Marco Pizzoli wrote:

On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden wrote:

    Marco Pizzoli wrote:

        Hi guys,
        I'm running freeipa-server-2.1.4-5.fc16.x86_64.

        Following the documentation I can see that to uninstall and
        reinstall a
        freeipa system it is sufficient to:

         > ipa-server-install <parameters>
         > ipa-server-install --uninstall
         > ipa-server-install <parameters>

        Well, when re-installing the system, I get this error on the
        done configuring named.
        Configuration of client side components failed!
        ipa-client-install returned: Command '/usr/sbin/ipa-client-install
        --on-master --unattended --domain
        <> --server
        <>> --realm UNIX.MYDOMAIN.IT
        --hostname
        <>>' returned non-zero exit
        status 1

        I had a look at /var/log/ipaclient-install.log and I saw these lines:

        2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
        2012-02-14 09:53:39,435 DEBUG stdout=
        2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--
        Connecting to

        HTTP request sent, awaiting response... 200 OK
        Length: 1325 (1.3K) [application/x-x509-ca-cert]
        Saving to: “/etc/ipa/ca.crt”

              0K .
        100%  270M=0s

        2012-02-14 09:53:39 (270 MB/s) -
        saved [1325/1325]

        2012-02-14 09:53:39,436 DEBUG Backing up system configuration file
        2012-02-14 09:53:39,463 DEBUG Saving Index File to
        2012-02-14 09:53:39,540 DEBUG Domain
        <> is already configured in existing SSSD

        creating a new one.
        2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d
        /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
        2012-02-14 09:53:39,643 DEBUG stdout=
        2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain
        certificate from file: You are attempting to import a cert with
        the same
        issuer/serial as an existing cert, but that is not the same cert.

        So I tried a new "ipa-server-install --uninstall" and checked
        the file
        /etc/ipa/ca.crt. And it remained there.
        What is the problem?

    The problem isn't the existence of the file, it is the existence of
    the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d

[root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
certutil: could not find certificate named "IPA CA": security library:
bad database.

Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?
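
The certutil error quoted above means the NSS database already holds a certificate with the same issuer and serial number as /etc/ipa/ca.crt but with different contents. The script below is an added example, not part of the original thread: it compares the two certificates to confirm that condition. It assumes openssl is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Paths and nickname are the ones quoted in the thread.
NSSDB=/etc/pki/nssdb
NICK='IPA CA'
NEW_CERT=/etc/ipa/ca.crt

# Read a PEM certificate on stdin and print "issuer|serial|sha256-fingerprint".
cert_summary() {
    openssl x509 -noout -issuer -serial -fingerprint -sha256 |
        sed -e 's/^[^=]*=//' | paste -s -d '|' -
}

# Compare two summaries produced by cert_summary.
#   same     : identical certificate, import would be a no-op
#   conflict : same issuer/serial but different cert (the certutil -A error)
#   distinct : different issuer or serial, no collision
classify() {
    a_id=${1%|*}; b_id=${2%|*}      # issuer|serial part
    a_fp=${1##*|}; b_fp=${2##*|}    # fingerprint part
    if [ "$a_id" != "$b_id" ]; then
        echo distinct
    elif [ "$a_fp" = "$b_fp" ]; then
        echo same
    else
        echo conflict
    fi
}

# Compare the cert stored under $NICK in the NSS database with $NEW_CERT.
check_ipa_ca() {
    old=$(certutil -L -d "$NSSDB" -n "$NICK" -a 2>/dev/null | cert_summary 2>/dev/null)
    new=$(cert_summary 2>/dev/null < "$NEW_CERT")
    [ -n "$old" ] || { echo "no readable '$NICK' entry in $NSSDB"; return 2; }
    [ -n "$new" ] || { echo "cannot parse $NEW_CERT"; return 2; }
    classify "$old" "$new"
}
```

Run `check_ipa_ca` as root on the affected host; a result of `conflict` means a certificate left over from the previous install is still in the database.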

