I was able to solve this by recreating my test CA. I believe the problem was with non-matching Organisation between the CSR and CA - but I don't have the knowledge to know if this is really required.

Anyhow, things work, despite not having removed the "-----BEGIN CERTIFICATE-----" lines this time around.

Thanks for the help and sorry for wasting your time!

--
William Leese
Production Engineer, Operations, Asia Pacific
Meltwater Group

On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin <pvikt...@redhat.com> wrote:

> On 11/07/2013 08:34 AM, William Leese wrote:
>
>> [root@vagrant-centos-6 CA]# cat /root/server.pem
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 2 (0x2)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
>> Validity
>> Not Before: Nov 6 05:12:09 2013 GMT
>> Not After : Nov 6 05:12:09 2014 GMT
>> Subject: O=MELTWATER.COM, CN=Certificate Authority
>> [snip]
>> -----BEGIN CERTIFICATE-----
>> MIIDfDCCAmSgAwIBAgIBAjANBgkqhk__iG9w0BAQUFADB5MQswCQYDVQQGEwJK
>> __UDEL
>> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1__RLSzELMAkGA1UECgwCTVcxDDAKBgNV
>> __BAsM
>> A29wczEcMBoGA1UEAwwTdmFncmFudC__5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3
>> __DQEJ
>>
>> [snip]
>>
>> Try removing everything before the -----BEGIN CERTIFICATE----- line
>> from the PEM.
>>
>> Well that was unexpected: removing the BEGIN Certificate / End lines now
>> makes the install proceed up until:
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> The PKCS#10 certificate is not signed by the external CA (unknown issuer
>> E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).
>
> Can you please post more (all) of /var/lig/ipaserver-install.log? We need
> to know where exactly the issue is occurring and what the traceback is.
>
>> Do I need to do anything to make my freshly created internal CA trusted
>> for the installation? I've tried the usual magic in /etc/pki/tls/certs,
>> but to no avail.
>
> No, --external_ca_file should have been enough.
>
> --
> Petr³
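A pre-flight check for the "not signed by the external CA (unknown issuer ...)" error discussed in this thread, as an added example that is not part of the original messages or of FreeIPA: before handing the two files to the installer, confirm that the signed certificate's issuer DN equals the CA file's subject DN and that the signature verifies against that CA. It goes slightly beyond the thread by also covering a recreated CA that reuses the same DN with a new key. The function names, file names and DNs are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. All file names and DNs are constructed.

# Keep only the PEM block; drops an "openssl x509 -text" dump placed before it.
pem_only() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Print the subject or issuer of a certificate as an RFC 2253 DN string.
dn_of() {  # usage: dn_of subject|issuer FILE
  pem_only "$2" | openssl x509 -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Prints one of: ok | issuer-mismatch | verify-failed
check_signed_cert() {  # usage: check_signed_cert CA_FILE SIGNED_CERT_FILE
  local ca=$1 cert=$2 tmp
  if [ "$(dn_of issuer "$cert")" != "$(dn_of subject "$ca")" ]; then
    echo issuer-mismatch; return 0
  fi
  tmp=$(mktemp -d)
  pem_only "$ca" > "$tmp/ca.pem"; pem_only "$cert" > "$tmp/cert.pem"
  # Same DN is not enough: the signature must verify with this CA's key.
  if openssl verify -CAfile "$tmp/ca.pem" "$tmp/cert.pem" >/dev/null 2>&1
  then echo ok; else echo verify-failed; fi
  rm -rf "$tmp"
}

# Constructed test data: CA "a", an unrelated CA "b", and "a2", which reuses
# the DN of "a" with a fresh key (a recreated CA). One CSR is signed by "a".
demo() {
  local d n; d=$(mktemp -d)
  for n in a b a2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=MW/CN=Test CA ${n%2}" \
      -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$d/s.key" -out "$d/s.csr" 2>/dev/null
  openssl x509 -req -in "$d/s.csr" -CA "$d/a.pem" -CAkey "$d/a.key" -CAcreateserial \
    -days 1 -out "$d/s.crt" 2>/dev/null
  # Same file shape as /root/server.pem in the thread: text dump, then PEM block.
  openssl x509 -in "$d/s.crt" -text -out "$d/server.pem"
  for n in a b a2; do check_signed_cert "$d/$n.pem" "$d/server.pem"; done | tr '\n' ' '
  rm -rf "$d"
}

demo; echo
```
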