-14 09:53:39,643 DEBUG stdout=
        2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain
        certificate from file: You are attempting to import a cert with
        the same
        issuer/serial as an existing cert, but that is not the same cert.


        So I tried a new "ipa-server-install --uninstall" and checked
        the file
        /etc/ipa/ca.crt. And it remained there.
        What is the problem?


    The problem isn't the existence of the file, it is the existence of
    the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d
    /etc/pki/nsdb


[root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
certutil: could not find certificate named "IPA CA": security library:
bad database.

Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to