I was able to solve this by recreating my test CA. I believe the problem
was with non-matching Organisation between the CSR and CA - but I dont have
the knowledge to know if this is really required.

Anyhow, things work, despite not having removed the "-----BEGIN
CERTIFICATE-----" lines this time around.

Thanks for the help and sorry for wasting your time!

William Leese
Production Engineer,
Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com

This email and any attachment(s) is intended for and confidential to the
addressee. If you are neither the addressee nor an authorized recipient for
the addressee, please notify us of receipt, delete this message from your
system and do not use, copy or disseminate the information in, or attached
to it, in any way. Our messages are checked for viruses but please note
that we do not accept liability for any viruses which may be transmitted in
or with this message.

On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin <pvikt...@redhat.com> wrote:

> On 11/07/2013 08:34 AM, William Leese wrote:
>>         [root@vagrant-centos-6 CA]# cat /root/server.pem
>>         Certificate:
>>               Data:
>>                   Version: 3 (0x2)
>>                   Serial Number: 2 (0x2)
>>                   Signature Algorithm: sha1WithRSAEncryption
>>                   Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
>>         CN=vagrant.localdomain/__emailAddress=t...@t.com <mailto:t...@t.com>
>>         <mailto:t...@t.com <mailto:t...@t.com>>
>>                   Validity
>>                       Not Before: Nov  6 05:12:09 2013 GMT
>>                       Not After : Nov  6 05:12:09 2014 GMT
>>                   Subject: O=MELTWATER.COM <http://MELTWATER.COM>
>>         <http://MELTWATER.COM>, CN=Certificate
>>         Authority
>>         [snip]
>>         -----BEGIN CERTIFICATE-----
>> __UDEL
>> __BAsM
>>         A29wczEcMBoGA1UEAwwTdmFncmFudC__5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3
>> __DQEJ
>>         [snip]
>>     Try removing everything before the -----BEGIN CERTIFICATE----- line
>>     from the PEM.
>> Well that was unexpected: removing the BEGIN Certificate / End lines now
>> makes the install proceed up until:
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> The PKCS#10 certificate is not signed by the external CA (unknown issuer
>> E=x...@x.com <mailto:x...@x.com>,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=
>> JP,C=JP).
> Can you please post more (all) of /var/lig/ipaserver-install.log? We need
> to know where exactly the issue is occuring and what the traceback is.
>  Do I need to do anything to make my freshly created internal CA trusted
>> for the installation? I've tried the usual magic in /etc/pki/tls/certs,
>> but to no avail.
> No, --external_ca_file should have been enough.
> --
> Petrł
Freeipa-users mailing list

Reply via email to