Hi, the issue looks similar to https://pagure.io/freeipa/issue/8614. Did you try installation on a node which was previously installed? There may be a remaining cert in /etc/ipa/ca.crt or in the system-wide trust store (for instance check in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem). If the previous installation had the same domain name, the CA cert subject is the same and the installer tries to import a CA cert similar to the previous one but generated with a different key.
If that's the case you need to uninstall ipa with ipa-server-install --uninstall -U, then delete /etc/ipa/ca.crt and run update-ca-trust + ensure the CA has been removed from /etc/pki/ca-trust.

flo

On Sat, May 1, 2021 at 7:51 PM lejeczek via FreeIPA-users <[email protected]> wrote:

> Hi guys.
>
> That is quite bizarre, don't you think? It's a first master
> installation.
>
> Configuring directory server (dirsrv)
> [1/3]: configuring TLS for DS instance
> [error] CalledProcessError: CalledProcessError(Command
> ['/usr/bin/certutil', '-d',
> 'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA
> CA', '-t', 'CT,C,C', '-a', '-f',
> '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero
> exit status 255: 'certutil: could not decode certificate:
> SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
> import a cert with the same issuer/serial as an existing
> cert, but that is not the same cert.\n')
> CalledProcessError(Command ['/usr/bin/certutil', '-d',
> 'sql:/etc/dirsrv/slapd-PRIV-COM/', '-A', '-n', 'PRIV.COM IPA
> CA', '-t', 'CT,C,C', '-a', '-f',
> '/etc/dirsrv/slapd-PRIV-COM/pwdfile.txt'] returned non-zero
> exit status 255: 'certutil: could not decode certificate:
> SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to
> import a cert with the same issuer/serial as an existing
> cert, but that is not the same cert.\n')
> The ipa-server-install command failed. See
> /var/log/ipaserver-install.log for more information
>
> It's a new install, certainly there is no
> '/etc/dirsrv/slapd-PRIV-COM' prior to install.
> regards, L.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
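The reply above attributes SEC_ERROR_REUSED_ISSUER_AND_SERIAL to a leftover CA certificate that shares issuer and serial with the new one but was generated with a different key. The following check is an added example, not part of the thread or of FreeIPA: it scans the two PEM files named in the reply for certificates with the same issuer/serial but different contents, using a minimal DER walker (an assumption of this example; it does not read NSS databases).

```python
import base64, hashlib, os, re
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Paths named in the reply above.
PATHS = ["/etc/ipa/ca.crt", "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"]

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Return (issuer Name as DER bytes, serial number) of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)        # TBSCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] version precedes the serial
        tag, start, end = read_tlv(der, end)
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, sig_end = read_tlv(der, end)    # skip the signature AlgorithmIdentifier
    _, _, iss_end = read_tlv(der, sig_end)
    return der[sig_end:iss_end], serial

def find_conflicts(sources):
    """sources maps a label to PEM bytes. Returns {(issuer, serial): {sha256: [labels]}}
    for every issuer/serial pair carried by more than one distinct certificate."""
    seen = defaultdict(lambda: defaultdict(list))
    for label, pem in sources.items():
        for b64 in PEM_RE.findall(pem):
            der = base64.b64decode(b64)
            seen[issuer_and_serial(der)][hashlib.sha256(der).hexdigest()].append(label)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    sources = {}
    for path in PATHS:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                sources[path] = fh.read()
    for (issuer, serial), certs in find_conflicts(sources).items():
        print(f"serial {serial:#x}, issuer DER {issuer.hex()}")
        for digest, labels in certs.items():
            print(f"  sha256 {digest} in {', '.join(sorted(set(labels)))}")
```

No output means neither file holds two different certificates under one issuer/serial; a stale copy could still sit elsewhere under /etc/pki/ca-trust.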
