Thanks for heads up. You mean by the difference between "O=MW" and "O=MELTWATER.COM"?
Petr, is this possible? Can it be validated in the the installer if this is the root cause? Martin On 11/08/2013 01:55 AM, William Leese wrote: > I was able to solve this by recreating my test CA. I believe the problem > was with non-matching Organisation between the CSR and CA - but I dont have > the knowledge to know if this is really required. > > Anyhow, things work, despite not having removed the "-----BEGIN > CERTIFICATE-----" lines this time around. > > Thanks for the help and sorry for wasting your time! > > > -- > William Leese > Production Engineer, > Operations, Asia Pacific > Meltwater Group > m: +81 80 4946 0329 > skype: william.leese1 > w: meltwater.com > > This email and any attachment(s) is intended for and confidential to the > addressee. If you are neither the addressee nor an authorized recipient for > the addressee, please notify us of receipt, delete this message from your > system and do not use, copy or disseminate the information in, or attached > to it, in any way. Our messages are checked for viruses but please note > that we do not accept liability for any viruses which may be transmitted in > or with this message. > > > > On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin <pvikt...@redhat.com> wrote: > >> On 11/07/2013 08:34 AM, William Leese wrote: >> >>> >>> [root@vagrant-centos-6 CA]# cat /root/server.pem >>> Certificate: >>> Data: >>> Version: 3 (0x2) >>> Serial Number: 2 (0x2) >>> Signature Algorithm: sha1WithRSAEncryption >>> Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, >>> CN=vagrant.localdomain/__emailAddress=t...@t.com <mailto:t...@t.com> >>> <mailto:t...@t.com <mailto:t...@t.com>> >>> >>> >>> Validity >>> Not Before: Nov 6 05:12:09 2013 GMT >>> Not After : Nov 6 05:12:09 2014 GMT >>> Subject: O=MELTWATER.COM <http://MELTWATER.COM> >>> <http://MELTWATER.COM>, CN=Certificate >>> >>> Authority >>> [snip] >>> -----BEGIN CERTIFICATE----- >>> MIIDfDCCAmSgAwIBAgIBAjANBgkqhk__iG9w0BAQUFADB5MQswCQYDVQQGEwJK >>> __UDEL >>> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1__RLSzELMAkGA1UECgwCTVcxDDAKBgNV >>> __BAsM >>> A29wczEcMBoGA1UEAwwTdmFncmFudC__5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3 >>> __DQEJ >>> >>> [snip] >>> >>> >>> Try removing everything before the -----BEGIN CERTIFICATE----- line >>> from the PEM. >>> >>> Well that was unexpected: removing the BEGIN Certificate / End lines now >>> makes the install proceed up until: >>> >>> The log file for this installation can be found in >>> /var/log/ipaserver-install.log >>> The PKCS#10 certificate is not signed by the external CA (unknown issuer >>> E=x...@x.com <mailto:x...@x.com>,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST= >>> JP,C=JP). >>> >> >> Can you please post more (all) of /var/lig/ipaserver-install.log? We need >> to know where exactly the issue is occuring and what the traceback is. >> >> >> Do I need to do anything to make my freshly created internal CA trusted >>> for the installation? I've tried the usual magic in /etc/pki/tls/certs, >>> but to no avail. >>> >> >> No, --external_ca_file should have been enough. >> >> -- >> Petrł >> > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users