Re: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install

Wed, 15 Feb 2012 09:44:14 -0800 

On Tue, Feb 14, 2012 at 8:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Marco Pizzoli wrote:
>
>>
>>
>> On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>>    Marco Pizzoli wrote:
>>
>>        Hi guys,
>>        I'm running freeipa-server-2.1.4-5.fc16.__**x86_64.
>>
>>
>>        Following the documentation I can see that to uninstall and
>>        reinstall a
>>        freeipa system it is sufficient to:
>>
>>         > ipa-server-install <parameters>
>>         > ipa-server-install --uninstall
>>         > ipa-server-install <parameters>
>>
>>        Well, when re-installing the system, I get this error on the
>>        console:
>>        [cut]
>>        done configuring named.
>>        Configuration of client side components failed!
>>        ipa-client-install returned: Command '/usr/sbin/ipa-client-install
>>        --on-master --unattended --domain unix.mydomain.it
>>        <http://unix.mydomain.it>
>>        <http://unix.mydomain.it> --server freeipa01.unix.mydomain.it
>>        
>> <http://freeipa01.unix.**mydomain.it<http://freeipa01.unix.mydomain.it>
>> >
>>        <http://freeipa01.unix.__mydom**ain.it <http://mydomain.it>
>>
>>        
>> <http://freeipa01.unix.**mydomain.it<http://freeipa01.unix.mydomain.it>>>
>> --realm UNIX.MYDOMAIN.IT
>>        <http://UNIX.MYDOMAIN.IT>
>>        <http://UNIX.MYDOMAIN.IT> --hostname freeipa01.unix.mydomain.it
>>        
>> <http://freeipa01.unix.**mydomain.it<http://freeipa01.unix.mydomain.it>
>> >
>>        <http://freeipa01.unix.__mydom**ain.it <http://mydomain.it>
>>
>>        
>> <http://freeipa01.unix.**mydomain.it<http://freeipa01.unix.mydomain.it>>>'
>> returned non-zero exit
>>        status 1
>>
>>
>>        I had a look to /var/log/ipaclient-install.log and I saw these
>> lines
>>
>>        [cut]
>>        2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
>>        
>> http://freeipa01.unix.__mydoma**in.it/ipa/config/ca.crt<http://mydomain.it/ipa/config/ca.crt>
>>
>>        
>> <http://freeipa01.unix.**mydomain.it/ipa/config/ca.crt<http://freeipa01.unix.mydomain.it/ipa/config/ca.crt>
>> >
>>        2012-02-14 09:53:39,435 DEBUG stdout=
>>        2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--
>>        
>> http://freeipa01.unix.__mydoma**in.it/ipa/config/ca.crt<http://mydomain.it/ipa/config/ca.crt>
>>
>>        
>> <http://freeipa01.unix.**mydomain.it/ipa/config/ca.crt<http://freeipa01.unix.mydomain.it/ipa/config/ca.crt>
>> >
>>        Resolving freeipa01.unix.mydomain.it... 192.168.146.131
>>        Connecting to freeipa01.unix.mydomain.it
>>        
>> <http://freeipa01.unix.**mydomain.it<http://freeipa01.unix.mydomain.it>
>> >
>>        <http://freeipa01.unix.__mydom**ain.it <http://mydomain.it>
>>        
>> <http://freeipa01.unix.**mydomain.it<http://freeipa01.unix.mydomain.it>
>> >>|192.168.146.131|**:__80...
>>
>>        connected.
>>
>>        HTTP request sent, awaiting response... 200 OK
>>        Length: 1325 (1.3K) [application/x-x509-ca-cert]
>>        Saving to: <E2><80><9C>/etc/ipa/ca.crt<__**E2><80><9D>
>>
>>
>>              0K .
>>        100%  270M=0s
>>
>>        2012-02-14 09:53:39 (270 MB/s) -
>>        <E2><80><9C>/etc/ipa/ca.crt<__**E2><80><9D>
>>
>>        saved [1325/1325]
>>
>>
>>        2012-02-14 09:53:39,436 DEBUG Backing up system configuration file
>>        '/etc/sssd/sssd.conf'
>>        2012-02-14 09:53:39,463 DEBUG Saving Index File to
>>        '/var/lib/ipa-client/__**sysrestore/sysrestore.index'
>>
>>        2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it
>>        <http://unix.csebo.it>
>>        <http://unix.csebo.it> is already configured in existing SSSD
>>        config,
>>
>>        creating a new one.
>>        2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d
>>        /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
>>        2012-02-14 09:53:39,643 DEBUG stdout=
>>        2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain
>>        certificate from file: You are attempting to import a cert with
>>        the same
>>        issuer/serial as an existing cert, but that is not the same cert.
>>
>>
>>        So I tried a new "ipa-server-install --uninstall" and checked
>>        the file
>>        /etc/ipa/ca.crt. And it remained there.
>>        What is the problem?
>>
>>
>>    The problem isn't the existence of the file, it is the existence of
>>    the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d
>>    /etc/pki/nsdb
>>
>>
>> [root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
>> certutil: could not find certificate named "IPA CA": security library:
>> bad database.
>>
>
> Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?
>

More strange... I re-did a freeipa-install and it worked...
Thanks anyway

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to