ipa-server-install asked me to get the CSR signed and come back,
but then it refused to continue:

# ipa-server-install -n example.com -r EXAMPLE.COM --external-ca --subject="C=DE,O=example AG" --setup-dns --forwarder=8.8.4.4 --forwarder=8.8.8.8
:
:
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

# /usr/sbin/ipa-server-install --external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt
:
:
ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate not found in /root/ipa_ipa1.crt, /root/root-ca.crt


openssl verify shows the certificate is OK:

# openssl verify -CAfile /root/root-ca.crt /root/ipa_ipa1.crt
/root/ipa_ipa1.crt: OK
# openssl verify -CAfile /root/root-ca.crt /root/root-ca.crt
/root/root-ca.crt: OK

The CA attribute is set as well, pathlen=0, etc.:

# openssl x509 -in /root/ipa_ipa1.crt -noout -text | less
:
:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
:


Google hasn't seen this error before, either (AFAICS). Every helpful
hint is highly appreciated.


Harri
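
A check for readers who hit the same error, added here and not part of the original message or of FreeIPA: `openssl verify` only validates the chain, so this script also compares the subject and public key in the CSR with those in the issued certificate. It assumes the installer identifies the IPA CA certificate by those CSR values; the function names and the generated sample files are illustrative.

```shell
#!/bin/sh
# Added example, not from the original message. Assumption: the installer
# recognises the IPA CA certificate by the subject (and key) from the CSR.

# subject_of req|x509 FILE: subject in RFC 2253 form, "subject=" removed.
subject_of() {
    out=$(openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    printf '%s\n' "${out#subject=}" | sed -e 's/^ *//'
}

# csr_matches_cert CSR CERT
# Returns 0 on a match, 1 if the subjects differ, 2 if the public keys
# differ, 3 if either file cannot be parsed.
csr_matches_cert() {
    csr_subj=$(subject_of req "$1") || return 3
    crt_subj=$(subject_of x509 "$2") || return 3
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 3
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 3
    if [ "$csr_subj" != "$crt_subj" ]; then
        echo "subject differs: CSR '$csr_subj' vs certificate '$crt_subj'"
        return 1
    fi
    if [ "$csr_key" != "$crt_key" ]; then
        echo "public key differs between CSR and certificate"
        return 2
    fi
    echo "subject and public key match: $crt_subj"
}

# make_samples DIR: constructed test data. One key and CSR, a certificate
# carrying the CSR's subject, and one whose RDNs were reordered on issue.
# Both certificates are self-signed to keep the sample small.
make_samples() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -subj "/O=example AG/CN=Certificate Authority" \
        -out "$1/ipa.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ipa.csr" -signkey "$1/ca.key" -days 1 \
        -out "$1/same.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca.key" -days 1 \
        -subj "/CN=Certificate Authority/O=example AG" \
        -out "$1/reordered.crt" 2>/dev/null
}

# With two arguments, compare real files, e.g. the CSR and certificate
# paths from the message: /root/ipa.csr /root/ipa_ipa1.crt
if [ "$#" -eq 2 ]; then
    csr_matches_cert "$1" "$2"
fi
```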
