Here is the snippet with the error:

2015-01-07T14:04:57Z DEBUG Adding CA certificates to the IPA NSS database.
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
p11-kit: failed to find certificates: The device is invalid or unrecognizable

2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust database: Command ''/usr/bin/update-ca-trust'' returned non-zero exit status 1
2015-01-07T14:04:58Z DEBUG Attempting to add CA certificates to the default NSS database.
2015-01-07T14:04:58Z DEBUG Starting external process
2015-01-07T14:04:58Z DEBUG args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:58Z DEBUG Process finished, return code=255
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

2015-01-07T14:04:58Z ERROR Failed to add ANOTHER.COM IPA CA to the default NSS database.
2015-01-07T14:04:58Z WARNING Installation failed. As this is IPA server, changes will not be rolled back.

On 1/7/15 7:19 AM, Martin Kosek wrote:
On 01/07/2015 02:51 PM, Janelle wrote:
Hello fellow IPAers

I know this has been written about before - the python scripts and
fedora-domain vs rhel-domain on RHEL/CentOS 7. The question is - was there a
permanent fix yet? I continue to run into it during installs and have to edit
python files to get the client install to not error out during the server
install.  This is of course with CentOS 7 and IPA 4.1.2.

Any options/comments?
Thank you
Janelle

--------------------------------
(install snippet)
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Sample zone file for bind has been created in /tmp/sample.zone.vTMlCB.db
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--on-master' '--unattended' '--domain' 'another.com' '--server'
'ipa1.another.com' '--realm' 'ANOTHER.COM' '--hostname' 'ipa1.another.com''
returned non-zero exit status 1

Hi Janelle,

Yes, this should have been resolved in
https://fedorahosted.org/freeipa/ticket/4562
CCing Jan.

Are you sure it is caused by this problem? Can you add a snippet of the
ipaclient-install.log with the actual failures? Your install snippet does not
help that much.

Can you please also check that you have the right FreeIPA platform file loaded?
At least giving us output from this grep should help:

$ grep domainname /usr/lib/python2.7/site-packages/ipaplatform/services.py

Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
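
An added example, not part of the original thread or of FreeIPA: a small Python parser for the log format shown in the snippet at the top, listing each external process that exited non-zero with its repeated stderr lines collapsed. The function name and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample, modelled on the ipaclient-install.log excerpt in this thread.
SAMPLE_LOG = """\
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'ANOTHER.COM IPA CA' '-t' 'CT,C,C'
2015-01-07T14:04:57Z DEBUG Process finished, return code=0
2015-01-07T14:04:57Z DEBUG stdout=
2015-01-07T14:04:57Z DEBUG stderr=
2015-01-07T14:04:57Z DEBUG Starting external process
2015-01-07T14:04:57Z DEBUG args='/usr/bin/update-ca-trust'
2015-01-07T14:04:58Z DEBUG Process finished, return code=1
2015-01-07T14:04:58Z DEBUG stdout=
2015-01-07T14:04:58Z DEBUG stderr=p11-kit: failed to find certificates: The device is invalid or unrecognizable
p11-kit: failed to find certificates: The device is invalid or unrecognizable

2015-01-07T14:04:58Z ERROR Could not update systemwide CA trust database
"""

# A log entry starts with an ISO timestamp and an upper-case level name.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:]+Z) ([A-Z]+) (.*)$")

def failed_commands(log_text):
    """Return one dict per external process that exited non-zero."""
    failures, current, in_stderr = [], None, False
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            # Untimestamped line: continuation of a multi-line stderr value.
            if in_stderr and current and line.strip() and line not in current["stderr"]:
                current["stderr"].append(line)
            continue
        in_stderr = False
        msg = m.group(3)
        if msg.startswith("args="):
            current = {"time": m.group(1), "args": re.findall(r"'([^']*)'", msg), "rc": None, "stderr": []}
        elif current and msg.startswith("Process finished, return code="):
            current["rc"] = int(msg.rsplit("=", 1)[1])
            if current["rc"] != 0:
                failures.append(current)  # stderr is filled in by later lines
        elif current and msg.startswith("stderr="):
            in_stderr = True
            if msg[7:]:
                current["stderr"].append(msg[7:])
    return failures

if __name__ == "__main__":
    for f in failed_commands(SAMPLE_LOG):
        print(f["time"], f["rc"], " ".join(f["args"]), f["stderr"])
```
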