ipa-server-install asked me to get the csr signed and come back, but then it refused to continue:

# ipa-server-install -n example.com -r EXAMPLE.COM --external-ca --subject="C=DE,O=example AG" --setup-dns --forwarder=8.8.4.4 --forwarder=8.8.8.8
:
:
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

# /usr/sbin/ipa-server-install --external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt
:
:
ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /root/ipa_ipa1.crt, /root/root-ca.crt

openssl verify shows the certificate is OK:

# openssl verify -CAfile /root/root-ca.crt /root/ipa_ipa1.crt
/root/ipa_ipa1.crt: OK
# openssl verify -CAfile /root/root-ca.crt /root/root-ca.crt
/root/root-ca.crt: OK

The CA attribute is set as well, pathlen=0, etc:

# openssl x509 -in /root/ipa_ipa1.crt -noout -text | less
:
:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
:

Google hasn't seen this error before, either (AFAICS).

Every helpful hint is highly appreciated.

Harri