Jeff B wrote:
I'm trying to do an ipa-server-install with an --external-ca but after
it generates the .csr and I sign a .crt I can't run the followup
ipa-server-install to import the certificate.
I don't think I'm supposed to run an --uninstall between the
--external-ca and the --external_cert_file installations but I'm not
sure.
Here is what I'm getting:
[root@ipa0 ~]# ipa-server-install --setup-dns --forwarder="10.0.0.53 10.0.1.53" -U -p xxxxxxxx -a xxxxxxxx -u dirsrv -r MYREALM.COM --external-ca
The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
This includes:
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: Hostname (ipa0.averesys.com) not found in DNS
The domain name has been calculated based on the host name.
The IPA Master Server will be configured with
Hostname: ipa0.myrealm.com
IP address: 10.0.0.11
Domain name: myrealm.com
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
[1/4]: creating certificate server user
[2/4]: creating pki-ca instance
[3/4]: restarting certificate server
[4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run
ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate
... Signed the Certificate ...
[root@ipa0 ~]# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ca.crt
The log file for this installation can be found in
/var/log/ipaserver-install.log
IPA server is already configured on this system.
[root@ipa0 ~]# cat /var/log/ipaserver-install.log
2011-01-24 11:36:14,214 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-01-24 11:36:14,309 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-01-24 11:36:14,336 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Looks like a bug. You should be able to work around it by commenting out
these lines in /usr/sbin/ipa-server-install:
    if dsinstance.DsInstance().is_configured() or cainstance.CADSInstance().is_configured():
        sys.exit("IPA server is already configured on this system.")
The Python comment is a hash (#).
I opened ticket https://fedorahosted.org/freeipa/ticket/835 to track this.
rob