ipa-server-install asked me to get the csr signed and come back,
but then it refused to continue:

# ipa-server-install -n example.com -r EXAMPLE.COM --external-ca 
--subject="C=DE,O=example AG" --setup-dns --forwarder= 
The next step is to get /root/ipa.csr signed by your CA and re-run 
/usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate 

# /usr/sbin/ipa-server-install --external-cert-file=/root/ipa_ipa1.crt 
ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate not 
found in /root/ipa_ipa1.crt, /root/root-ca.crt

openssl verify shows the certificate is OK:

# openssl verify -CAfile /root/root-ca.crt /root/ipa_ipa1.crt
/root/ipa_ipa1.crt: OK
# openssl verify -CAfile /root/root-ca.crt /root/root-ca.crt
/root/root-ca.crt: OK

The CA attribute is set as well, pathlen=0, etc:

# openssl x509 -in /root/ipa_ipa1.crt -noout -text | less
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:

Google hasn't seen this error before, either (AFAICS). Every helpful
hint is highly appreciated.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to