On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote:

I'm trying to reinstall ipa client, but have a problem with old/existing
ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA
server still on development and always reinstalled, I need to reproduce
any possible problem/error on FreeIPA 4.x on CentOS 7.

The error was :
LDAP Error: Connect error: TLS error -8054:You are attempting to import
a cert with the same issuer/serial as an existing cert, but that is not
the same cert.

Currently, I was renamed ca.crt to ca.crt.old and the ipa client
successfully reconnected to new FreeIPA Server using dns discovery.

Is it normal? And why the ipa-client-install --uninstall didn't
completely remove the old ca.crt?


ipa-client-install uninstall the CA certificate properly since FreeIPA 3.2. This is the upstream ticket:

CentOS/RHEL speaking, this should be thus fixed in 7.0+. In 6.x versions, you need to delete the certificate manually if you reinstalled the IPA server.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to